FTC Safeguards Rule, 16 C.F.R. § 314.4 ("Tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations."); Massachusetts Data Security Law, 201 CMR 17.03 (2)(f)(1) (same). See also the EU's General Data Protection Regulation (GDPR), Art. 28 ("Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.").