California Regulator Fines Florida Data Broker After SSN Breach

California Regulator Pursues Fine Against Data Broker

The privacy regulator in California is requesting a court order to impose a fine on a data broker following a substantial data breach involving hundreds of millions of Social Security numbers. This incident stands as one of the most significant data compromises of the previous year.

CPPA Action and CCPA Regulations

The California Privacy Protection Agency (CPPA), responsible for enforcing California’s data protection and privacy regulations – collectively known as the CCPA – announced on Thursday its pursuit of a $46,000 penalty against National Public Data. The reason for this action is the company’s failure to register as a data broker within the state.

Details of the 2024 Data Breach

National Public Data gained notoriety after a data breach in April 2024. During this event, malicious actors successfully stole databases containing Social Security numbers and other sensitive personal information. The compromised data encompassed approximately three billion records, potentially impacting around 270 million individuals. It is important to note that a significant portion of this data was later found to be inaccurate.

The scale of the theft positioned it as one of the largest data breaches of 2024, measured by the sheer volume of records accessed.

Bankruptcy Filing and Court Ruling

Following the breach, National Public Data filed for bankruptcy protection, citing an inability to meet its financial obligations. However, in November 2024, a Florida bankruptcy court dismissed the company’s petition. This decision opened the possibility for creditors and regulatory bodies to initiate legal proceedings against the data broker.

Continued Enforcement Efforts

The CPPA stated that its enforcement division initially filed a claim against National Public Data last year for non-compliance with data broker registration requirements. Now, following the bankruptcy court’s ruling, the agency is continuing its efforts to secure the $46,000 fine.

Data Broker Registration Requirements

Data brokers operate by collecting and selling individuals’ personal information, including location data, for financial gain. Those operating within California were mandated to register with the CPPA by January 31, 2024, to avoid penalties of up to $200 per day.

National Public Data did not register until September 18, 2024 – over seven months past the deadline. According to the CPPA, the registration occurred only after contact from the agency’s enforcement officials.

CPPA's Broader Enforcement Record

The CPPA reports that its action against National Public Data represents its sixth enforcement initiative targeting data brokers since its establishment. The agency notes that the previous five cases were resolved through settlement agreements.

Lack of Response from Company Owner

Salvatore Verini, the owner of Jerico Pictures – the parent company of National Public Data – did not respond to requests for comment regarding this matter.

Key Takeaways

• California is actively enforcing its data privacy laws.
• Failure to register as a data broker can result in significant fines.
• Large-scale data breaches continue to pose a substantial risk to personal information.