Is unintended release of personal information negligence?
Some of us have speculated that at some point a court will decide that an unintended release of data might be considered negligence, and thus find liability. In other words, that in the right situation (right situation legally - wrong situation from any other point of view) a judge may find that the information release would not have happened if the entity had appropriate security in place. The threshold for negligence in such a situation is not clear - so it may not be tested unless the breach is blatant.
Techdirt reports that the FTC just fined a US company for revealing private data, saying that inadequate data security can be an unfair business practice. It's only a matter of time before we see this theory tested - probably in a class action suit. Read the Techdirt post