State and Federal Cyber Compliance

As of 2019, nearly every business in New York State is required to adhere to the minimum requirements of the NYS SHIELD Act. 

Depending on the type of business you operate, you may be required to comply with various state and federal regulations (sometimes overlapping) to safeguard your business and avoid substantial fines.

The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act (“the Act”) was enacted into New York State Law in July of 2019. Major provisions of the law took effect in March of 2020.

The SHIELD Act aims to safeguard the online private information of New Yorkers by requiring businesses to notify anyone whose private information it stores anytime it suffers a cybersecurity breach.

It also calls for preemptive safeguards to be put in place to avoid breaches occurring in the first place.

The act updates and amends the 2005 Information Security Breach and Notification Act to buttress previously applicable requirements and provide additional protections.

Who Does SHIELD Act Apply To?

The NYS SHIELD Act applies to any business that does business in New York State, that stores the personal information (PII) of customers, employees, vendors, or anyone else.

What Defines Personal Information (PII)?
What Happens If I'm In Violation?

As of March 2020, Businesses that fail to comply with the regulations laid out in the SHIELD Act may face civil penalties of up to $5,000 per violation.


The SHIELD Act increases the penalties that can be recovered for noncompliance from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all Covered Entities (financial institutions and financial services companies).

It includes 23 sections outlining requirements for developing and implementing an effective cybersecurity program, requiring Covered Entities to assess their cybersecurity risk and develop a plan to proactively address them.

Who Does 23 NYCRR 500 Apply To?

The NYDFS Cybersecurity Regulation applies to all entities operating or required to operate under DFS licensure, registration, charter or who are otherwise DFS-regulated, as well as their third party vendors and service providers.

Examples of covered entities include:

  • Foreign Banks Licensed to Operate in New York
  • Mortgage Companies
  • Insurance Companies
  • Service Providers
  • State-Chartered Banks
  • Licensed Lenders
  • Private Bankers
  • 3rd Party Vendors

What Happens If I'm In Violation?

Fines for violations of 23 NYCRR 500 are substantial.
Here are our estimates of what the fines could be based on the NY Banking Law:

$2,500/day during which violation continues.

$15,000/day in the event of any reckless or unsound practice.

$75,000/day in the event of knowing and willful violation.

The full title of the HIPAA Security Rule decree is “Security Standards for the Protection of Electronic Protected Health Information”, and as the official title suggests, the ruling was created to define the exact stipulations required to safeguard electronic Protected Health Information (ePHI), specifically relating to how the information is stored and transmitted between digital devices.

Running a medical facility today means focusing on the safety and security of your patients and their data. Not only is this an ethical responsibility, it is also a legal one.

That’s why every hospital and health care provider needs to be prepared to maintain HIPAA IT compliance.

Being compliant is about more than just signing some paperwork. It’s about working around the clock to make sure you’re protected from an unexpected attack.

Being compliant isn’t easy. But if you want to succeed as a healthcare provider, it’s necessary.

Who Does HIPAA Apply To?

Anyone who works in healthcare or does business with healthcare clients that require access to health data must be HIPAA compliant. Organizations include:

  • Hospitals
  • Nursing homes
  • Health clinics
  • Dentists
  • Workers Compensation Attorneys
  • Insurance Companies
  • Doctors 
  • Pharmacies
  • Psychologists
  • Chiropractors
  • Medical Billing
  • Businesses storing PHI data
What Defines Protected Health Information (PHI)?
What Happens if I'm In Violation

HIPAA Violations and Fines are determined by the level of culpability (knowing) and whether or not corrective action has been taken; the following chart outlines the penalties:

Penalty TierLevel of CulpabilityMinimum Penalty per ViolationMaximum Penalty per ViolationAnnual Penalty Limit 
Tier 1Reasonable Efforts$127$63,973$1,919,173
Tier 2Lack of Oversight$1,280$63,973$1,919,173
Tier 3Neglect – Rectified within 30 days$12,794$63,973$1,919,173
Tier 4Neglect – Not Rectified within 30 days$63,973$1,919,173$1,919,173

Our Working Process


Consult and Onboarding

Discovery and discussion of your business needs, goals and vision.
Onboard and align mutual commitments to a protected and profitable business relationship.
Roles, expectations and deadlines are discussed and defined by both parties.


IT Audit and Guidence

An IT audit allows us to define your IT benchmark on where your business is at and where it needs to be.
This is used to develop a plan for your best used security practices, administrative, technical and physical safeguards.


Planning and Implemention

A plan is mapped out with you and all stakeholders. The project is designed with business disruption kept to a minimum.
Our plan is executed, your business is running as it should. You operate in peace of mind and confidence.


Strategy and Maintenance

Periodic review of strategy as goals and milestones are met. Adaptation to evolving needs of business and maintenance of growth cycle.
Regular consultations are scheduled at your convenience.


Send us a Message