CNET News reports that Microsoft will soon publish its internal dev guidelines on protecting PII. This article quotes Peter Cullen: 

"This is designed for an IT pro or a developer, in terms of: 'If you're building an application that does X, this is what we think should be built,'" he said. "The public document will use a lot of 'shoulds.' Inside Microsoft, those are 'musts.'"

Worldwide IT pros and devs will see the standard we hold ourselves to. They can push back on that if they wish. They can tell us the standard needs to change, and they can tell us for sure if they see that we are not meeting the publicly disclosed bar.

Kudos to Peter. It takes guts to do things like this.