David hits on a good point. In a breach-disclosure regime you do need thresholds. People who are ardently pro-privacy are going to say that if we adopt the lowest of thresholds so that just about everything is going to get reported, not only are there going to be significant costs associated with that to organizations, but the reporting and disclosure system is largely going to turn into noise from the perspective of individuals. The whole goal here is to get their attention and to allow them to deal with the issue.
If what we have are notices going out on a daily basis because we have an incredibly low threshold, the news value of those stories will be largely eliminated because it will just be another day, and the individuals will increasingly just ignore them despite the fact that we have a lot of expense.
I think David is right. The issue is how to ensure that the right instances, those where there is a real risk, get reported back to the people who are affected, and at the same time remove the potential reticence of organizations, both in the private and the public sector, to at least do the initial report so that we can engage in a meaningful consideration of the risk.
Lowering the threshold and ensuring that you have a body that will keep it confidential and is well trusted, like the Privacy Commissioner, offers a pretty nice balancing system that allows for external consideration of the risks involved and also ensures that, where there is a real need to know for those who are affected, they are notified.