It's a little irritating to read all the comments about how this is really easy, standard industry practice, etc. Please give me a fucking break.
Suppose you're running a church newsletter. You're not computer-literate. You want to send a newsletter. You write out the names of church members and their mailing addresses on a sheet of paper, and accidentally leave it at the copy shop. This is legal.
Now, you do the same thing on a computer that you keep locked in your church. You use it to print out labels, you put the labels on envelopes, and you put the envelopes in the mail. Is it really reasonable that you've broken the law here? Most of this information is available in public databases anyway. You don't know "encryption" from your asshole. Your computer runs Windows 98, and there's no network.
To my mind, if "creating a list on paper" is legal, "creating a list in a computer" should be too. If you want to hit %%loss or misuse%% of personal information, write a law that does that. Penalize a lack of security, don't legislate what security is, because every situation is not the same.