It is leaving the decision to industry itself but I think the more important issue is that the standard has been set at a certain level. I know there has been a lot of debate over the appropriate wording and the standard had been set finally at a level that is fairly high.
In my research I'm just as concerned with attempts of breaches as actual breaches. My concerns are also about organizations in aggregate form not disclosing information about attempted attacks that they have suffered and what we call attack vectors, where do the attacks come from. A lot of what we often tell people.... For example, the banks will often always tell customers that they have to protect their passwords, etc., but we don't have good information as to where the attacks are originating from. They could be originating from overseas, from hackers, and not from negligent customers.
Attacks are just as important as these actual notifications in my own research and my own work, and that's where for me in the system, at least as you see it in other countries, people do get notified. Whether that's going to offer the best protection for Canadians at the end of the day I think there may be further actions that are required perhaps down the line as you see if this system is working effectively or not. I am concerned that right now there's nothing about potential attacks but only actual breaches.