Thanks for the question.
Incentives are always good. There are some smaller organizations that have a greater burden to introduce new measures. I think we have a lot of incentive already. Our members' reputations are built on protecting privacy, security, etc.
Our concern with the penalties is this: They are very large and they are cumulative. Also, as I mentioned before, for some reason we're the only industry not afforded a due diligence defence. To be clear, this means that an organization could have done everything reasonably possible to comply, but there could be something in the order that, for whatever reason, is outside of their control and that they were not able to do—yet they're subject to huge monetary penalties and even criminal sanctions against individuals.