The problem, and it is likely the same in California, is that many of the data privacy laws are written to address breaches incurred by third-party action. In this instance, however, it was their own idiocy that allowed the situation to exist, and it therefore becomes a murky area of the law.
I am not, quite frankly, satisfied with the responses I have received from them either by phone or email. I have not had the opportunity today to look at whether the protections and guidelines of the Gramm-Leach-Bliley (sp?) Act will apply here or not, and there are some other potential statutes that may apply to the improper handling of sensitive data such as SSN. Strictly speaking, there is also a backdoor claim of a breach of contract if one could apply their own privacy policy appearing on the website to the lack of attention they have paid to the use of data that had no business being in an addressing database.
I *am* glad to see through Tennelle's post that I was not the only one upset by this fiasco. I only wish that the in-house counsel and the executive staff took the matter as seriously as did those of us whose personal data they were so careless with.
Edited on 11/7/2006 5:07 PM