Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Prevent mass file operations?


I have seen clients use LEM primarily as a reporting SIEM with limited active response. In one instance of an active response, the user was locked out of the network - and the user happened to be the CEO. He was not amused. You need to be really careful when constructing an active response.

 

As suggested by curtisi, you can try to disable the offending account, but the mass copying of a folder happens too quickly.

However, you can try to limit the copy operation to once per second. Any more than that could result in an account lockout. In theory it could work, but I have not seen this implemented.

Ultimately, if the person is leaving the company, his account should be locked BEFORE the person is given notice of termination.

 

If files are moved or deleted by accident, there should be other mechanisms in place to handle that situation.

 

Amit Shah

Loop1 Systems
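
The once-per-second threshold described in the reply above, sketched as an added example that is not part of the original post and is not LEM/SEM rule syntax. The event tuples, account names, the `alert_only` list and the action labels are all assumptions made for illustration; the `alert_only` list reflects the caution about locking out the wrong person.

```python
from collections import defaultdict, deque

# Constructed sample file-audit events: (epoch_seconds, user, operation, path)
SAMPLE_EVENTS = [
    (100.0, "jdoe", "copy", r"\\fs1\finance\q1.xlsx"),
    (100.2, "jdoe", "copy", r"\\fs1\finance\q2.xlsx"),
    (100.4, "jdoe", "copy", r"\\fs1\finance\q3.xlsx"),
    (100.0, "asmith", "copy", r"\\fs1\hr\policy.docx"),
    (102.0, "asmith", "move", r"\\fs1\hr\policy.docx"),
    (104.0, "asmith", "delete", r"\\fs1\hr\old.docx"),
    (200.0, "ceo", "copy", r"\\fs1\board\deck1.pptx"),
    (200.1, "ceo", "copy", r"\\fs1\board\deck2.pptx"),
]


def evaluate(events, max_ops=1, window=1.0, alert_only=frozenset()):
    """Return {user: action} for users exceeding max_ops operations per window.

    Accounts in alert_only (hypothetical list of accounts that must never be
    locked automatically) get an alert instead of an account disable.
    """
    recent = defaultdict(deque)  # user -> timestamps inside the sliding window
    decisions = {}
    for ts, user, _op, _path in sorted(events):
        q = recent[user]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_ops and user not in decisions:
            decisions[user] = "alert" if user in alert_only else "disable_account"
    return decisions


def ops_after_trigger(events, user, max_ops=1, window=1.0):
    """Count operations by `user` that still ran after the threshold fired."""
    times = sorted(ts for ts, u, _op, _path in events if u == user)
    for i in range(max_ops, len(times)):
        if times[i] - times[i - max_ops] < window:
            return len(times) - (i + 1)
    return 0


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, alert_only={"ceo"}))
    print("jdoe ops after trigger:", ops_after_trigger(SAMPLE_EVENTS, "jdoe"))
```

`ops_after_trigger` counts the operations that completed after the threshold was crossed, which is the timing gap the reply points out for a response that only disables the account.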

