Detention is probably not going to cut it this time around. According to the Chicago Sun-Times, a former Chicago Public Schools contractor named Kristi Sims stands accused of stealing data pertaining to 80,000 employees, volunteers and vendors from a school database.

The case illustrates the complexity of the client/vendor relationship, specifically when it comes to accountability following the exposure of personal data. Determining where the liability may fall could depend as much on pre-existing contracts as it does any kind of state law.

“The CPS incident brings up a lot of best practices because we see this a lot with respect to schools, with respect health care facilities, with respect to all businesses that hold this identifiable data. They're working with vendors every day,” said Valerie Montague, a privacy professional and a partner with Nixon Peabody.