National Public Data, the Florida-based company responsible for exposing millions of Social Security numbers to hackers last year, is now facing a fine from a U.S. regulator—though the penalty amount may fall short of consumer expectations.

The California Privacy Protection Agency (CPPA) has imposed a $46,000 fine on National Public Data, the maximum penalty permitted under California’s data broker regulations. The agency announced the enforcement action on Thursday, citing the company’s failure to comply with the state's data deletion law.

According to the regulator, National Public Data did not register or pay the required annual fee under California’s Delete Act, which mandates data brokers to register by January 31, 2024, and contribute to the California Data Broker Registry. Companies that fail to comply face a daily fine of $200. In this case, the company registered on September 18—230 days past the deadline—resulting in the accumulated $46,000 penalty.

The company’s registration came only after CPPA reached out, following widespread media coverage of the Social Security number leak. It remains uncertain whether additional penalties will be levied, but the CPPA confirmed that the current fine will be presented to an administrative law judge. "The CPPA’s five-member board ultimately decides whether to adopt or modify the judge’s decision. At that point, the agency’s decision becomes reviewable by a California court," the CPPA stated to PCMag.

Funds collected from the penalty will be directed to the Data Brokers’ Registry Fund to support the implementation and enforcement of the Delete Act, including the development of California’s first-of-its-kind data deletion system, according to the agency.

While the fine may seem minimal to those affected by the data breach, National Public Data remains under scrutiny. Last year, the company acknowledged that attorneys general from all 50 states, along with the Federal Trade Commission (FTC), were investigating the incident. Additionally, California's Consumer Privacy Act grants residents the right to sue businesses for data breaches that expose nonencrypted personal information.

National Public Data’s parent company, Jerico Pictures, has also faced significant legal challenges. In an attempt to manage mounting lawsuits, the company sought bankruptcy protection in a Florida court. However, the filing was dismissed after U.S. Trustee for Florida, Mary Ida Townson, stated: "The Debtor [Jerico Pictures] lacks the income and resources to demonstrate a reasonable likelihood of rehabilitation." Financial records indicate that the company reported a net profit of $865,149 on $1.2 million in revenue for 2023 and $475,526 in 2022.

Although further regulatory actions remain uncertain, National Public Data has ceased operations. Jerico Pictures' owner, Salvatore Verini, has not provided any public comment on the situation.