
Company Involved in Huge SSN Leak Fined by California Regulators

The fine is only $46,000, but it was the maximum the California Privacy Protection Agency was able to pursue against National Public Data.

By Michael Kan, Principal Reporter


The Florida-based company that exposed millions of Social Security numbers to hackers last year is facing what appears to be its first fine from a US regulator—although the amount probably isn't as high as affected consumers may have hoped.

National Public Data is facing a $46,000 fine from the California Privacy Protection Agency, which announced the penalty on Thursday. It's the highest amount the agency could penalize the company under California's law regulating data brokers.

Specifically, the agency is punishing National Public Data “for failing to register and pay an annual fee” under the state’s data deletion law. The regulator notes that California’s Delete Act requires data broker providers to register by January 31, 2024, and pay an annual fee that funds the California Data Broker Registry. If they don’t, the companies face a fine of $200 per day.

In National Public Data’s case, the company registered on Sept. 18, or 230 days after the deadline, resulting in the $46,000 fine. The company also registered only after the agency contacted it when news of the SSN leak was making headlines.  

It’s unclear if the regulator plans on penalizing the company further. But the California agency said it'll bring the current penalty before an administrative law judge. "The CPPA’s five-member board ultimately decides whether to adopt or modify the judge’s decision. At that point, the agency’s decision becomes reviewable by a California court," the CPPA told PCMag.

All the penalty money collected will then be used to fund "the Data Brokers’ Registry Fund to offset costs incurred in implementing and enforcing the Delete Act, including the development of California’s first-of-its-kind accessible deletion mechanism," the agency added.

The penalty amount may disappoint consumers hoping for a larger restitution. But National Public Data itself indicated last year that attorneys general in all 50 states and the Federal Trade Commission are investigating the company for last year’s breach. Meanwhile, California's Consumer Privacy Act does allow residents to sue a company for a data breach when their nonencrypted personal information has been lost to hackers.

National Public Data’s parent company, Jerico Pictures, tried to file for bankruptcy in a Florida court as it also faced a wave of class action lawsuits. But the judge rejected the bankruptcy filing after the US Trustee for Florida, Mary Ida Townson, told the court: “The Debtor [Jerico Pictures] lacks the income and resources to demonstrate a reasonable likelihood of rehabilitation.” Meanwhile, another court document showed the company only made a net profit of $865,149 on revenue of $1.2 million for 2023 and $475,526 in 2022.

Although it remains unclear if or when other regulators will take further action, National Public Data has shut down. Salvatore Verini, the owner of Jerico Pictures, didn’t respond to a request for comment.

Editor's note: This story has been updated with comment from the California Privacy Protection Agency.
