The California Privacy Protection Agency (CPPA) has moved to penalize National Public Data, the Florida-based broker responsible for one of the most significant data breaches in 2024. The state regulator is petitioning the court to impose a $46,000 fine following the company’s failure to comply with mandatory data broker registration requirements.
A Massive Security Failure
In April 2024, National Public Data suffered a catastrophic security incident. Hackers successfully exfiltrated databases containing approximately three billion records. This massive breach exposed the Social Security numbers and sensitive personal information of an estimated 270 million individuals, ranking it among the largest cybersecurity failures of the year.
Legal Hurdles and Bankruptcy Rejection
Following the breach, the company attempted to seek bankruptcy protection, claiming an inability to satisfy its mounting debts. However, in November 2024, a Florida bankruptcy court rejected the petition. This ruling effectively cleared the path for authorities and creditors to pursue legal action against the firm.
Why California is Targeting National Public Data
The California Privacy Protection Agency, which oversees compliance with the California Consumer Privacy Act (CCPA), initiated enforcement proceedings due to the company’s failure to register as a data broker. Under state law, entities operating in California were required to register by January 31, 2024, or face daily penalties of up to $200.
According to the CPPA, National Public Data did not register until September 18, 2024—more than seven months past the deadline—and only did so after being contacted by enforcement officials. The agency is now seeking a fine of $46,000 to hold the broker accountable for this regulatory oversight.
Ongoing Enforcement Efforts
This action marks the sixth enforcement effort initiated by the CPPA against a data broker since the agency’s inception. While the previous five cases concluded in settlement agreements, the current push against National Public Data highlights the state’s aggressive stance on data protection. Salvatore Verini, owner of Jerico Pictures—the parent company of National Public Data—has not provided a response to requests for comment regarding the pending fine.