Thank you all for your opinions and insight. Today I will talk to the powers that be and offer them 2 options.
1- Pursue legal prosecution (FBI)
2- Prevention and Preservation

Since this is there decision I will try to inform them with what I know and some of hte insight you have provided. I understand the ramifications of both and appreciate all your input. Once the powers that be decide what it is they want to do I will post here once again.

As several people stated I was hoping to get more information regarding the option to preserve and prevent, however, after reading JP post it is evident that there is so much hardware and software that will need to be examined, tested, and rebuilt.

The recommendation has been made to start with the router and I understand the reasoning. Changing admin passwords and verifying the access list is a great place to start.
My question is this. Why not start with the Active directory accounts and work from the Exchange Server out to the router since that seems to be the target? There is a webmail interface on an external website. My bet is that he has an admin account on the Exchange server and is using the webmail interface to look in peoples email folders........ Comments? Or suggestions for locking this down?