The requirement in question would require organizations to keep records of data breaches of any kind. We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.
In part this provision that you're referring to will allow us to determine whether the organizations are complying with mandatory breach notifications. If they are not, in the worst-case scenarios, we could advise police authorities and the Attorney General so that prosecutions could be made against these organizations. So it's a clear incentive for organizations to comply with the requirement.