Morally? A bit grey, but often when you dig into the details for the cases of businesses unlike individuals, it is a resounding "Yes".
Legally? Depends on the jurisdiction I suppose.
https://www.theguardian.com/australia-news/2022/oct/22/austr...
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
This is for data breaches, but similar laws exist for all sorts of conduct related to negligence in securing and adequately protecting privacy, safety, health, and so on.