Hmmm... in this age where GPRS/HSPA cards are getting cheap maybe it's time for "dumb" laptops which know nowt except how to connect to home base (and can therefore be blocked on loss) and any personal info to be held server-side only.
This as part of defence in depth - biometrics, HD encryption, MAC filtering at VPN server, maybe a separate GSM-mil network to run the cards on etc. etc.