Implement and maintain reasonable security measures to prevent unauthorized access to personal information (PI). If a collector passes the information on to a third party, there needs to be a clause in the underlying contract that this third party takes reasonable security measures as well.