Abstract
Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from non-compliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, and other challenges to regulatory compliance. Requirements engineers need guidance on how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule to determine whether the cross-reference introduces a conflicting requirement, introduces a conflicting definition, or refines an existing requirement. We propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.
Acknowledgments
This work was partially supported by the Army Research Office managed by the NCSU Secure Open Systems Initiative, NSF ITR grant #0325269, and NSF Science of Design Grant # 0725144. We thank the members of ThePrivacyPlace reading group for their comments.
Maxwell, J.C., Antón, A.I., Swire, P. et al. A legal cross-references taxonomy for reasoning about compliance requirements. Requirements Eng 17, 99–115 (2012). https://doi.org/10.1007/s00766-012-0152-5