Obviously the policies and whether those vendors are encrypting at rest, whether they're encrypting in transit, whether they're taking various steps to protect data are part of the equation. The other part of the equation is, how are we protecting our own account management? Making sure that we are using password managers, making sure that we are using that second-factor authentication that is available on many of these systems at this point—and increasingly will probably start to become required—are steps that government can also encourage and help explain. So there's a role there as well.
On February 19th, 2019. See this statement in context.