A third-party contractor running a database without password protection...
That should amount to criminal negligence.
and then: ...have been set to "public" in error, since access needed to be open to multiple organizations, including the police and towing and storage companies.
That is (criminal) gross incompetence at work. Anybody not applying a segregated and security-in-depth design must be mandated to pay for any and all possible and potential losses from now to eternity for anybody potentially exposed.
And the C-suite should be publicly flogged.