It's a complicated issue.
One of our recommendations is to create a legal obligation for departments to safeguard information technologically, and there would be a breach notification provision. One would think—and there are policies in the Treasury Board and other departments that suggest a similar outcome—that departments need to do what is necessary to protect information that is given to them by individuals. At the same time, we see that there are breaches reported regularly and that departments do not always take the measures necessary to improve their systems.
On that issue, a lot of work is done in government to protect information that I think is insufficient, in terms of surpassing the bar for what would be required. What would be the cost of that? It's not as if you're inventing a new activity. It exists. We just ask that it be improved. We haven't quantified that cost, but it should be, I would say, not insignificant but not extremely important either. One would hope and one thinks that certain measures have already been taken by government to protect information.