Just got a call from the IBTS to clarify the situation for me, here are the highlights;
1. Yes, the IBTS knew that employees of the NYBC would be transporting confidential data around on their laptops and bringing it home because they would have to be working late hours on this project, so the IBTS gave them permission to do this.
2. Regarding the statement in the letter that the data was "encrypted with a 256-bit encryption. Those records were transferred to a laptop and re-encrypted with a 256-bit encryption", the person I spoke to said that he didn't really know what that actually meant, maybe the data was unencrypted at some stage and maybe it wasn't, but was happy to confirm that, yes, the laptop mentioned here was the laptop that was stolen.
3. I queried the statement "To our knowledge there has never been a report of a successful attack against a 256-bit encryption key.", he said that this was what he had been told by the NYBC and they took care of all of the encryption stuff.