Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure. At the same time, it creates incentives or protection for users because they become aware of these disclosures when they happen.
What we've got under Bill S-4 is such a high threshold, and I think Ms. Lawson referenced this as well, that if the standard is only a real risk of significant harm and we don't have big penalties associated with non-disclosure to begin with, at least if you're a larger organization, in many instances, I think it's going to be quite rational, frankly, for an organization not to disclose. They're going to ask, first, what's the risk that anyone will ever find out about this? Second, if they do happen to find out about it and someone shows that there was a real risk of significant harm, then we will face a penalty. But even there, the penalties are relative low.
So what the California law does is to say that we want to ensure that if we're going to err on one side or the other, it's will be to err on the side of trying to mitigate against identify theft, to err on the side of ensuring that there is better security, and by lowering the threshold. We tried to do that a little bit in Bill C-12 and Bill C-29 with the two-step process, so that at least you are made sure that the Privacy Commissioner would be aware of the circumstances where there's a material breach. But in doing away with all of that, I don't think it's just a fear that breaches will occur in Canada. I think these should be expected. And if you asked many Canadians, they would tell you, “Boy, I should have been told about that”. And yet they won't be because companies are going to err rationally, based on the way this law is drafted, on the side of not disclosing it.