To answer that question, you need to have a pretty complete understanding of the "powers" service providers already have under the ECPA, and the "powers" they can enforceably claim through contracts (like privacy policies). Those preexisting "powers" are already very broad; they are not, for instance, nailed down to specific definitions of "cybersecurity threats".
