[PeterisP]

If these are voting records, which are public, it may well be that haven't done anything prohibited even if they intentionally distributed all this data to everyone.

As in, the company didn't want to distribute this data, so it's a breach, and the person who did that would be guilty of stealing the company's confidentional information (i.e. the modelling info) but it seems quite likely that purely (re-)distributing the core data of people's names and addresses doesn't actually violate any US laws at all; US privacy laws (outside of medical data) are very lax compared to e.g. EU.

I could imagine that victims of a future identity theft might have a civil claim against company if/when real losses have occurred, but it's quite possible that if the CEO personally published all this data, filmed all of this, and sent to the prosecutor's office, that no crime (according to current USA privacy laws) could be found there.