- Company A is liable for civil charges.
- The employee is liable for civil and possibly criminal charges.
- The attacker is liable for civil and definitely criminal charges.
In countries where Civil Law is applied, Company A has "in contrahendo" and "in vigilando" responsibilities. Company A has in contrahendo responsibilities because the company breached a contract and also if the employee happens to have had a criminal record or bad references from previous employers, because it failed to do due diligence when they hired the employee. Does the employee have a criminal record or bad references from past employers? If not, then...
In vigilando responsibility because Company A is responsible for "watching" what the employee does during working hours. Did the company take reasonable steps to ensure something like this doesn't happen, or does this employee happen to do whatever he wants with no supervision? Is it common for these things to happen? Was this the first time? Did the employee take an unreasonable amount of effort to circumvent the company's security? How long was this data exposed? (1 second, 1 hour, months?)
A lot can be done to prove it (how often they report to a supervisor, whether there are security cameras, sysadmin logs, strict firewall rules, good security policies & practices and how they're being enforced, how often passwords are reset).
All of this has to be proven in court (Company B has to prove A was negligent, A has to prove they were not and that this data breach could not be reasonably prevented), which is why sometimes company B may never sue A, unless a lot was at stake.
Is company A liable? Yes. Will they sue? Who knows.
I don't get how Company C's NDA was breached, it is my understanding C was hired to catch the attacker after the data leak happened. If that's the case I don't see how C is liable for anything.
If company C had already been hired by A before the leak to keep their documents safe, then B can sue both A & C; and A can sue C.
But this is not set in stone. If the data from company B that was leaked documents how they pursued illegal activities, the whole thing changes entirely.
Btw this theoretical scenario sounds very real. Contact a lawyer.
PS. Forgot to say that in order to sue for civil charges, the plaintiff must prove they were harmed in some way. If no damage was done to B, then they can't sue.