You're very right. You have sticks and carrots—I like to look at it that way. In some cases, the sticks could be compelling businesses to disclose their breaches. Most businesses we talk to say that as long as they are involved with how that would occur and where the information would go, and as long as it is done in a proactive way such that their brand or their business is not damaged in the process.... In other words, you flip the lens and say that proactive disclosure is a good thing. No one should be ashamed that they have had a breach, because it's only a matter of time. You frame it in that way, and then you say that when they proactively disclose to you, the return they will get from that is that they will get others' vulnerabilities so that they can become a better business. It's a quid pro quo type of relationship.
I think those are the missing pieces. If you want to compel, you need to invite businesses in, to figure out how to do that in an effective way that doesn't damage their business. In the same vein, you're going to be sharing that information back, which is something we want and something that will make us better and more secure in the overall ecosystem.