Of course it's the attackers themselves who are primarily responsible if they break into your organization's network and steal or expose the data you have there, including information about your customers. But if you didn't protect it from their attacks, does that mean you were asking for it, and should also be considered civilly or even criminally culpable? Is that a "blame the victim" idea, or just a risk that you incur when you opt to collect personal information about others? How much is enough when it comes to the protective measures you take?
Make your opinion known by voting in this poll over at the Sophos Naked Security web site, where they ask the simple "yes or no" question of whether companies should be held responsible for a customer data breach.