In summary...
Taking the laptop with him on vacation - not a problem.
Having client data available in the clear on the laptop - a problem.
Whose problem? If there was a policy prohibiting the use of confidential data without encryption, or prohibiting its use on mobile devices, or requiring encryption on all mobile devices - he deserved it.
If the security policies were lax, and this poor sap just happened to be unlucky enough to be the first one to lose a device with critical data in the clear, then he's just a patsy.