Up to now, there have been relatively few laws or regulations from government agencies that mandate just how companies should protect their data. In the United States, however, that may be about to change.

http://blog.trendmicro.com/trendlabs-security-intelligence/ftc-has-authority-to-enforce-corporate-cybersecurity/