Managing multi-jurisdictional requirements in the cloud: towards a computational legal landscape

Abstract

Although cloud services allow organizations to transfer the planning and setup to the service provider and thus reduce costs through reuse, these services raise new questions regarding the privacy and security of personal information stored in and transferred across systems in the cloud. Prior to cloud services, personal information was commonly stored within the owning or licensing company's locality where the company maintained its facilities. Cloud services, however, move data to remote, potentially unknown, locations maintained by third parties. The responsibility for data protection and integrity no longer remains exclusively with its owner or licensee, but with these third parties. Thus, both parties must identify and manage the many regulatory requirements that govern their services and products in this multi-jurisdictional environment. To simplify this problem, we are developing methods to extract and codify regulatory requirements from government laws. We apply previously validated metrics to measure gaps and overlaps between the codified regulations. Our findings include a semi-formalization of the legal landscape using operational constructs for high- and low-watermark practices, which correspond to high- and low standards of care, respectively. Business analysts and system developers can use these watermarks to reason about compliance trade-offs based on perceived businesses costs and risks. We discovered and validated these constructs using seven U.S. state data breach notification laws that govern transactions of financial and health information of residents of these seven states.