I think this is about the degree of liability and whether sufficient precautions were indeed taken; and in the case of someone in the payroll department being able to dump personal details so easily, this does not seem to be the case.
Companies find it often very easy to pin the blame on "rogue" individuals. The banks did this over LIBOR and Wall Street apparently over ever had a few "rogue" traders during the financial crisis.