It's hard to give a clear and comprehensive answer. There's no doubt in my mind that the current legislation is incomplete. I alluded to that earlier when I said I wasn't very familiar with the private protection regime. I'm much more familiar with the public protection regime, seeing as I work in certification on the public side.
The legislation needs more teeth. That's my personal opinion. I pay attention to what Europe, in particular, is doing. There, the General Data Protection Regulation is in place. Under the regulation, companies that fail to report privacy breaches involving personal information are fined. I would say it's important to move in that direction.
I missed the nuances of the second part of your question. As I said earlier, the current legislation needs to be strengthened so it has more teeth.