I'd like to see clear(er) written guidelines for how, say, customer data should be cared for. And because there may be valid reasons to deviate from the guidelines, perhaps request that the reason for the deviations be written down by the organization and supplied on request to the FTC.
Oh, you mean like when a company agrees to process credit card transactions the written guidelines that dictate PCI-DSS 3.0 compliance?
(Sorry, but in the example provided in TFS, it sure as shit seems pretty cut and dry)
Can you explain how PCI-DSS 3.0 stops anything getting hacked? You know the Target and Home Depot systems were PCI compliant, right?
The NIST stuff isn't so awful, but it's not in a form that's very useful. It's lots of little specs that don't fit together into a system. However it contains very useful specs on means for an organization to protect itself. This is good.
This is a solvable problem, but the PCI specs are a barrier to uniform adoption of something effective.