• DBAs are only responsible for a small part of data security. We make sure that only those allowed to access data may access data, according to the rules laid down by Management. For example, I'm sure that the DBAs in Facebook do their job very well. If data is abused, it is usually not the DBA that is responsible for the abuse. I regard the act of whistleblowing as a special case. This is a moral issue.

If a DB-server is kept fully patched, then the DBA is not responsible, should a DB-server be breached by some very new zero-day exploit. If backups are too easily accessible by those not authorised, then the person responsible for taking care of backups is responsible. This may or may not be the DBA. The DBA is responsible for checking, often and regularly, that the backups restore as they should to sound DBs.

Now, if there is a data-breach and the DB-login-password is too weak, easily guessed or not changed in a long time, then the DBA is responsible. Likewise, if the DBAs gave out logins with too many rights (not everybody needs write-rights, for example), then the DBA is responsible, unless the DBA's better judgement was overridden by someone above him/her.

However, if a data-breach happens because the developers insisted that the application user has enhanced rights so that they may save time by using Entity-Framework, then the person who overrode the DBA is responsible, in the event of a data-breach by means of poor coding in the application.

If someone with the authority to order data orders data and then leaks it, the DBA is not responsible. The person who leaks the data is.