"I have client data on my machines. I have a responsibility, defined in NZ law and other places as well as a simple reasonable expectation by my clients to do the best I can to protect their data. Now I have to wonder how much extra work I should be doing - whereas I would often let them do updates in the past (sometimes a great way to fix corrupted files where all else fails) now I have to think a lot more about those updates and whether or not they could constitute a breach in privacy. And I have to make sure my co-workers are aware of the same issue. Do we risk a privacy lawsuit by allowing updates to run on a machine while it's in our possession?"
Do you risk a privacy lawsuit by NOT allowing updates to run and leaving a hole open by which a hacker can invade your system and pilfer your client files? Sounds like pick your poison to me, especially if the software required for your business can't be run on anything but Windows.