Companies who took the time to identify the information that needed to remain confidential, and then documented that information in an internal registry, were generally found to be taking the appropriate precautions. In addition, companies who addressed where the possible leaks and breaches might occur were deemed particularly responsible.