RE'11 Best Papers

Requirements Engineering

, Volume 17, Issue 2, pp 99-115

First online:

A legal cross-references taxonomy for reasoning about compliance requirements

  • Jeremy C. MaxwellAffiliated withDepartment of Computer Science, North Carolina State UniversityAllscripts Healthcare Solutions Email author 
  • , Annie I. AntónAffiliated withDepartment of Computer Science, North Carolina State University
  • , Peter SwireAffiliated withMoritz College of Law, Ohio State University
  • , Maria RiazAffiliated withDepartment of Computer Science, North Carolina State University
  • , Christopher M. McCrawAffiliated withDepartment of Computer Science, North Carolina State University

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from non-compliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, as well as other challenges to regulatory compliance. Requirements engineers need guidance as to how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule to determine whether a cross-reference either introduces a conflicting requirement, a conflicting definition, or refines an existing requirement. Herein, we propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.


Requirements engineering Conflicting requirements Regulatory compliance Software compliance engineering Financial systems Healthcare IT