"The key underlying problem – what must companies do – will remain until the agency can explain better what the law requires," he said. "It's like giving speeding tickets without speed limit signs."
There's also the risk that the FTC will require companies to take steps that aren't necessarily the most effective.
"Compliance costs will increase, but it's unclear whether risk management will get better," he said. "The decision encourages business to drive nails with a violin, regardless of whether that's good for the violin."
The hackers are the ones who illegally break in and steal data.
But it's the businesses who are being treated like criminals by the FTC, Stegmaier said.
Are reasonable steps even enough?
There's little evidence that the ruling will make a significant difference to consumers, said Amir Ben-Efraim, co-founder and CEO at Menlo Park, Calif.-based Menlo Security.
"There have been many reported -- and unreported -- cases of successful attacks on organizations that would have passed FTC scrutiny in terms of patching and updating," he said.
That's the dirty secret of the cybersecurity business, he added.
"No combination of conventional, detection-based security systems deployed today can stop an attack," he said.
The big winners in this debate are the security vendors, who are expecting to see enterprises become more receptive to new approaches -- and to bigger security budgets.
"When you go for the low-cost option to store sensitive data, that's not a good thing," said Kunal Rupani, principal product manager at Palo Alto, Calif.-based Accellion, Inc. "The FTC is doing the right thing by making sure that enterprises take the measures that they need to take to make sure their customer data is secure."
At the very least, enterprises need to go back to the drawing board and rethink their security strategies, he said.
For example, enterprises should admit that traditional walled-garden-style approaches to security are no longer enough. Criminals will break in, and companies need to add layers of protection around the data itself.
That could be via broader adoption of encryption, said Suni Munshani, CEO at Stamford, CT-based Protegrity USA, Inc.
"In case of a breach, the scrambled data cannot be understood by unauthorized individuals," he said.
But all these efforts won't be going to waste, he added.
"While security firms may benefit from this ruling, the real winners are those consumers who want their sensitive information better protected," he said.