In the age of technology, if somebody has access to this information, they can misuse that information in a matter of seconds electronically.
One thing you indicated is that the Privacy Commissioner was contacted a week after you first discovered the breach with respect to the USB key. What is your protocol around how long you will wait to see whether it miraculously turns up somewhere before you think you need to notify someone that the breach has happened?