Being a Notes user now for over 15 years I am just amazed that any company would not require data to be encrypted locally. It is an IBM policy that all Notes databases are encrypted when local replicas are created. A desktop tool even goes to the point of emailing your manager when an unencrypted database has been replicated locally.
Also being a veteran, this particular case just amazed me that it even happened. Then to hear on NPR that the employee had no authorization to even work on the data remotely just killed me. This is another classic example of what not do to and how important proper procedures and education of employees is far more important than any technology. Kevin Mitnicks book, The Art of Deception, goes well over this entire concept.
Should sensitive data be stored on laptops?