But if your company has its email (or some other business function) handled by another company, you still need take precautions. Those precautions include limiting the information you give any contractor, limiting the amount of time the contractor is allowed to keep the data and being prepared for the fact that it might lose it.
In the case of the Epsilon breach, most of the companies involved gave Epsilon nothing besides the email addresses and the first names of their customers or the people seeking information. While whoever stole the data can use that to create phishing emails that appear to come from a source familiar to the target, or to create emails to others that appear to come from the person who had his or her email stolen, there's not a lot else that can be done. There is little danger of widespread security problems.
By limiting the time a contractor can retain your information, you also limit your exposure. If you had been using Epsilon to manage your email, but had only given the company the assignment for six months, after which you required the company to return or destroy the information, then there would have been nothing to lose. And if Epsilon had retained the information anyway, you'd have some recourse.
In this case, there's nothing to indicate that Epsilon had some major security lapse. It got hacked, and chances are that next week it'll be some other company. Very few organizations have the ability or the resources to be completely immune to attempts to penetrate their security, except for those few that are completely disconnected from the Internet, and there aren't many of those.
So knowing that data breaches are inevitable at some level, the best thing you can do for your company and its customers is to make sure that personal data is protected as well as it's possible to accomplish. When data, such as names or email addresses, needs to be released to someone else so they can perform a task for you, then give out nothing beyond the absolute minimum.
This means that you don't just pass over your complete customer database and let your marketing partner take what it needs. Instead, you take the time to select only what's necessary and send that over. It won't prevent a data breach, but you'll probably never be able to accomplish that. What it will do is protect your information so that the data that's stolen isn't very useful and as a result won't hurt anyone when it gets released.