Recently, a large UK shopping chain had the staff payroll database leaked (including bank details, all unencrypted)
We've been told that we cannot take legal action and have so far been denied compensation as although our data was stolen, it wasn't an external breach, it was someone internal leaking the data with privileged access.
In this situation, who takes the blame?