In your introductory speech, you also talked about the determination of risk and the risk on the data that has been breached. You've put that responsibility on the person who actually created that breach, or should I say, that was breached. Is that correct?
Don't you think that allowing the people who have actually disclosed to decide whether it should be advised to you is kind of like putting the fox among the chickens?