Worrying level of blame redirection.
There seem to be conflicting issues.
(1) a company shouldn't be able to wash its hands of something an employee does under all circumstances
(2) a company shouldn't be liable for what an employee does under all circumstances
As reported, the employee had legitimate access to the data and decided to make an extra copy. I would guess that most sysadmin types have the ability to do this undetected at some time or other (see virtually every Who Me? episode).
Analogies are always dodgy, but without total mind control how do you prevent employees breaking the law? Does every employee have to have another employee monitor every keystroke? Should every employer institute a strip search including major bodily orifices every time an employee enters or leaves the workplace? If an employee working from home downloads porn onto a work PC, is the company liable? I (think I) know that if someone manages to sneak drugs onto your property without your knowledge or consent you are still liable under English law.
Bottom line: it isn't clear how Morrisons could, within normal business constraints, have prevented this. It may rest on how reasonable it is to have all external access (USB and other exchangeable media such as CD/DVD) disabled on all machines and all data in and out of the network heavily inspected for signs of illegal transfer. However, you are then heading towards military levels of security and the consequent costs.
Also worrying is the mention of insurance, which seems to suggest that the business should not go to the expense of policing the workplace and instead just insure against any fine. Very financial industry where fines for breaches of regulations are often treated as the cost of doing business.