They need to report the second order effects. They should be required to report the number of fraud reports they are getting. We should see correlations between this and data leaks and we should see how many cases were prevented, compensated completely, partially and not at all.

This is what people will pay attention to.