New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.20 - Enforcement

Current through Register Vol. 45, No. 52, December 27, 2023

(a) This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws.

(b) The commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof. Such acts or failures include, without limitation:

(1) the failure to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of this Part; or

(2) the material failure to comply for any 24-hour period with any section of this Part.

(c) In assessing any penalty for a violation of this Part pursuant to the Banking Law, Insurance Law or Financial Services Law, the superintendent shall take into account, without limitation, factors including:

(1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts;

(2) the good faith of the entity;

(3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless or intentional and deliberate;

(4) whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions or similar;

(5) any history of prior violations;

(6) whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations;

(7) whether the covered entity provided false or misleading information;

(8) the extent of harm to consumers;

(9) whether required, accurate and timely disclosures were made to affected consumers;

(10) the gravity of the violations;

(11) the number of violations and the length of time over which they occurred;

(12) the extent, if any, to which the senior governing body participated therein;

(13) any penalty or sanction imposed by any other regulatory agency;

(14) the financial resources, net worth and annual business volume of the covered entity and its affiliates;

(15) the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST; and

(16) such other matters as justice and the public interest require.

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017

Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023
