Employers’ engagement and use of various types of vendors has expanded recently, to include vendors who assist with office re-entry screening and contact tracing as employees return to work during the COVID-19 pandemic.  The service agreements that are negotiated and executed for this purpose should sufficiently address data privacy and security considerations related to employee personally identifiable information (PII). This is necessary for any service provider or vendor agreement.   In the absence of a federal law governing data security and breach notification of employee PII, employers must comply with increasing state and local legal requirements to ensure the protection of employee PII which employers obtain in the normal course of employment.  Many states have breach reporting laws that apply to data held by employers, such as employee social security numbers.  Other states, such as New York, have laws encompassing PII breach reporting and mandating certain data protections.  For example, the New York Stop Hacks and Improve Electronic Data Security Act (“Shield Act”) requires employers to implement a cybersecurity program providing protective measures for New York resident-employees’ PII.