Privacy Insider Newsletter | Data Privacy News Delivered Weekly

National Public Data Breach: Big Risk, Little Reward

Written by Arlo Gilbert | Aug 22, 2024 1:00:00 PM

Hello all, and happy Thursday! 

With nearly 3 billion records exposed, the National Public Data breach is up there with the largest data breaches of all time. Technically, that dubious honor belongs to Yahoo, whose 2013 breach affected 3 billion accounts. National Public Data’s breach only exposed 2.9 billion records (which doesn’t necessarily mean 2.9 billion individuals). 

Fortunately, a significant portion of the exposed data appears to be inaccurate. This, too, is unsurprising considering that National Public Data is alleged to have collected it via scraping.  

But this suggests another question: Why would National Public Data undertake this incredibly risky, ethically dubious mass collection of personal information for data that isn’t even accurate? Why put your organization at risk in this way when the payoff is so unreliable? One can only assume that these questions were simply never considered. 

Best, 

Arlo 

P.S. If you don’t know where your data lives, you don’t know if it’s generating excess risk for your organization. Register for our upcoming webinar, A Sneak Peek into Data Mapping, to find out how data mapping can give you insight into and control over the data you handle. 


 

Highlights from Osano

New this week

The Privacy Insider Podcast, Episode 4: Don’t Be Evil: In the Hot Seat of Data Privacy (Part 1) with Keith Enright, Chief Privacy Officer at Google


In case you missed it...

Learn how Lattice puts privacy first by building compliance into marketing operations

Recent Webinars (watch the recording)

The Cost of Noncompliance: More Than Just Fines

Upcoming Webinars

A Sneak Peek into Data Mapping: What Implementation Really Looks Like

Thursday, August 29th | Save Your Seat

When AI meets PI: Assessing and governing AI from a privacy perspective

Thursday, September 12th | Save Your Seat

 

Top Privacy Stories of the Week

CIPA-Style Litigation Surfaces in Arizona: Spy Pixel Class Action Litigation Update 

Class action complaints across the state of Arizona allege that certain common uses of pixel-tracking technology in marketing emails violate Arizona’s Telephone, Utility, and Communication Service Records Act. The complaints contend that the information procured by these pixels (e.g. information indicating when an email is opened and read) constitutes a “communication service record” as defined by the act. The act forbids organizations from obtaining communication service records without consent by fraudulent, deceptive, or false means. 


Texas Leading the Charge on Privacy Enforcement 

Recent activity out of Texas suggests the Lone Star State is trying to stake its claim to being a lead authority on alleged consumer protection and privacy violations. The Texas attorney general's office recently netted a USD 1.4 billion settlement with Meta over alleged nonconsensual biometric data use. The office followed that up with a lawsuit against automaker GM claiming it sold driving data to insurance companies without knowledge or consent. Additionally, the attorney general's office has sent more than 100 compliance letters to companies citing a lack of data broker registrations in violation of the Data Broker Law. More enforcement actions may be on the horizon, particularly regarding the Texas Data Privacy and Security Act. 


California Age-Appropriate Design Code Partially Cleared to Come into Effect After Legal Challenge 

A US Court issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA) from going into effect. Specifically, the opinion upheld the district court’s injunction related to privacy impact assessment (PIA) provisions. Although the court's decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA. 


Switzerland Recognizes Adequacy of US-Swiss Data Transfers 

The Swiss Federal Council has added the US to the list of countries with an adequate level of data protection. Effective September 15, 2024, US organizations that certify to the Swiss–U.S. Data Privacy Framework (DPF) can commence receiving transfers of personal data from Switzerland without implementing additional safeguards. 


National Public Data Breach: Data Broker Found to Have Publicly Published Its Own Passwords 

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. Recently, it was discovered that another NPD data broker (which shares access to the same consumer records) inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. 


 

Like what you hear from the Privacy Insider newsletter?

There's more to explore:

🎙️The Privacy Insider Podcast

We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.

📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands

The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.

If you’re interested in working at Osano, check out our Careers page