Regulatory GRC in the cloud - An explorative comparison of the legal challenges in the European Union and the United States
School of Business |
Master's thesis
Ask about the availability of the thesis by sending email to the Aalto University Learning Centre oppimiskeskus@aalto.fi
Date
2013
Major/Subject
Information Systems Science
Language
en
Pages
136
Abstract
Objectives of the study

The increasingly prevalent use of cloud services, combined with mounting regulatory pressure driven by recent privacy and security incidents, has indicated the need for a better understanding of the legal challenges in the cloud environment. Although technical and business risks have both been documented by academia, few studies have comprehensively considered the legal dimensions. We aim to provide a broad overview of the legal framework surrounding cloud computing as well as the gaps therein. We also propose a framework for structuring regulatory governance, risk management, and compliance in the cloud environment.

Academic background and methodology

The main legal challenges in the cloud environment boil down to questions of obscure jurisdiction, control over data ownership, privacy, and third-party access to data. Because prior work has focused on detailed specifics, few, if any, scholars have attempted to construct what would be most useful from a managerial perspective: a comprehensive overview of the legal landscape, complete with ways to combat its risks. Much the same can be said of governance, risk management, and compliance (GRC) frameworks. Even though GRC models have been studied, for example from an IT perspective, limited progress has been made in developing a framework aimed specifically at providing guidance for ensuring regulatory compliance and minimizing legal risks. In order to assemble a comprehensive view of the relevant legal framework, we study the cloud service contracts of twenty-one service providers in addition to the main regulatory statutes in the European Union and the United States. The empirical material and focal points have been selected based on their significance for both cloud users and service providers in business-to-business relationships.

Findings and conclusions

Based on our analysis of the cloud environment, it is evident that the existing legislative framework is severely crippled by various weaknesses. Even though contracts are extensively used to overcome these deficiencies, even the broadest and most detailed documentation is futile in the face of all the shortcomings. Existing legislation has failed to adapt to modern technologies, remaining fragmented and controversially applied, thus creating conspicuous gaps between a literal interpretation of the statutory texts and the factual use of cloud technologies. Even future legislative reforms are thus unlikely to displace the need for new governance, compliance, and risk management measures focused on legal issues.
Keywords
cloud computing, data protection, privacy, security, legislation, standard contracts, governance, compliance, risk management, GRC, B2B transactions