One of the other themes you both mentioned today that has come up in previous testimony is mandatory breach reporting, and also, having penalties for breaches. One of the tensions there, of course, is worrying that an institution, for example, might cover up a breach they're supposed to be reporting because they fear the penalties. We had one witness talk about, not having consequence-free reporting of a breach, but maybe changing the scale of consequence in cases where certain kinds of measures had been taken, including encryption and so on.
Do either of you want to speak to that interplay between reporting and penalty, and give your thoughts on what a successful regime might look like?