The Financial Collapse of National Public Data: Key Takeaways

Earlier this year, National Public Data (NPD) experienced a massive data breach, exposing sensitive information of 2.9 billion individuals. This breach has sent shockwaves through the company’s financial stability, leading it to file for Chapter 11 bankruptcy on October 2, 2024. The incident not only highlights the risks companies face in today’s global financial system, but also mirrors some of the broader economic challenges that have persisted since the Great Recession.

The financial crises faced by NPD echo the systemic vulnerabilities seen in major financial institutions during the 2008 financial crisis, when companies like Lehman Brothers and Bear Stearns collapsed under the weight of subprime mortgage issues. Much like the fallout from that era, NPD is now grappling with an overwhelming burden of class action lawsuits, regulatory oversight, and operational losses. The breach puts into perspective how businesses, even outside of Wall Street, are deeply tied to broader economic growth and financial market stability.

With NPD’s limited assets and the high cost of responding to the breach, the company’s collapse could have wider implications, similar to how failing financial firms during the Great Recession affected the broader economy. The incident raises concerns about investor confidence and how financial shocks can ripple through even smaller sectors of the global economy.

The breach comes at a time when the Federal Reserve is managing a delicate balance between monetary policy, inflation control, and safeguarding financial stability. While the unemployment rate remains relatively low, any corporate failure like NPD's can have unforeseen consequences on the broader banking system and housing market, as we’ve seen in the aftermath of crises involving mortgage-backed securities and home prices plunging in the late 2000s.

NPD’s collapse serves as a stark reminder of how vulnerable even non-financial businesses are to the pressures that once primarily threatened banking and financial services sectors. As financial regulators and oversight bodies, much like the Board of Governors of the Federal Reserve System, continue to monitor such incidents, questions about the company’s ability to recover, much like many institutions in early 2009, remain at the forefront of industry discussions.

• What happened?
  Earlier this year, a hacker stole a massive database from National Public Data (NPD), containing sensitive information from 2.9 billion individuals worldwide.
  
• What did the hacker do?
  The stolen data was posted for sale online, putting billions of people’s personal information at risk, including names, addresses, and possibly more sensitive data.
  

• Lawsuits across the country:
  NPD now faces class action lawsuits in several states. These lawsuits have been filed by individuals whose data was compromised, seeking compensation for the breach.
  
• Government investigations:
  Multiple federal and state government bodies are investigating the breach. This includes oversight from the U.S. House Committee on Oversight and Accountability, which aims to understand how the breach occurred and whether NPD followed legal requirements for data protection.
  

• No insurance coverage:
  NPD’s general liability insurance does not cover data breaches. This means that all the financial costs, including legal fees, regulatory penalties, and any compensation to victims, must be paid out of the company’s own pockets.
  
• Mounting costs:
  The financial burden includes:
  
  • Lawsuit settlements: The company will likely have to pay significant sums to settle the class action lawsuits.
    
  • Regulatory compliance: NPD must also cover the costs of complying with government investigations and any fines that may result.
    
  • Notifying victims: NPD is responsible for notifying all 2.9 billion individuals affected by the breach, which can be a massive expense in itself. They may also have to offer credit monitoring services, further increasing costs.
    
• Chapter 11 bankruptcy:
  Facing these overwhelming financial responsibilities, NPD filed for Chapter 11 bankruptcy. This type of bankruptcy allows the company to restructure its debts and attempt to remain in business while managing the crisis.

• What does NPD have?
  After the breach, the company’s financial state looks grim:
  
  • Checking account balance: NPD has only $33,105 in its bank account. This is a very small amount, especially considering the massive costs they’re facing.
    
  • Office equipment: The company owns $5,445 worth of office equipment, such as computers and furniture. This won’t go far in covering their upcoming expenses.

• What does NPD owe?
  The company is facing significant costs due to the breach, which include:
  
  • Legal costs: NPD will need to pay lawyers and settlements for the class action lawsuits filed by people affected by the breach.
    
  • Notification costs: NPD must contact every single person affected by the breach—2.9 billion people—which could cost millions.
    
  • Regulatory compliance: There will also be government fines and expenses as they cooperate with state and federal investigations.
    
• High likelihood of collapse:
  Because NPD’s assets are so small compared to their liabilities, it is highly unlikely the company will be able to survive this breach financially. Most of the company’s money will be drained by lawsuits and legal fees, leaving little chance of recovery.

• What is credit monitoring?
  When a company experiences a data breach, they often offer affected individuals credit monitoring services. This service helps people keep an eye on their credit reports to detect any potential fraud caused by the breach.
  
• Why are people not signing up?
  Many of the people affected by this breach already have credit monitoring from previous breaches, like from other companies they’ve dealt with in the past. This is called a low "take rate", meaning fewer people are interested in signing up for a new credit monitoring service because they’re already covered elsewhere.

• What are class action lawsuits?
  These are lawsuits where a group of people who were harmed by the same incident—like a data breach—sue the company together. In this case, millions of individuals are part of these lawsuits against NPD.
  
• Why are these so expensive?
  Class action lawsuits can result in huge settlements, especially when millions of people are involved. Lawyers’ fees alone can be incredibly high, and NPD may have to pay compensation to each individual affected by the breach. This is expected to be the biggest cost NPD will face in trying to resolve this crisis.

Data breaches are becoming more common and more expensive. This is leading not only to financial strain but also to bankruptcies for companies that can't handle the fallout. Let’s break down why this is happening:

Average cost per breach
The average global cost of a data breach in 2024 has risen to $4.88 million, a 10% increase from 2023, according to IBM. This sharp increase shows how financially devastating breaches can be, even for well-established companies.

• Healthcare sector: Change Healthcare breach
  One of the biggest breaches of the year occurred in the healthcare industry, where Change Healthcare suffered a major data breach. This incident compromised sensitive patient information, causing both financial and reputational damage to the company.
  
• Tech sector: Snowflake breach
  In the tech industry, Snowflake, a company specializing in cloud-based data solutions, also experienced a significant breach. This not only hurt their customers but also damaged trust in the company’s ability to protect the data they manage.

• Why smaller companies struggle:
  Smaller businesses are often ill-prepared to deal with the financial aftermath of a breach. They may not have the financial reserves or cyber insurance to absorb the costs of legal action, victim compensation, and other expenses.
  
• Bankruptcy becoming more common:
  As the cost of breaches increases, bankruptcy is becoming a more likely outcome for smaller companies that can’t afford the high price tag. With millions in expenses and not enough revenue to cover them, many of these companies have no choice but to shut down.
  

• 23andMe’s $30 million settlement:
  Even large, well-known companies aren’t immune to the devastating effects of data breaches. In 2023, 23andMe, a genetic testing company, experienced a massive breach that exposed millions of customer records. They ended up paying a $30 million class action settlement as a result.
  
• Leadership changes and stock decline:
  Following the breach, 23andMe’s leadership faced a wave of resignations, and the company’s stock price plummeted. This shows how a data breach can cause long-term damage to even large, successful businesses.
  

Data breaches can shake the very foundation of a company, threatening not only its financial health but also its ability to stay in business. Let’s dive into why this happens and how companies can protect themselves.

• Steve Cobb’s prediction:
  According to Steve Cobb, Chief Information Security Officer (CISO) at SecurityScorecard, more companies will struggle to survive after a data breach due to the immense financial strain involved.
  
  • Legal costs, regulatory fines, victim compensation, and loss of business can add up quickly.
    
  • Smaller companies are especially vulnerable, but even large businesses are not immune.
    

• Data as a valuable asset:
  Data is incredibly valuable for businesses. It helps them make decisions, improve customer experiences, and grow profits. But this value also makes data a top target for cybercriminals looking to steal or exploit it.
  
• Why criminals want data:
  Hackers steal data to commit identity theft, financial fraud, or sell it on the black market. This makes protecting data critical for any company that handles sensitive information.
  

To survive a data breach, businesses need to focus on cyber risk management. By preparing for potential breaches, companies can minimize the damage and increase their chances of bouncing back.

• David White’s advice:
  David White, co-founder of Axio, stresses the importance of understanding the financial impact of a potential data breach. This means businesses should ask, "What would happen to us financially if a breach occurred?"
  
  • Quantifying cyber risk helps companies prepare for the worst-case scenario.
    
  • It also helps leadership make smarter decisions about cybersecurity investments.

• What is cyber insurance?
  Cyber insurance is a type of coverage that helps companies recover financially after a breach. It can cover the cost of legal fees, compensation to victims, notification costs, and more.
  
• Steve Cobb’s advice:
  Cobb emphasizes that companies need to thoroughly review their cyber insurance policies to make sure they are adequately covered. Many businesses don’t realize they have gaps in their policies, leaving them vulnerable to major costs.
  

• What is an incident response plan?
  An incident response plan is a detailed strategy that outlines how a company will respond to a cyberattack. It helps the business act quickly and efficiently to minimize the damage.
  
• Key components of a strong plan:
  
  • Quicker negotiation: If a breach involves a ransom demand, having a plan can speed up negotiations with the attacker.
    
  • Better data control: The plan helps companies quickly identify what data was compromised and take steps to protect other sensitive information.
    
  • Faster discovery: A good response plan allows businesses to detect and understand breaches more quickly, which limits the damage.
    

Smaller companies, like National Public Data (NPD), are at a greater risk of financial collapse after a data breach. Without the necessary financial safeguards, these businesses can quickly face devastating consequences. In the wake of such breaches, proactive cybersecurity measures are essential for any company handling sensitive data. However, as data breaches rise, so do the associated costs, making cyber risk management and insurance critical for long-term survival in today's global financial system.

The economic crisis caused by data breaches bears similarities to the broader challenges faced by the financial sector during the recession since World War II and the Great Recession. Like the financial panic in late 2008 and early 2009, when Lehman Brothers filed for bankruptcy, companies today are navigating uncertain waters. The policy response to the crisis of data breaches should focus on stabilizing the financial system through reform and consumer protection acts, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

In November 2008, the U.S. government implemented the Troubled Asset Relief Program (TARP) to support systemically important institutions, reflecting the need to protect important financial institutions throughout the system. In a similar vein, businesses today, especially those vulnerable to cyberattacks, must seek assistance and support to avoid becoming the next casualty. Lessons from the onset of the financial crisis underscore the importance of stress testing, as Fed Chair Jerome Powell and the Governors of the Federal Reserve continue to focus on financial stability across sectors, including through financial products like cyber insurance.

Small and medium-sized businesses should take a page from the broader policy responses following the crisis by actively managing cyber risk to prevent collapse. Cyber insurance acts as a vital financial cushion, similar to the role keeping interest rates low plays in stabilizing the economy. By engaging in major reforms and stress testing their own vulnerabilities, companies can be better prepared for future challenges.

As seen during the recessions since the Great Depression, systemic vulnerabilities across industries can have ripple effects on the US economy and global financial markets. The Consumer Financial Protection Bureau and the Financial Stability Oversight Council both play crucial roles in maintaining stability, but businesses must also take responsibility for securing their data.

In today’s interconnected world, the cost of a breach goes beyond just financial loss. The impact is felt throughout the financial system, affecting trust in businesses and the global financial system as a whole. Companies, large and small, must take lessons for the future from past crises and ensure they are fully prepared to face the rising tide of cyber threats and breaches.