Over my career, I've known of only one universal truth:
A company's security is only as good as its most retarded user. And while the upper management & HR types target all security policies and procedures at the worker bees in the trenches, the fact is, some of the most prolific offenders are those in the upper echelon.
I don't know how many times I've been approached by an executive demanding unrestricted access to the internet, and much to my boss's dismay, I will drag my feet and attempt to explain why this isn't always the best idea. When that doesn't work, which for most of the higher grade folks it doesn't, I explain how the corporate network isn't a democracy, especially in our line of business. They charged my department with safeguarding the information, our equipment and our user community, which is a responsibility I take extremely seriously and very personally. And after getting caught up in the US government's OPM debacle, I've come to the conclusion that I would rather be fired by an executive for being a hard ass than for being too lax and irresponsible.
So, when I hear about unfortunate situations like this, it makes me furious that the corporation attempts to shirk all responsibility and liability. At the very minimum they should pay for several years of credit record and identity fraud detection. Then they should help minimize the liability to any employees who've been victimized by identity fraud.