ILTANET.ORG
• Secure Disposal Requirements (45 CFR § 164.310(d)(2)(i)): HIPAA mandates that covered entities implement policies to ensure the secure destruction of PHI when it is no longer needed.
Penalties under HIPAA's enforcement rules range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million depending on the level of negligence. Similar to the CCPA mentioned above, these fines are calculated per violation and can, therefore, escalate quickly.
NY DFS Cybersecurity Regulation
The New York Department of Financial Services (NY DFS) Cybersecurity Regulation (23 NYCRR 500) mandates secure data disposal:
• Disposal of Nonpublic Information (Section 500.13): Covered entities are required to implement policies and procedures for securely disposing of nonpublic information once it is no longer needed for business operations or legal purposes.
Non-compliance with this regulation can result in substantial penalties for covered entities. The NY DFS is authorized to impose civil penalties of up to $5,000 per violation, per day. Accordingly, these fines can accumulate rapidly, leading to significant financial consequences for organizations that fail to adhere to the regulation's requirements.
NY DFS Cybersecurity Resource Center: https://www.dfs.ny.gov/industry_guidance/cybersecurity