SSN disclosures and the law

An anonymous reader writes: I recently recieved an email from a US based publicly traded company that I used for income tax services. The content of the email was a screenshot which prominently displayed my SSN. I expressed concern to the company that they chose to send this information over the web in an unencrypted format. The company's response was to offer a verbal apology, explain that it was a one time violation of company policy, and offer a year of credit monitoring service. I think their mishandling of an SSN probably would result in some legal trouble for the company if reported to the government. What sort of fines/other punishment is the company liable for in this case if pursued in court? I'm trying to decide if it's worthwhile to sue them or take the monitoring service and let it go.