The client was protecting all corporate information by storing it on secure servers behind a second set of firewalls and monitoring it with an IDS. This was a good plan, but it ignored the human factor. It's good to trust employees, as that makes for a healthy relationship and helps engender employee loyalty, but the organization still must take the proper steps to ensure that all employees are trained to perform their duties properlyincluding learning how to use technology securely. Employees must understand exactly how their actions may threaten the organization.
This generally calls for implementing security-awareness training that explains these issues to employees, including not to keep local, unauthorized copies of any corporate information in less secure places. You may also need to perform periodic checks of the filesystems, either by searching all user files (raising a privacy issue) or by these kinds of penetration tests.
Make sure that you secure the local administrator accounts on NT workstations. This is a popular way to gain unauthorized access to NT machines.