Liability at the coproate level depends on what controls, policies, and procedures a corporation has in place. I wouldn't put much liabillity on a corporation that has clear, well defined policies in place regarding protection of information, and can document that the policies are communicated to employees. Evaluation of information protection and system controls is part and parcel of every project we do. No project is considered so important that we can skip those steps. That philosophy is drive by senior management, so it is very effective.
If a corporation has the policies and procedures in place, and an employee does someething stupid and loses data, then the employee should be liable, perhaps criminally.