Section 500.20(c) provides a number of factors that the DFS considers in determining the penalty for a violation:
- the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts
- the good faith of the entity
- whether the violations resulted from conduct that was unintentional or inadvertent, reckless or intentional and deliberate
- whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions or similar
- any history of prior violations
- whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations
- whether the covered entity provided false or misleading information
- the extent of harm to consumers
- whether required, accurate and timely disclosures were made to affected consumers
- the gravity of the violations
- the number of violations and the length of time over which they occurred
- the extent, if any, to which the senior governing body participated therein
- any penalty or sanction imposed by any other regulatory agency
- the financial resources, net worth and annual business volume of the covered entity and its affiliates
- the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST
- such other matters as justice and the public interest require.