Well they could have not put the information on a portable hard drive in the first place. They could have encrypted it. They could have ensured it wasn't left somewhere someone could walk off with it without anyone knowing. I think a few people dropped the ball in this incident.

They can't completely eliminate the risk of insider theft but they can limit who has access to critical information to people who need it and understand the risks. And they can limit what they can do with it to an extent by blocking USB transfers.