7 reasons the FTC could audit your privacy program

21.08.2012

What were these companies' shortcomings? Not assessing Web applications for vulnerabilities to common attack techniques such as SQL injection and cross-site scripting, not encrypting laptops and wireless connections, retaining sensitive information longer than needed, not training employees, and disposing of documents in insecure containers.

If the FTC determines that your company has substandard security, it can use its authority under Section 5 of the FTC Act to prosecute you for an unfair trade practice.

While the FTC doesn't typically impose fines in these cases, its consent orders contain common requirements that can be far more financially draining: appointing a head of information security, documenting a comprehensive information security program, and conducting mandatory independent security audits every other year for 20 years. The year-one price tag for an information security consent decree for a Fortune 1,000 corporation, including audits, fixes, attorney fees and new appointments, could easily top $1 million. If the meter starts at $250,000 for the subsequent audits, the total effective cost would exceed $3 million.

The lesson from these cases for any company storing significant amounts of personal data is to do what the FTC mandates before it has to: appoint a chief information security officer or an equivalent role, conduct regular enterprise-wide risk assessments, and fix the material gaps they uncover.