A sometime-TV-actor from Florida who started a second career running a data broker business from his home office — which suffered a massive breach of millions of records last year — faces probes by the US Federal Trade Commission, Congress, the California Privacy Protection Agency and virtually every US state attorney general, as well as private litigation, court filings obtained by MLex show. The eye-opening tale of Salvatore Verini Jr. illustrates how lightly regulated the data broker industry remains in the absence of a US national privacy law.
A self-described actor and producer, Salvatore Verini Jr., hyped gigs with Hollywood stars like Burt Reynolds. But the Florida man whose second career was running a data broker business — which suffered a massive breach of hundreds of millions of records — now faces probes by the US Federal Trade Commission and virtually every state privacy enforcer, court filings show.The California Privacy Protection Agency also appears poised to issue a $46,000 fine against National Public Data for failing to register in California as a data broker, according to a claim the agency filed in a bankruptcy action in Florida. But the CPPA appears to be only one of a long list of regulators investigating Verini’s one-man, home-based online background-check company in preparation for possible enforcement action.
Congressional investigators are looking into the breach as well, with a House committee calling it “staggering in light of the alleged compromised information and potential harm to so many victims.”
The National Public Data case shows how lightly regulated the data broker industry remains in the absence of a US national privacy law, and how that regulatory vacuum can have serious ramifications for consumers. New laws like California’s recently enacted Delete Act have started to bring more transparency to the industry through its requirement that data brokers register each year. The new law will also soon allow California consumers to delete data held by companies that generally have no direct interaction with consumers, but that collect, hold and trade in large amounts of their personal data.
Most states, however, continue to lack a requirement for data brokers to register, or other rules specific to data brokers. The CPPA, concerned about data broker compliance, recently launched an enforcement sweep to uncover companies that have failed to comply with California’s registration requirements (see here).
Operated by Verini’s Jerico Pictures and based in Pompano Beach, Florida, National Public Data is a subscription data service, allowing institutional clients to perform a rapid background check through an automated online connection, according to court filings in Verini’s bankruptcy case and a related proposed class action suit in which National Public Data is the defendant.
In Vernini’s case, the sometime actor and producer operated National Public Data out of his home office, with no staff, according to his bankruptcy filing. Yet, that apparent shoe-string operation was able to assemble massive databases of personal data on hundreds of millions of people in the US and other countries.
“Debtor faces substantial uncertainty facing regulatory challenges by the Federal Trade Commission and more than 20 states with civil penalties for data breaches,” Verini said in a court filing explaining his reason for seeing Chapter 11 bankruptcy (see here). An FTC spokesperson declined to comment today when asked about the FTC investigation disclosed in the NPB court filing.
Verini reported income of about $1.6 million in 2023 and 2024, but he told the bankruptcy court that he needed to file for bankruptcy protection because the data breach “creates a wide range of liabilities upon the Debtor,” including “extensive potential liabilities” to “defend the lawsuits” triggered by the breach, which “caused a massive exposure” of personally identifiable information.
Virtually every US state attorney general from Alabama to Wyoming, as well as the District of Columbia and territories including American Samoa, Puerto Rico and Guam, were listed as creditors in Verini’s bankruptcy case in the US Southern District of Florida. The class action suit, also filed in the Southern District of Florida (see here), alleges National Public Data scraped personal information about millions of consumers “from non-public sources,” yet the company failed to take basic security protections for that volume of data.
“Defendant failed to adequately protect Plaintiff’s and Class Members PII — and failed to even encrypt or redact this highly sensitive information,” said the suit filed in August, which was stayed by Verini’s bankruptcy filing. “This unencrypted, unredacted PII was compromised, published, and then sold on the Dark Web, due to Defendant's negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data.”
National Public Data was breached in December 2023, when a hacker known by his online handle of USDoD accessed the company’s database of 2.9 billion records, which were reportedly put on the dark web for sale for $3.5 million. Data compromised in the breach allegedly included names, e-mail addresses, phone numbers, Social Security numbers, mailing addresses and dates of birth. By the time Jerico Pictures filed for bankruptcy, more than a dozen lawsuits had been filed by individuals whose information was compromised.
John Yanchunis, a prominent data breach and privacy lawyer who represents plaintiffs in one of the suits against Verini and NPD, said it remains a mystery how the defendants were able to acquire so much personal information about so many people. Given that National Public Data has no significant concrete business assets, the focus of the litigation now is on making sure that the data can’t be used to do more harm, he said.
“If nothing else, we want [the data] destroyed,” Yanchunis told MLex. “How he got that volume of information, to me, is incredible, and he did not protect it.”
—CPPA enforcement—
While the CPPA's claim isn't large, it would be a milestone for the first stand-alone privacy regulator in US history as one of the first monetary civil penalties the agency has handed out. The CPPA declined to comment on its NPD investigation today, but its issues were detailed in its filing in the bankruptcy case.
California state law requires data brokers that have operated as data brokers during the previous calendar year to register annually with the CPPA before Jan. 31 of the following year. The CPPA’s enforcement division notified National Public Data of its failure to register in September, according to court filings. The company subsequently completed the registration around Sept. 18.
The company then filed for bankruptcy on Oct. 2, but National Public Data failed to list the California regulator as a creditor, the CPPA said in a late October court filing. “The bankruptcy filing did not include the Agency on its bankruptcy schedules, nor did National Public Data notify the CPPA’s Enforcement Division in advance of the filing,” the CPPA said.
The amount of $46,000 is based on a daily fine of $200 for failing to register with the CPPA’s data broker registry in time, multiplied by 230 days, the amount of time between the Jan. 31 deadline and NPD’s Sept. 18 registration.
“Although the underlying fine is contingent upon approval by the CPPA’s board, the CPPA’s Enforcement Division preserves its claim that National Public Data owes an administrative fine of no less than $46,000,” the agency said in a filing with the bankruptcy court Oct. 29.
The sometime-actor said he is not completely destitute, however, saying in the bankruptcy filing that he has “ownership of several TV Show episodes that may have residual value.” Verini’s website, salvatoreverini.com, says he is an actor and writer who also produces content on A+E, FYI Network, Amazon and Discovery. Verini said he landed his “first national television role on Burt Reynolds' ‘B.L. Stryker',” a TV series in 1989 and 1990 starring the late Reynolds as a private detective.
Casting records with the TV series, however, list Verini as appearing in only a single episode in 1990 — as an unnamed “student” in an uncredited role — in a series that also starred Ozzie Davis and Rita Moreno.
— One-man show —
The House Committee on Oversight and Responsibility wrote Verini in August, saying that it was concerned that the breach could be “one of the largest cyberattacks ever in terms of impacted individuals.” The committee said it wanted more information.
“The Committee requests a briefing to confirm the veracity of the attack, and if accurate, assess the potential impacts of the breach to the U.S. government, businesses, and the American people, as well as National Public Data’s response to the attack,” the committee said in the letter.
National Public Data said it filed for bankruptcy in early October because it can't generate sufficient revenue to address “the extensive potential liabilities” or “defend the lawsuits” that were triggered by the data breach, which “caused a massive exposure of” personally identifiable information. According to the company, the hacker violated the firm’s security infrastructure and accessed a database containing the Personally Identifiable Information that included millions of records.”
Chapter 11 gives a debtor temporary relief from creditors while a business reorganizes its assets to continue to exist as a viable firm. In its motion-to-dismiss, the United States Trustee argued that National Public Data failed to file an accurate list of creditors and that there “does not appear to be a reasonable likelihood that the Debtor will have a meaningful bankruptcy reorganization in the face of the costs of completing adequate noticing to creditors.”
After a hearing on Oct. 30 that included lawyers representing the FTC, the bankruptcy court dismissed Verini’s Chapter 11 filing, recognizing that he lacked the assets to reorganize. Verini’s lawyer, Angelo A. Gasparri, didn't reply to a message from MLex seeking comment. Verini didn't immediately respond to an e-mail sent to his personal profile website.
National Public Data appears to have been a home-based operation run by Verini himself. “The enterprise maintains no dedicated physical offices. The owner/operator maintains the operations of company from his home office, and all infrastructure is housed in independent data centers,” Verini said in his bankruptcy filing.
Verini said his insurance company had declined coverage for the data breach, and that he had only limited assets, including the TV episodes.
According to Verini’s website entertainment industry profile, after his professional acting career began with "B.L. Stryker," his most recent project appears to be a 2019 reality TV show called “Country Daze,” which has six episodes that can be streamed from Amazon.
Please e-mail editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.