updating Compliance doc with graduated response

Attached is a diff proposed to add a definition of graduated response and then a non-normative section in the security permitted use. I believe this implements the group's decision on a call in July. (Text included below if you want to read the changes.)

Thanks,
Nick

214a215,220
> 			<section id="graduated-response">
> 				<h3>Graduated Response</h3>
> 				<p>
> 					A <dfn>graduated response</dfn> a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or transaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to transactions from that specific range of IP addresses as opposed to increased logging for all users in general.
> 				</p>
> 			</section>
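Review bot: the definition sentence is missing its verb: "A <dfn>graduated response</dfn> a methodology where" should read "A <dfn>graduated response</dfn> is a methodology where". The second sentence is also a single run-on from "In the context of this document" through "all users in general"; splitting it after "has become aware of" (e.g. "... a specific problem that a party has become aware of. For example, an increase in fraudulent activity from a particular IP address range would result in increased logging only for transactions from that range, rather than for all users.") keeps the same meaning and makes the "narrow rather than general" point, which is the substance of the definition, easier to find.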
442a449,452
>   			<section id="security-graduated" class="informative">
>   				<h4>Graduated Responses for Security</h4>
>   				When feasible, a <a>graduated response</a> to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of user agent string and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
>   			</section>
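Review bot: the paragraph in this section is bare text inside the `<section>`, whereas the definition hunk wraps its text in `<p>`; wrap it the same way for consistent markup (the leading whitespace here also mixes spaces and tabs, unlike the first hunk). On the wording, "until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution" gives the retained logs no outer bound, so the informative text would be stronger if it also said that the scope (the IP range or fingerprint) should be as narrow as the evidence supports and that the retention decision should be revisited periodically, rather than open-ended until a determination happens to be made; that is the "proportional to the size of the problem" principle the definition hunk states, applied to duration as well as scope.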

Received on Saturday, 21 September 2013 04:59:20 UTC