Re: Just another tax.
If a company provides a mechanism by which an employee can transfer client's savings to their own account without anyone needing to approve the transfer, no audit picking it up, etc., then I would suggest they should be liable. In this case the employee was doing the transfer to an outside party as part of their job and *copied* the data in the process. Can't really do that with money...
If the data which was being provided to the outside party had gone AWOL then the company should be liable. I don't know enough about this specific case to say for sure if Morrisons should be liable for the data breach, but as a principle of law it seems odd that a company should be considered responsible for the actions of its staff when they are NOT doing what the company has instructed them to do.
If a company has rules in place to prevent data breaches (and suitable technology too) and someone specifically does something against those rules, it has to come down to what measures were in place to stop it being possible or to detect it had occurred before the data could get out of the building.