Requirements Engineering

, Volume 18, Issue 2, pp 147–173 | Cite as

A cross-domain empirical study and legal evaluation of the requirements water marking method

  • David G. Gordon
  • Travis D. Breaux
RE 2012


Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. Companies are subject to new regulations from one or more governing bodies, when companies introduce new or existing products into a jurisdiction, when regulations change, or when data are transferred across political borders. To address this problem, we developed a framework called “requirements water marking” that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) to produce a single high or low standard of care. We evaluate the framework in two empirical case studies covering a subset of U.S. data breach notification laws and medical record retention laws. In these studies, applying our framework reduced the number of requirements a company must comply with by 76 % across 8 jurisdictions and 15 % across 4 jurisdictions, respectively. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts to contextualize our empirical results in legal practice.


Legal requirements Requirements comparison Requirements reconciliation Conflicts 



We thank the CMU Requirements Engineering Lab for participating in reviews of our research protocol and early drafts on this manuscript, and we thank the International Association of Privacy Professionals (IAPP) for allowing us to recruit survey participants through their Global Privacy Summit. This research was supported by the U.S. Department of Homeland Security (Grant Award #2006-CS-001-000001) and Hewlett-Packard Labs Innovation Research Program (Award #CW267287).


  1. 1.
    American Health Information Management Association (1999) Practice Brief. Retention of Health Information (updated)Google Scholar
  2. 2.
    Bobkowska A, Kowalska M (2010) On efficient collaboration between lawyers and software engineers when transforming legal regulations to law-related requirements. In: 2nd International Conference Information Technology, pp 105–109Google Scholar
  3. 3.
    Bogner A, Littig B, Menz W (2009) Interviewing experts. Palgrave Macmillan, UKGoogle Scholar
  4. 4.
    Breaux TB, Anton AI, Boucher K, Dorfman M (2008) Legal requirements, compliance and practice: an industry case study in accessibility. In: IEEE 16th International Req’ts Engr. Conf., pp 43–52Google Scholar
  5. 5.
    Breaux TD, Gordon DG (2011) Regulatory requirements as open systems: structures, patterns and metrics for the design of formal requirements specifications. Carnegie Mellon University Technical Report CMU-ISR-11-100Google Scholar
  6. 6.
    Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems. Ph.D. Thesis, North Carolina State UniversityGoogle Scholar
  7. 7.
    Bryan Cave LLP (2006) Wisconsin data-security law imparts obligation to issue consumer notification in case of security breach. Data Security Bulletin.
  8. 8.
    Corbin J, Strauss A (2007) Basics of qualitative research: techniques and procedures for developing grounded theory, Sage Publications, California, USAGoogle Scholar
  9. 9.
    Dekhtyar A, Dekhtyar O, Holden J, Hayes JH, Cuddeback D, Kong W-K (2011) On human performance in assisted requirements tracing: statistical analysis. In: 19th IEEE International Req’ts Engineering Conference, pp 111–120Google Scholar
  10. 10.
    Falessi D, Cantone G, Canfora G (2010) Comprehensive characterization of NLP techniques for identifying equivalent requirements. In: ACM-IEEE International symposium empirical software engineering and measurement, vol 18, pp 1–10Google Scholar
  11. 11.
    Flick U (2009) An introduction to qualitative research, 4th edn. Sage Publications Ltd, California, USAGoogle Scholar
  12. 12.
    Gacitua R Sawyer P Gervasi V (2010) On the effectiveness of abstraction identification in requirements engineering. In: 18th IEEE International Conference Req’ts. Engineering, pp 5–14Google Scholar
  13. 13.
    Gervasi V Zhowghi D (2011) Mining requirements links.In: Req’ts Engneering: Fnd. Software Qual., LNCS, vol 6606, 96–201Google Scholar
  14. 14.
    Ghanavati S, Amyot D Peyton L (2009) Compliance analysis based on a goal-oriented requirement language evaluation methodology. In: IEEE 17th international requirements engineering conference pp 133–142Google Scholar
  15. 15.
    Gordon DG, Breaux TD Managing Multi-jurisdictional requirements in the cloud: toward a computational legal landscape. In: 3rd ACM cloud computing security workshop (CCSW’11) pp 83–94Google Scholar
  16. 16.
    Gordon DG, Breaux TD (2012) Reconciling multi-jurisdictional requirements: a case study in requirements water marking. In: 20th IEEE international requirements engineering conferenceGoogle Scholar
  17. 17.
    Greenspan S (1993) Panel on recording requirements assumptions and rationale. In: IEEE international symposium req’ts engineering, pp 282–285Google Scholar
  18. 18.
    Cleland-Huang J, Czauderna A, Gibiec M, Emenecker J (2010) A machine-learning approach for tracing regulatory codes to product specific requirements. In: IEEE international software engineering conference, pp 155–164Google Scholar
  19. 19.
    Kroes N (2011) The clear role of public authorities in cloud computing. Digital Agenda Comissioner—Neelie KroesGoogle Scholar
  20. 20.
    Maxwell JC, Anton AI, Swire P (2011) A legal cross-references taxonomy for identifying conflicting software requirements. In: 19th IEEE international req’ts engineering conference pp 197–206Google Scholar
  21. 21.
    National Conference of State Legislatures (2012) State security breach notification laws. Available
  22. 22.
    Otto PN, Anton AI (2007) Addressing legal requirements in requirements engineering. In: 15th IEEE International req’ts engineering conference pp 5–14Google Scholar
  23. 23.
    Schlag PJ (1985) Rules and standards. 33 UCLA L. Rev., p 379Google Scholar
  24. 24.
    Randolph J (2005) Free-marginal multirater kappa (multirater K[free]): an alternative to fleiss’ fixed-marginal multirater kappa. Joensuu learning and instruction symposiumGoogle Scholar
  25. 25.
    Rifaut A, Ghanavati S (2012) Measurement-oriented comparison of multiple regulations with GRL. In: IEEE 5th workshop on requirements engineering and law pp 7–16Google Scholar
  26. 26.
    Sabetzadeh M, Nejati S, Liaskos S, Easterbrook S, Chechik M (2007) Consistency checking of conceptual models via model merging. In:15th IEEE international req’ts. engineering conference pp 221–230Google Scholar
  27. 27.
    Siegel S, Castellan N (1988) Nonparametric statistics for the social sciences. 2nd edn, McGraw-Hill, New York, USAGoogle Scholar
  28. 28.
    Siena A, Mylopoulos J, Perinir A, Susi A (2008) From laws to requirements. In: 1st international work. req’ts engineering and law, pp 6–10Google Scholar
  29. 29.
    Taber CW, Thomas CL (2009) Taber’s cyclopedic medical dictionary. 21st edn, F.A. Davis Publications, Philadelphia, USAGoogle Scholar
  30. 30.
    United States Office of the Actuary (2009) State health expenditure accounts: state of provider 1980–2009. Available:
  31. 31.
    Urquhart J (2011) Regulation, automation, and cloud computing. CNET. Available:
  32. 32.
    Warrens M (2010) Inequalities between multi-rater kappas. Advances in data analysis and classification, pp 271–286Google Scholar
  33. 33.
    Weitzner D (2011) Privacy law scholars conference keynote address, deputy chief technology officer in the white house office of science and technology policyGoogle Scholar
  34. 34.
    Yin RK (2009) Case study research: design and methods. 4th edn, Sage Publications, California, USAGoogle Scholar
  35. 35.
    Yu E (1993) Modeling organizations for information systems requirements engineering. In: international symposium req’ts engineering pp 34–41Google Scholar
  36. 36.
    Zou X, Settimi R, Cleland-Huang J (2010) Improving automated requirements trace retrieval: a study of term-based enhancement methods. Empir Soft Engr 15:119–146CrossRefGoogle Scholar

Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  1. 1.Engineering and Public PolicyCarnegie Mellon UniversityPittsburghUSA
  2. 2.Institute for Software ResearchCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations