A key aspect of the alphabet soup of data protection laws is vendor risk management.

You should be aghast to learn that your vendor was storing all of your customers’ data on a billboard… or in a completely unsecured database. It’s like learning the babysitter left your kids at the house and went out on a bender!

https://www.usatoday.com/story/tech/2019/12/01/text-message-leak-millions-americans-might-be-at-risk/4346711002/

Vendor risk management doesn’t mean you have to engineer all of the vendor’s systems yourself just to show that you’ve done adequate due diligence. But you do need to make sure you ask the vendor to certify that their systems and processes are adequate. If the vendor is processing credit card transactions for you, for example, then that vendor should be PCI DSS certified and should be able to prove it. And your contract should have teeth to let you audit their certification, and to impose penalties up to and including termination if their certification ends up being flimsy.

Check out the FTC’s “Start With Security” guide. It does a great job of distilling the NIST Cybersecurity Framework into easier-to-understand nibbles.