I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill C-12 and Bill C-29 standard, that's not the standard we talked about. It set a material breach as the standard.
You can debate whether or not that's the appropriate standard, but at a minimum it gets us at a number of breaches that this law will not. Moreover, it does so in a way that I think was good for companies too, because rather than companies being faced with this either/or of going to the expense and potential embarrassment of simply disclosing or not, it said as an intermediary step, let's discuss this on a confidential basis with the Privacy Commissioner's office and determine whether or not it warrants that broader disclosure.
Frankly, that was a good thing for organizations to potentially avoid having to make those broader disclosures, in some circumstances, and it provided the comfort of ensuring that users knew that, at a minimum, we had an advocate, the Privacy Commissioner, who was going to be made aware of these circumstances.
It's puzzling to me why this was removed in favour of a process that, frankly, does less to protect Canadians and, ultimately, actually can create larger costs for companies as well.