As to negligence, well, we will have to see. It could be that any company, given the security, would have little reason to also encrypt, plus or minus one major hole. It could have been the PS3 being trusted so heavily that opened up the personal data, which would be negligence. It could be some guy managed to get private info on a higher-up and guess his password through social engineering, in which case their security system would hold no fault in this (people are dumb, after all). Taking the PSN down still makes me lean toward it being PS3-related, but I again add the caveat that there is no concrete evidence I can back this up with.
Your logic does make sense; it's possible that it is the case, but there's other valid logic too. So, I'll let the judge decide whether Sony knew or not, and let's not forget: whether it was likely enough to justify telling your customers before getting the confirmation.