These sound like eminently sensible regulations that could be adopted as best practices for any company that handles personal information. According to the Privacy and Security Law Blog, the US Federal Communications Commission has adopted regulations about the release of calling records by telecommunications companies. The rules provide that information can only be released to those who have a password associated with the account. If no password is provided, the information can only be either (i) mailed to the address of record or (ii) telephoned to the phone number of record. Also, the customer has to be alerted via these approved channels if the address or the password is changed. Makes sense to me.