Unfortunately, incompetence doesn't require bad faith. You don't have to deliberately try to be incompetent, but there could still be incompetence there.
I'm really interested in what you just said, that CRA believed they were doing a good enough job. Am I correct in saying—I'm paraphrasing here—that they weren't doing a good enough job, and that the upshot or the corollary of the fact that they weren't doing a good enough job is that now we have 31,000 breaches? Is that fair to say?