The Commission has been steering away from "how to" rules in recent years, instead making rules that describe the required outcome. If carriers do not want to use a password for access to customer private records, I think they should be able to use whatever method they want to protect the privacy of the records, and face substantial fines when those methods fail.
Harold