I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry to comply?”
When I say “comply”, I don't just mean reporting the breach and keeping the records of it; I mean complying by putting in place adequate security measures in the first place. I would think that what we're trying to do, first and foremost, is to make sure that companies put in place reasonable security safeguards. You need incentives for that, and in the private sector those need to be financial incentives.
I'm not sure if that was your question, but the point I was making is that I'm concerned that we may not have adequate incentives. A very strong incentive is negative publicity, and I don't understand why the Privacy Commissioner is being dissuaded in this legislation, under section 20, from publicizing those reports. Why don't we make them public? Why isn't transparency reporting part of transparency disclosure?
The submissions that CIPPIC made in 2008 on this issue were that we should establish a public registry of security breaches. Why are we treating these as confidential?