Ok but these security issues are all around authorization, which doesn't seem to cover the spread of things that can happen after vendors have whatever data they are handling.
So, what is the guidance on that?
