Federal law generally prohibits Internet service providers (ISPs), i.e., "cable operators," from disclosing personally identifiable information concerning a subscriber without the prior written or electronic consent of the subscriber. Moreover, under the law, ISPs must "take such actions as are necessary" to prevent unauthorized access to a subscriber's personally identifiable information by a person other than the subscriber or the cable operator. See 47 U.S.C. §551(c)(1).