Answer: D - U.S. federal laws, including the GLBA, HIPAA state laws (Massachusetts, Illinois, and California), and regulations set forth by municipalities, like the New York Department of Financial Services Cybersecurity Rules, require vendor management by organizations collecting data that is shared with third-party vendors for processing and other purposes.
The European Data Protection Regulation mandates that a data controller may only rely on data processing vendors who contractually guarantee the implementation of appropriate measures to ensure the privacy and security of sensitive data shared with them by the controller.