There are a couple of ways to answer your question.
The legislation has been in place for over a decade now and it's working well. As you heard, businesses are reporting.
There are incidents. These breaches are increasing. You hear about them in the media. Generally, those are not the fault of the businesses. They're being attacked in a number of different ways. If you're talking from a cybersecurity perspective, they have challenges in being able to protect themselves against that. That's not unique to business. That's happening to government. It's happening to everybody. You heard that even the U.S. government was attacked.
From a small business perspective, they look at PIPEDA and are doing what they can to comply. Most of the breaches that you don't hear about are being handled at the front lines and reported to individuals. It's not coming back to the Privacy Commissioner at all. Generally there's no need for it to come back because there is no risk of harm to that individual once the breach has been dealt with. Systemically, they're managing these internally.
Is business preparing for the changes to PIPEDA that are coming under Bill S-4? They're certainly aware of them. Will they make any changes? Not until the bill comes into place, I would suspect.