I think on the public sector side of the house, sometimes what happens is that there are institutions that are holders of personal information and that, according to the sense we have from other reporting, may have under-reported. In that case, we can reach out to them and suggest that perhaps breach training is required. Sometimes the breaches are published in the media as “security incidents”, and they are in fact privacy breaches, or there's a privacy element in there as well. We can reach out to institutions or to companies. So there is some sense, but as to how to measure what we don't know, we don't know yet. Perhaps when we have more reporting, we'll be able to track some trends more carefully.
On April 3rd, 2019. See this statement in context.