What, if any, steps do you take to minimize the potential of client personal computers being subject to e-discovery during potential lawsuits when their personal home computers are used for work?
What I have so far:
1. Don't allow remote access with personal devices.
   - Doesn't seem practical.
2. Only allow web-based email access (through OWA).
   - Nothing beyond cookies is stored on the local client machine.
3. Allow web-based VPN access to files and email without remote desktop or Citrix support.
   - Access to files via web-based VPN means they're downloadable to the client machine.
4. Allow full-blown VPN access.
   - Just like the computer is sitting on the network. (From an e-discovery perspective, is there a difference between web-based VPN and client- or firewall-based VPN?)
Our users are understandably blinky about their personal computers being subject to e-discovery. Has anyone had to go through e-discovery because of a lawsuit? What policies do you have in place regarding this?
Edited to add
Not using their personal home computers for work is not really feasible. There are instances when they don't anticipate being sick, and therefore do not lug home a work computer, and need to work from home through the VPN.
Let's look at this a different way: what you mainly want is to be able to show that data isn't walking out the door and that all relevant/official data must be inside your network. How important this is to the business and how much they are willing to spend on risk mitigation will drive what kind of solution you implement, but if you have the budget for it my preference is a full Citrix setup where all sensitive data is locked into a dedicated environment and never leaves it. This is a good strategy even for people in the office: if no documents are edited or transferred out of the Citrix environment, then none of the other equipment is in scope. A sequestered environment with its own file servers, mail servers and tightly audited controls showing what data is going in and out can be a lifesaver, both to keep sensitive data from taking a walk and to simplify audits/discovery.
Basically, you're screwed if the other party can convince a judge that people's personal machines may reasonably have information related to the case. You can try to give your side more ammunition to argue that it isn't by enacting (and enforcing!) policies that make it unlikely that company information is going to be there, but ultimately it's not a hard thing for the other side to argue that people may (and that's all it takes -- a may) take work home with them on a USB stick, or send an e-mail from home. Even if you only allow OWA, the browser cache or other history on the home machine may provide useful evidence (say they think that executive X sent an e-mail at a certain time, but the e-mail and all evidence thereof has been obliterated on the mail server, the other side still may want to take a peek at executive X's home machine to see if they were logged into OWA at the time).
The best way to avoid "e-discovery" (and I agree with John, it's a bit of a tosser word) is to not get sued. Given that that's not practical, you're back to "screwed".
Where I work we are actively encouraged to use our home machines rather than use work laptops. There must be tens of thousands within our company that take advantage of this, and it is a strategic part of our continuity of business plans.
The set-up we use is terminal services via SSL. All you need on the client PC is a web browser and Java. We log in via a web page using our DS Gold cards and a PIN and then get the option to open a terminal services session to a server. On the terminal servers we have installed the basic applications we need: MS Office, SQL client, PuTTY, various in-house apps, etc. We can also RDP to our own servers from there or VNC to our own desktops.
A new option they have just added, for those of us with the new standardised desktops, is that instead of choosing to connect to a terminal server we can now connect to our own desktops. You can even take advantage of having multiple screens at home.
Using this method we are always working on the company's own machines. It also means I can use any machine I want. Great if I'm called out when visiting friends. I've even used an Internet cafe.
I'm only a user, so I don't know the specific set-up. The only clue to what we use is the name of the Java applet. From a Google of that, it appears we are using software from HOB. Probably HOB WTS Computing and HOB Desktop-on-Demand.
As an end-user I think it's great. Can't comment on the administration, setup or TCO.
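Both the Citrix answer ("no documents are edited or transferred out of the environment") and the terminal-services answer above rest on the same property: the session host must not let a session push files, clipboard contents or print jobs back to the home PC. The following is an added example, not code from either answerer or from HOB or Citrix; it audits (and, with a switch, enforces) the Remote Desktop Session Host device-redirection policies that Windows stores under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`. The function name `Test-SessionHostRedirection` and the `-Enforce` switch are this example's own; it assumes an elevated PowerShell session on a Windows RDS host (a Citrix deployment has its own equivalent policies, which it does not cover).

```powershell
# Added example (not from the original answers): audit the device-redirection
# policies on a Windows Remote Desktop Session Host so that a session cannot
# copy files, clipboard contents or print jobs back to the home PC.
# Assumptions: run elevated on a Windows RDS host; the function name and the
# -Enforce switch are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value -> the client-side channel it closes when set to 1.
$Redirections = [ordered]@{
    fDisableCdm      = 'drive (client disk) redirection'
    fDisableClip     = 'clipboard redirection'
    fDisableCpm      = 'client printer redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Test-SessionHostRedirection {
    [CmdletBinding()]
    param([switch]$Enforce)

    # The policy key only exists once a policy has been set; create it on enforce.
    if (-not (Test-Path $PolicyKey) -and $Enforce) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    foreach ($name in $Redirections.Keys) {
        # Missing value or anything other than 1 means the channel is still open.
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $closed  = ($current -eq 1)

        if (-not $closed -and $Enforce) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
            $closed = $true
        }

        $status = if ($closed) { 'blocked' } else { 'OPEN' }
        [pscustomobject]@{
            Policy  = $name
            Channel = $Redirections[$name]
            Status  = $status
        }
    }
}

# Report only; add -Enforce to close any channel that is still open.
Test-SessionHostRedirection | Format-Table -AutoSize
```

Run it without `-Enforce` first and keep the report: a list showing every redirection channel as `blocked` is the kind of evidence the Citrix answer refers to when it says the other equipment is out of scope, and any row reading `OPEN` is a path by which company data could land on a home machine. Setting these values here is the same as applying the corresponding "Do not allow ... redirection" policies in Group Policy, so in a domain you would normally apply them through a GPO rather than on each host.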
It depends on what you mean by "client personal computers". If you mean somebody's work PC in the office, then I'm sorry but you have to comply with the law, and if this means having to hand such a PC over to the cops for forensic investigation or whatever, then so be it (yeah, done it a few times).
If you mean a member of staff's own home PC, it's really none of your business what they do or don't do on it, and none of your business either whether or not the cops come-a-knockin' at their door.
Best approach is to learn to distance yourself from personal matters like that and get on with your job, really.
Of course I could have interpreted this all wrong. "During potential lawsuits" and "e-discovery" are also both open to many different interpretations.
Don't let home workstations be used for work. There's no reason for them to be used that way anyways.