One of the aspects of the legislation is immediate notification around cyber-attacks. There have been I think strong suggestions from a number of witnesses that there needs to be a clearer period.
Some are suggesting a 72-hour notification period, the objective being to respond to the cyber-attack to stop the cyber-attack initially, hopefully. They are suggesting that the reporting and notification requirements have become onerous, so that you're not able to handle the attack and you're not fighting back against the attack. If you're spending more time being concerned about following the letter of the law rather than responding to the cyber-attack, this can be a real difficulty.
How does the ministry define immediate notification? Do you agree with what numerous witnesses have said, which is that what we need is a clear period, but one that allows the organization, the company or the entity to stop the cyber-attack first before they have to engage in a notification?