Well, it's not sufficient, and that's why we need multiple tools. My preference is to take proactive action: to educate, to have frameworks, to have good regulation that is going to help industry do what's necessary, to have quick reporting if there's a breach and to have early compliance letters. I dealt with a big breach of information at PowerSchool, and we got the organization to commit very quickly early on to fixing it without the need for a long investigation.
You're going to need investigation in some cases, but it's a spectrum of tools. I agree with you that we should not always be reactive. We have to try to anticipate things, prevent things, create a culture of privacy and work with the good actors, but for the bad actors, we need more enforcement.