Requirements Engineering, Volume 17, Issue 2, pp 99–115

A legal cross-references taxonomy for reasoning about compliance requirements


  • J. C. Maxwell
    • Department of Computer Science, North Carolina State University
    • Allscripts Healthcare Solutions
  • Annie I. Antón
    • Department of Computer Science, North Carolina State University
  • Peter Swire
    • Moritz College of Law, Ohio State University
  • Maria Riaz
    • Department of Computer Science, North Carolina State University
  • Christopher M. McCraw
    • Department of Computer Science, North Carolina State University
RE'11 Best Papers

DOI: 10.1007/s00766-012-0152-5

Cite this article as:
Maxwell, J.C., Antón, A.I., Swire, P. et al. Requirements Eng (2012) 17: 99. doi:10.1007/s00766-012-0152-5


Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from non-compliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, and other challenges to regulatory compliance. Requirements engineers need guidance on how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule to determine whether a cross-reference introduces a conflicting requirement, introduces a conflicting definition, or refines an existing requirement. Based on this analysis, we propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.


Keywords: Requirements engineering, Conflicting requirements, Regulatory compliance, Software compliance engineering, Financial systems, Healthcare IT

Copyright information

© Springer-Verlag London Limited 2012