I did hear the testimony earlier this week where that came up. Maybe I can give you a really quick example of it.
Take a call centre context, where someone calls in and says, “I received the bill of my neighbour at my home.” What would happen in that context is that the call centre representative would say, “Oh, that's horrible. We'll send you an envelope; can you please send the bill back to us?” Then the call centre representative would reach out to the other customer and say, “We're very sorry, but your neighbour received your bill. We apologize.” They would then make amends.
That situation is technically a breach of security safeguards, because the wrong bill went to the wrong customer. It's a one-off. It's not insignificant to those two customers, but it's insignificant in the grand scheme of when you think about breach notifications. The way Bill S-4 is worded today, it would require us—by “us” I mean any industry or organization subject to PIPEDA—to develop a system to log that somehow. It's taken care of. It's managed. It's handled. But it would have to be logged somehow, through a different system. Otherwise the organization is subject to new offence provisions, which are very serious. The breach notification offences are quite serious in the record-keeping—