While I don't agree with the release of customer information in the manner of the OP, can you provide a link to an authoritative source for the laws you cite? I ask because I don't believe your characterization of the law is correct, at least on a federal level, in the United States, with regard to non-financial information.
Id be happy to find it for you. I may have the order of things wrong there subsections and whatnaught, but as per FTC laws, you are not allowed to divulge living customer's information to anyone but business partners. I found the specific link the New Zealand's equivilent, which is more or less the same, because I believe quantumkiwi is based in NZ, however give me a moment and I'll find the U.S version, and link it.
http://www.business.ftc.gov/privacy-and-security/consumer-privacy
If you start here, there are a list of laws and guides. This section, Financial Privacy Rule (Privacy of consumer financial information) is pretty good, it has a lot of info that pertains to banks and financial institutions, but it also talks about personal information and the definitions of customers under non financial circumstances.
Yes, I'm quite familiar with the law myself, which is why I asked for clarification. I believe you may be confusing what is illegal by statute or regulation, and what is recommended by the FTC as privacy best practices.
No matter, I won't prolong the debate any longer... I just don't like to give big brother more power than he has already taken for himself.
QuantumKiwi, take the good advice you've received in this thread. Legal or not, customers aren't usually in a hurry to do business with a company that may release their information in the case of a dispute.