Because they said the database was unencrypted. Companies don't tell people the database is unencrypted if it's, you know, encrypted (even just a part of it).
The credit card was encrypted while name, adress and date of birth wasnt. Negligence is a
"Conduct that falls below the standards of behavior established by law for the protection of others against unreasonable risk of harm. A person has acted negligently if he or she has departed from the conduct expected of a reasonably prudent person acting under similar circumstances."
Its common practice to not encrypt personal information such as name, address and date of birth. If there is negligence, it will most likely not have anything to do with the name, adress and date of birth database not being encrypted.