Thinking about it...it's a tough one
As has been mentioned, if you say "No, they can't be held responsible," then all breaches could just be blamed on a rogue employee. But if all reasonable checks and protections were put in to stop data being stolen, but that rogue employee managed to discover a way round said restrictions, then surely you can't blame the company. Especially if those holes weren't massively obvious.
Don't spies operate on a friendly basis? As in, keep your enemies close, hide in plain sight. Be friendly, act trustworthy so that no one suspects. Would you say the FBI is responsible for Robert Hanssen's actions, or was that just a man in a position of trust who knew how to exploit that position?
If Morrisons did everything they could to avoid such a loss yet the person managed to find the tiniest of holes, then surely you can't blame Morrisons.