The US doesn't, as far as I'm aware, have any encoded right to one's personal data. Furthermore, copyright in the US does not extend to databases, such as a list of records. So there isn't a clear legal regime under which to prosecute someone for holding onto records they recieved improperly. Physical property and even some coyrightable data would be a different story.
The City said they were going to go for a fraud and abuse case. I have 0 experience with that subject, but I would assume there would have to be an action, or intent of an action, to make it a crime. I wonder if the data simply existing on a hard drive would be enough to convict.
Now that I think about it, I don't think I have a strong moral conviction against a judge ordering someone to delete data that contains sensitive information they received in error. Jail time and a fine? Absolutely not. Forcing them to delete (and confirming deletion)? Yes.
