No need to be, but this is a bad example because if the company can prove you were wreckless intentionally, they have an easy court case and someone now liable for all damages
.... Never worked for for a company that did training in such a way. The training is mandatory because they are usually required to show these items for their insurances. Usually you have weeks if not months notice and have to renew it annually or some dumb crap. They are also usually done on their training websites. 3 companies I have worked for just deactivate your AD account if you don't get it done in a timely manner. Companies who can lose millions or lose actual information that will hurt other companies and get sued do not mess around with their responsibility on such.
Mom and pop shop.. it wouldn't matter much in the first place. Restore the data, reset passwords and call it a day. Medical, military, or such... No fun.
Negligence of that order would surely be prosecuted.
You mean falling for a phishing scam? You must not have any experience in security if you truly believe that they're going to prosecute someone for that lmao.
Of course, if the employee openly expressed their carelessness and distain for their employer that changes things but that seems unlikely to be the case in reality.