Introduction to the Case

The California privacy regulator has filed a court petition to impose a fine on a data broker that suffered a significant data breach, resulting in the loss of hundreds of millions of Social Security numbers, in one of the largest data breaches of the previous year.

Background on the California Privacy Protection Agency (CPPA)

The California Privacy Protection Agency (CPPA), the body responsible for enforcing California’s state rules on data protection and privacy rights, known as the California Consumer Privacy Act (CCPA), announced on Thursday that it is seeking a fine of $46,000 against National Public Data. This action is due to the company’s failure to register as a data broker in the state.

Details of the Data Breach

National Public Data gained notoriety following a data breach in April 2024, where hackers stole the company’s databases containing Social Security numbers and other personal information. The breach involved approximately three billion records affecting around 270 million individuals, although much of the data appeared to be inaccurate. This incident was one of the largest data breaches of 2024, measured by the number of records stolen.

Aftermath of the Breach

Subsequent to the breach, the data broker filed for bankruptcy protection, citing an inability to pay its debts. However, a Florida bankruptcy court rejected the company’s petition in November 2024. This rejection left the door open for creditors and other authorities to pursue legal action against the data broker.

Current Legal Action

The CPPA stated on Thursday that its enforcement division had filed a claim against National Public Data last year for failing to register with the agency as a data broker. The CPPA is now continuing to pursue the $46,000 fine from the company, following the bankruptcy court’s ruling.

Role of Data Brokers

Data brokers are entities that collect and sell individuals’ personal information, such as location data, for profit. In California, data brokers are required to register with the CPPA. Those operating in the state had to register by January 31, 2024, or face fines of up to $200 per day. National Public Data did not register until September 18, 2024, more than seven months after the deadline, and only did so after being contacted by the agency’s enforcement officials.

Enforcement Actions by the CPPA

The action against National Public Data represents the CPPA’s sixth enforcement effort against a data broker since its inception. The previous five actions resulted in settlement agreements, according to the agency.

Response from National Public Data

Salvatore Verini, the owner of Jerico Pictures, the parent company of the hacked data broker National Public Data, did not respond to a request for comment regarding the situation.