Abstract
The purpose of this proposal is to explain legal issues in cloud computing, as it is an emerging information technology field. It is one of the most notable developments in the field of information technology. Legal issues for cloud computing are also related to privacy issues because inappropriate and unauthorized access to data and information in the cloud computing environment has been intended to be eliminated. Some legal issues have been reviewed, and qualitative research methods have been employed in this proposal as any pilot study has been included. Privacy issues in cloud computing have been emphasized in this paper. These issues are important because laws between the two countries are being discussed around privacy issues. However, it is proposed to employ quantitative research methods for the proposed research. In the presence of Sarbanes Oxley Act and the USA Patriot Act, it does not affect the company doing business in the US and having servers of the service provider in Argentina as the US law may ask for information from the bank in the US. Thus, the bank must have given this information to the service provider. Otherwise, it should have given permission. The business would not be affected very much because of these laws and applicable to every organization in the US. It is proposed that research should be conducted to find legal issues in this regard so that the relationship among organizations may be made smooth and normal. It is recommended that a cloud computing environment should be equipped with being able to perform under emerging legal issues.
Key Words: Legal Cloud Computing, Privacy in Cloud Computing, Legal Issues, Sarbanes Oxley Act, and the USA Patriot Act
Introduction
Cloud computing is one of the recent developments in technology, and it has become a significant development through which businesses and parties share information and data. One of the most pressing and legal and ethical issues in cloud computing these days is related to privacy specifically. In simple words, intrusions and illegal entry into the cloud computing environment are required to be stopped. There are several laws which may be used to deal with legal issues related to cloud computing, and they include the Sarbanes Oxley Act and the US Patriot Act. However, these laws are not adequate and enough to deal with this emerging field of cloud computing; therefore, it is proposed to research on this issue. An example has been taken to discuss this issue in detail where the client and service provider of cloud computing belong to two different countries. Cloud computing is an emerging and important field where privacy-related issues are going to be critically important because there are increasing incidents of intrusions and data theft in this field.
The significance of the Study
There are some issues around cloud computing, and they are linked with the legal domain. These issues are related to the ability of parties over the use and control of the data in the cloud computing platform. Cloud computing is widely used, and there is rich literature around it to express an issue and concern about it. So that businesses and parties can work and do business smoothly. This study aims to offer legal issues in cloud computing, which are also linked with privacy issues broadly. The study would highlight how service providers, customers, and third parties interact with each other and the legal issues emerging from their interaction. The study would be important as it has shed light on the legal perspective of cloud computing.
Scenario for the Paper
The paper explains the legal issues in cloud computing, and the scenario in which the paper has been written is about service provider and customer belonging to two different countries. It is assumed that I am a bank and doing business in the US. The banking data are on a cloud while its servers are in Argentina. The US asks for data and information from the cloud. The paper would answer under this scenario, whether it is allowed under US or Argentina laws? Are there any problems related to business and law enforcement? There are some issues highlighted in the research (Bowen, 2011). The answers under the scenario would be given in the discussion section of this paper, but before this, the literature review follows this chapter. In the literature review, legal issues in cloud computing have been reviewed.
Objectives of the Study
The following are the objectives:
- To explain legal issues in cloud computing
- To explain the interaction between the service provider and customer in the cloud computing environment
- To refer to the laws of the US and Argentina regarding legal issues in cloud computing
Literature Review
Legal issues surround privacy issues because legal issues emerge when the data is under the risk of being accessed by the third party. There are some legal issues which should be agreed upon by the service provider and the customer of cloud computing (Reeta, Sri, and Bhukya, 2013).
There are some legal issues as well as privacy concerns regarding the governance of law and jurisdiction. Virtually, a service provider of cloud computing makes it confirmed that it would be legally bound under the laws of its own country. In the result, all disputes would be presented before the courts of the country which provides the cloud computing services. However, customers of cloud computing may demand to amend this clause and may ask to bring legal cases and disputes to their own country. It may not be possible, but it may be possible if the service provider is a large multinational corporation. Its significant magnitude may make it feasible to be answerable to courts in different countries. However, it may also be possible that there is not any statement or provision regarding the possible legal battle between the parties because it may be left in the situation when such situation arises (Bigo et al., 2012).
There is an important legal issue regarding cloud computing about the data location. Regarding data location, service providers have the upper hand, and they usually ask explicitly to have data of their customers in any location. These locations may be multiple locations, and it may be one location because it is up to the requirements and needs of the service provider of cloud computing. However, maintaining data at different and multiple locations is also favorable to the privacy and security of the data and information in the cloud. However, having data in multiple locations may also affect cloud computing in terms of issues of export control and having the provisions in the contract regarding extraterritorial storage (Charlebois, Palmour, and Knoppers, 2016).
There is an essential aspect of cloud computing and related legal issues when it relates to the privacy and confidentiality of data on cloud computing. Data on cloud computing should have a specific purpose, and it cannot be used other than stated and communicated purposes. An example of this can be given that a customer record of interests and preferences of products can only be used for findings and exploring the interests and purposes. There are contracts between the service providers and the customer regarding data outsourcing. Moreover, there is legally binding that data would not be disclosed to the third party without the authorization of the original two parties. There should be an explicit description of this that the data would be used specifically for stated purposes (Pearson and Benameur, 2010).
Legal issues for the security of the data are critical because data security is of fundamental importance. When service providers are expected to ensure data security that they limit themselves to reasonable security levels or they try to match their security mechanism to industry standards, however, these standards of security may be questioned and concerned because they may not fulfill the requirements of data security. There should be periodic development and rise in the security controls of the data under which service provider should inform the client regarding security breaches and loopholes. There should be an independent security mechanism of security between the parties (Islam, Manivannan, and Zeadally, 2016).
There is another issue which is related to the data access to e-discovery. The service of cloud computing should be understood in terms of architecture and design, but it is also stated that it is not a necessity at all. For the preparation of e-discovery, knowledge of the format and data access tools are needed. These e-discovery requirements cannot be fulfilled if there is no knowledge format of the data storage. It is noted that some service providers of cloud computing do not provide data access tools which make e-discovery into a cumbersome and time-consuming task for the client (Lawton, Stacey, and Dodd, 2014). Around this need of cloud computing, data access for e-discovery is a very important legal issue (Kaufman, 2009).
Legal issue regarding the end user’s responsibility is also crucial in this regard because there should be responsibility on the shoulders of end users as well. It is an obvious legal issue between the client and the service provider of the cloud computing under which service provider makes it part of the contract that the client should abide by the end user’s responsibility under the contract with the service provider. In case of a third party’s use of data in the cloud computing, the service provider may agree with a third party as well under which the data can be shared with the third party by the client as well. In the result, the parties have to comply with the terms and conditions of the service provider of cloud computing (Damenu and Balakrishna, 2015).
In a nutshell, legal issues of cloud computing surround the concept that inappropriate and unauthorized use of data in cloud computing should not be allowed. The service provider may transfer the responsibility of the customer that data and information should not be used in an inappropriate and unauthorized manner. For this purpose, the customer has to be responsible so that data cannot be used other than purposes which are not mentioned in the contract. However, services in the cloud computing might not be in total control of the customer because the service provider has the control over the system of cloud computing, but the customer may inform the service provider of inappropriate and unauthorized usage of cloud computing. It is beneficial for the security and privacy of customer data as well because the service provider would know how unwanted persons and groups can use data. Moreover, it is legally binding on the customer to stop the usage of data in an inappropriate and unauthorized way (Marchini, 2012).
The service provider has the right to suspend the accounts of end users; and this can be specified in the contract signed between the service provider and the client. If it is mentioned and included in the contract between customer and service provider, then it is legally binding that service providers can suspend the account over noncompliance of terms and conditions. However, there is a possibility that the customer can limit the ability and control of the service provider in suspending the account. There might be a statement of rights between the two immediate parties so that the suspension of accounts can be acceptable for both parties. There are also emergency security issues as well under which service provider can suspend an account because of emerging security issues (Winkler, 2011).
Legal issues related to service suspension and termination are very important because these aspects of the relationship between service provider and customer ensure the long-term healthy relationship between the two parties. However, it is a typical right of the service provider to suspend and terminate an account, but it has to tell the customer regarding its decisions and justification for the decision. There must be something against the terms and conditions set by the service provider under which the account can be terminated. However, the customer should be given time to engage and take the services of an alternative provider. Moreover, the data should be accessible to the customer before completing the termination process. The data would be available for the customer for a specified period. Thus, legal issues regarding termination of cloud computing platform or account are very serious issues to be addressed by both of the parties (Gonzalez et al., 2012).
Methodology
This proposal has adopted the review-based methodology because the purpose of this paper is to identify a gap which can be filled by research on the topic. Legal issues in cloud computing have been reviewed in the literature review section of this paper, and then the discussion has been done based on this literature review. Moreover, the laws of the United States and Argentina have been used to draw findings under the given scenario where a bank has to provide information to the service provider present in Argentina. The qualitative research approach has been used in this paper because of the nature of explanatory research. The purpose of this paper is to explain legal issues and furthermore; the aim is to explore further issues in legal issues in the emerging cloud computing systems (Moylan, Derr and Lindhorst, 2015).
The use of a qualitative approach in this paper has served two purposes. First, it has opened the course of research in which research studies have been invited to have their findings in the domain of cloud computing. Thus, the paper has been able to have findings from different sources. Second, the use of a qualitative approach has served the purpose to invite future research in the field of cloud computing. It is a qualitative research approach which has been employed in this paper, and it has drawn attention for future research on the topic.
But this proposal proposes to research by using quantitative research where the target audience would be the customers using cloud computing. It is proposed to conduct this research to find legal issues on cloud computing by getting responses from organizations using cloud computing. Thus, these organizations would be the target audience.
Ethical considerations have been observed in this paper, and the methodology of the paper has embraced ethical considerations. The research studies used in this paper have been properly referenced, and researchers have been acknowledged for their research work. However, the findings of this paper are the outcome of this paper which has been drawn in light of the given scenario. Moreover, the reliability and validity issues of qualitative research have been fulfilled as qualitative research methods are reliable and valid in drawing findings from the reviewed studies.
Discussion and Findings
Discussion
There are some legal issues in cloud computing which have been emerging from the review of literature in this study. There are issues regarding governing laws and jurisdiction which is especially important in the context of the scenario in which the laws of the US and Argentina might be facing each other. It is because of the data location as a service provider has the right to store the data on multiple geographical locations, and it increases the jurisdictional issues. The service provider aims to ensure the privacy and confidentiality of the data along with the security of it. The cloud computing environment makes it possible that the data is in the hands of multiple parties and the security of data should be ensured. There is an end-user responsibility, but the service provider has the upper hand. The primary issue around the cloud computing environment is to stop and eliminate unauthorized and inappropriate usage of cloud computing data. There is control of service provider regarding suspension and termination of end-user accounts, but the customer might have its say on these issues. All of these issues are important legal,and the law should address these issues. However, the most important aspect of legal issues is related to jurisdiction.
Above legal issues have been taken from the literature review of this paper while the scenario of the paper asks the stance in the sharing of information and data between two jurisdictions. In the given scenario, the US is asking for information from the cloud computing environment, and the servers are in Argentina. It means that there should be some law or legal support between two countries to comply with this US demand under which information about the bank can be provided to the US. Moreover, there should be an agreement of service provider as well to provide information to the third party which is the US government in this situation. For this purpose, the US laws and the nature of the organization should be analyzed in light of the legal and privacy issues highlighted in this paper.
The bank is a US bank, and it is a financial institution. Any financial institution or bank is highly sensitive regarding data, and the government has laws to make it comply with those laws. A bank cannot remain in business without complying with laws. The bank is in the US, and it has been using the cloud computing environment of which servers are in Argentina. Issues are related with privacy and confidentiality of data. Moreover, banks and their operations are also subject to laws in the US.
Findings
Some of the important issues related with cloud computing are related to privacy and confidentiality. Legal guidance on these issues is very important because companies cannot ask personally to another company that information should be provided. These issues can be solved and discussed through getting help from the laws.
The paper finds that the Sarbanes Oxley Act of 2002 has provisions for all companies in the US if they are publicly traded to have their internal controls regarding financial reporting. These internal controls are not only related to financial matters, but they are also related to information technology systems. Companies should document, test, and maintain those controls so that the information remains protected and secure in the organization for law enforcement agencies. In this way, legal issues related to confidentiality and privacy can be solved by getting help from the laws of the US.
The provision of the USA Patriot Act allows the law enforcement agencies access to the data and information to them which are accessible in the US or accessible from the US. The bank is in the US, and it is accessible by law enforcement agencies; therefore, it is mandatory under the US laws to give security and intelligence agencies access to the data and information stored in the cloud computing environment. Thus, there is not as such need of a treaty between the two countries and the US laws apply to the bank situated in the US. However, having a treaty between the two countries would be very effective. On the other hand, the bank should have informed the service provider of these US laws so that there is no objection by service provider regarding the use of data by a third party, i.e., the US government and its law enforcement agencies.
Conclusion
The paper concludes that some legal issues surround the cloud computing environment, and these issues are very important to consider. The explanation of legal issues in cloud computing has given the idea of different legal issues which are essential in cloud computing. Notably, these issues are related to the prevention of unauthorized and inappropriate access to the data; therefore, security and privacy have been highlighted. The most important legal issue relates to jurisdiction as data and information in the cloud computing environment should be stored between two countries and should be protected and secured through the legal system.
The objective of this paper has also been to explain the interaction between the service provider and the customer in a cloud computing environment. For this purpose, the bank in the US and the servers in the cloud computing environment in Argentina has been discussed. It is legally binding on the bank in the US to comply with the US laws under which it has to share information to the US law enforcement agencies. The bank should have taken permission from the service provider to share the information with the third party as it is legally binding on it. Thus, the paper has highlighted that there are legal issues which should be considered in the cloud computing environment and these issues are mainly related to privacy issues as well. It is recommended to take these legal issues in cloud computing very seriously so that this emerging and fast developing domain of information technology cannot face any hurdle or problem.
References
Bigo, D., Boulet, G., Bowden, C., Carrera, S., Jeandesboz, J., &Scherrer, A. (2012). Fighting cybercrime and protecting privacy in the cloud. European Parliament, Directorate General for Internal Policies, Policy Department C: Citizens’ Rights and Constitutional Affairs.
Bowen, J. A. (2011). Legal issues in cloud computing. Cloud Computing: Principles and Paradigms, 593-613.
Charlebois, K., Palmour, N., &Knoppers, B. M. (2016). The adoption of cloud computing in the field of genomics research: the influence of ethical and legal issues. PloS one, 11(10), e0164347.
Damenu, T. K., &Balakrishna, C. (2015, September). Cloud security risk management: A critical review. In 2015 9th International Conference on Next Generation Mobile Applications, Services and Technologies (pp. 370-375). IEEE.
Gonzalez, N., Miers, C., Redigolo, F., Simplicio, M., Carvalho, T., Näslund, M., &Pourzandi, M. (2012). A quantitative analysis of current security concerns and solutions for cloud computing. Journal of Cloud Computing: Advances, Systems and Applications, 1(1), 11.
Islam, T., Manivannan, D., &Zeadally, S. (2016). A classification and characterization of security threats in cloud computing. Int. J. Next-Gener. Comput, 7(1).
Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security& Privacy, 7(4), 61-64.
Lawton, D., Stacey, R., & Dodd, G. (2014). eDiscovery in digital forensic investigations. CAST Publication Number 32/14.
Marchini, R. (2012). Cloud Computing: A Practical Introduction to Legal Issues, BSI Standards, 2010. Market, 3 Journal Of Intellectual Property. Information Technology and E-Commerce Law, 12.
Moylan, C. A., Derr, A. S., & Lindhorst, T. (2015). Increasingly mobile: How new technologies can enhance qualitative research. Qualitative Social Work, 14(1), 36-47.
Pearson, S., &Benameur, A. (2010, November). Privacy, security and trust issues arising from cloud computing. In 2010 IEEE Second International Conference on Cloud Computing Technology and Science (pp. 693-702). IEEE.
Reeta, S., Sri, K., &Bhukya, D. (2013). Data Protection and Cloud Computing: a Jurisdictional Aspect.
Winkler, V. J. (2011). Securing the Cloud: Cloud computer Security techniques and tactics. Elsevier.
Yimam, D., & Fernandez, E. B. (2016). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1), 5.
