Jump to content
digitalcarbon

a case for browser based cad

Recommended Posts

Posted (edited)
On 12-4-2018 at 9:12 PM, digitalcarbon said:

 

do you sign a liability agreement (for your clients) accepting liability for the storage of all their data sitting on your HD in your office?

Yes, that is part of the terms of the agreement, for a project for which I have to sign a specific liability and confidentiality agreement any and all information in any form that is considered confidential has to be kept secure as well as under controlled access (i.e. not just knowing who has access, but anyone who has access to any part of that particular information, even if it is only one document of many, has to sign that liability and confidentiality agreement as well). This liability and confidentiality in some cases includes talking about the project with someone else in a public place (.e.g. when having a lunch outside the office, or when a visitor for a colleague is within hearing distance) then you also have to make sure no such confidential information is discussed if others could hear it. Under such an agreement both the office and the individual employee who signed the agreement can be held liable for data leaks/losses.

Apart from that, almost all agreements with clients have a clause about keeping the data residing in the office secure from unauthorized access (e.g. visitors) or to be returned to the client without keeping copies.

Of course there are projects which will go public at some point and then the restrictions are (or become) much more relaxed when most of the information becomes public, but then we still have to keep the original files secure to avoid tampering with the original documents just in case.

 

So all drives (including backup drives) are encrypted, all prints, documentation etc. related to projects get shredded in a paper shredder with a P5 classification minimum when it's no longer needed and all old drives that are discarded get wiped first and then physically destroyed/shredded. There is even a dedicated floppy/CD shredder available (not one of those included with paper shredders that break a CD in a few big chunks but one that is at least a P3 class cross cut shredder).

 

With a cloud provider you just have to believe them on their word they will take similar precautions to keep your data safe, unless they allow you or an independent third party auditor to physically inspect the premises and procedures.

 

One to keep in mind is that even when OneDrive, Dropbox etc. claim that your data is encrypted on their servers that this is usually when they are in a state of rest (i.e. not being worked on). Once you start working on a file it becomes decrypted and therefore vulnerable to unauthorized access. How large that vulnerability is will depend on various factors and may vary from cloud provider to cloud provider.

 

So for confidential information I still wouldn't rely on cloud providers at the moment if I can't use additional protections measures for confidential data (e.g. encrypted containers within an encrypted connection).

 

If your projects don't have/require that level of confidentiality and you do feel comfortable with a specific cloud based provider then feel free to use it if you want. But I think it would be a good idea to have a non-cloud based alternative as well for clients with projects that they consider to be confidential.

Edited by Art V
  • Like 1

Share this post


Link to post
On 13-4-2018 at 7:51 PM, B Cox said:

If you think you would be immune from litigation if your clients information was stolen regardless of them having you sign a liability agreement, you've got another thing coming.  More likely you would have them sign an indemnity clause.

If the client requires you to sign such a liability and confidentiality agreement, they most likely would not sign an indemnity clause that would keep you safe.

It could be an option if you are not working on a project that the client has declared confidential, of after you have handed over all information with proof that you have no copies at all in your possession anymore so that you can shift the full responsibility for the data back to the client.

Share this post


Link to post
On 13-4-2018 at 1:46 PM, Christiaan said:

 

Isn't that what PI insurance is for?

Yes, but only to some extent and only for the financial part, this assuming the insurance could cover the potential financial damages (which may not always be the case depending on project size unless you are willing to pay very hefty insurance premiums).

Share this post


Link to post
On 13-4-2018 at 9:14 PM, Jim Smith said:

So I do see the need and value for some limited cloud based CAD interfaces but I'm convinced that the person/firm who has the overall responsibility should still have to maintain the "parent" file physically on their server or hard drive and act as the gate keeper of all information that is added or subtracted from the parent file.

^This I agree with completely. For personal use I do use some cloud based things as I can see where it can be useful, but even then I won't put any confidential/privacy sensitive information on them without additional safeguarding (e.g. a well and properly encrypted container holding the data (i.e. a password protected word file does not classify a secure).)

 

On 13-4-2018 at 9:14 PM, Jim Smith said:

If a parent file is on a cloud & as Mr Zuckerberg proved this week, even those supposedly in charge of data can't, or won't ensure the safety and veracity of data means Cloud drawing files would be next to useless in maintaining accountably. 

Yet, despite advice from my side to be cautious with privacy sensitive information, some people I know recently still proclaimed that data in a private Facebook group would be perfectly safe as only they could access it. (and of course Facebook (or whatever cloud provider for that matter), which they forgot). Now some of them are getting a bit nervous about this.

 

Unless the cloud provider has a system that even they cannot tamper with, that shows who accessed what, when, where, how and why you are going to have a hard time proving any data leak was not your fault.

 

The new General Data Protection Regulation (GDPR) of the EU that becomes effective soon even will hold you accountable/liable if your cloud provider messes up and leaks the data if you didn't take additional precautions to prevent unauthorized access to confidential/privacy sensitive data (e.g. encrypting the files on your end before uploading to the cloud, or using encrypted data containers etc.).

 

Some companies are contacting me for re-approval of being on their contact list (e.g. newsletter) because of the upcoming GDPR, others don't seem to be doing anything so far. It is estimated that half of those who are going to be affected by the GDPR are still not ready to meet the requirements. Of course the EU is on the other side of the spectrum on this kind of stuff than e.g. the US, so perspectives on this are or can be quite different.

Share this post


Link to post
On 4/15/2018 at 5:27 AM, Art V said:

If the client requires you to sign such a liability and confidentiality agreement, they most likely would not sign an indemnity clause that would keep you safe.

It could be an option if you are not working on a project that the client has declared confidential, of after you have handed over all information with proof that you have no copies at all in your possession anymore so that you can shift the full responsibility for the data back to the client.

 

Was there a point of this beyond my original comment?  Its exactly what I just said?

Edited by B Cox

Share this post


Link to post

Guys, I think we are missing the point...lets back it up a bit...

 

there is legal security and there is mechanical security...

 

i can work for your secure office with all your servers in the basement and sign all the "i will be honest" papers you want...but i could still in 6 months burn the place down as i run out the back door with all your data on a thumb drive...

 

sure, you will have a legal means to get me but the damage is done because i posted all your data on the internet...

 

security is never an absolute 100% in any configuration (its all probabilities)

 

machines need maintenance (& the bldgs they are in) & people need to be trained and kept happy...(a good work environment)

 

i would rather have a trained "Formula 1" pit crew managing my "car" then me having to stop and get out to do my own tire changes.

 

i would rather buy a car that has a good safety track record then try to build my own just because Subaru will not guarantee 100% safety. 

 

i would rather buy a bullet proof vest that has a good safety record than build my own just because they will not guarantee 100% safety.

 

the whole legal argument is about assigning blame...it is not about the mechanics of truly trying to reduce the probability of failures.

 

the last statement is the only thing that i am interested in.

 

 

Share this post


Link to post
2 hours ago, digitalcarbon said:

Guys, I think we are missing the point...lets back it up a bit...

.... the whole legal argument is about assigning blame...it is not about the mechanics of truly trying to reduce the probability of failures.

the last statement is the only thing that i am interested in.

 

 

So it comes down to who/what do you trust. Frankly I don't trust ANYTHING online, especially my livelihood.

 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

 

    • 7150 Riverwood Drive
    • Columbia, Maryland 21046, USA
    • Contact Us | 410.290.5114

 

  • © 2018 Vectorworks, Inc. All rights reserved.
  • Vectorworks, Inc. is part of the Nemetschek Group.
×