But the privacy order stressed that following these standards is "voluntary" and that "providers retain the option to use whatever risk management approach best fits their needs." If there are complaints about security, the FCC would decide whether the ISP has implemented reasonable data security practices based on a few factors.
So ISPs don't have to do anything. But whatever they do, the FCC can step in and decide if it was enough - after the fact. Sounds like a half-baked regulation that should be tossed.