In response to your question, there were two particular policies that are relevant here: first, employees have a responsibility to report incidents; second, data that's sensitive should be encrypted before it's put on any particular portable storage device.
On February 14th, 2013. See this statement in context.