Individual organizations have a lot at stake in terms of ensuring that they properly weigh the impact of any breach on their customers. Their most important assets as business organizations are their customers, so making that sort of evaluation is one of the most important functions an organization has to take on when there is a breach situation. They are in the best position to evaluate the level of risk to their customers, and then to take appropriate action.
I believe that the law as drafted largely has that component constructed in an appropriate way. There is provision for reporting also to the Privacy Commissioner, which is an additional component that supports, I guess, the safeguards under the new provisions of the law.