Insurance
I seem to remember that in the earlier ruling, when Morrisons asked how they were supposed to have protected themselves against a rogue employee, the judge basically said "that is what insurance is for". You can't guarantee someone won't circumvent the controls they are responsible for, but as there is always a risk then a business should insure against that risk for when they can't protect people's data. Otherwise employees can't get proper compensation and why should they suffer more than Morrisons.