Morrisons to be sued by 2,000 staff - BBC News
http://www.bbc.co.uk/news/business-34648404

One good win and this will become very popular.

As this was done by someone illegally (rather than a hack) - are they liable

I guess from my point of view - if someone in my team stole my phone can I sue my employer v someone broke into the building because the company left the door open
Now to me common sense says no to the 1st and yes to the second

I'm not sure that's a good analogy. It's more like your employer handed over your phone to someone else who then flogged it on ebay.

Having said that, I'm not entirely clear what Morrisons did that was wrong exactly. They'd employed this guy as an auditor so he would have had access to their systems. I suppose you can argue that the staff records system should be separate from the financial one to a certain extent but if people want to get paid there has to be an interface somewhere. It's going to be very hard, if not impossible to firewall your internal systems from other parts of the business without making actually running the day to day operation very difficult and/or expensive.

Not sure - To me the person who stole the data (Auditor) could be the Security Guard and was authorised to access the Data (Security Guard - my floor and so take my phone)

I guess it depends on whether he was employed as a member of staff or as a contractor. In either case he needed a certain level of access to do the job he was being paid for and the case comes down to whether he was given more access than he needed for the job he was doing and whether it was foreseeable that he presented a risk and when. At the end of the day it only takes one disgruntled employee with sufficient access to properly bugger up any business especially with the speed at which information can be distributed these days.