Yeah, but far from all people who leak data can be assumed to have technical competence. Mounting a forensics dist and just reading the data off a laptops drive is easy, but not for everyone. Also, connecting to stuff on the company intranet (by stealing the vpn key off the drive and logging in via another computer or live cd) would be mighty suspicious? And any attack where you (say) connect to the presumed VPN with a computer placed in front of the monitored one, letting it transparently forward the "legit" data back home while you connect to internal services from the one in front would also presumably be detected, unless this system doesn't correlate activity on the internal protected services also?