Efferri wrote:Keylog the suspected user's terminal. This will eliminate any legal issues (I am assuming the terminal and IT equipment is owned by the company)... Keylogging will also eliminate encryption as an obstacle.
Plus, if you AREN'T who you say you are, it will be a little more difficult to install a keylogger and have logs sent to you remotely. Problem Solved.
Mmmmm, that is not completely correct, and no offense intended Efferri but just hear me out a sec. I have been dealing with legal issues like this for a major Fortune 100 Financial institution for years now and have a lot of experience in this area (preventing data leakage and prosecuting those who would sell your trade secrets).
I have seen employees successfully sue their employers for tactics like that EVEN when their is a signed agreement acknowledging no expectation of privacy on company owned equipment. This type of tactic CAN fall into the realm of violating your employees rights even if you own the equipment and is very tricky to handle in court, because you have selected THAT employee for a level of monitoring beyond the rest of your employees it can also fall into the realm of discrimination.
Personally I would avoid this type of situation altogether and deploy a tool like Vontu as Don suggested. It is forensically sound, generally accepted as a standard in legal communities for IP (Intellectual Property) loss cases and keeps your company protected from discrimination responses from your employees.
CEPT, CREA, C|EH, MCSE:Security (too many others that I don't care about to list)