Requirements Engineering

, Volume 17, Issue 2, pp 99–115 | Cite as

A legal cross-references taxonomy for reasoning about compliance requirements

  • Jeremy C. Maxwell
  • Annie I. Antón
  • Peter Swire
  • Maria Riaz
  • Christopher M. McCraw
RE'11 Best Papers


Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from non-compliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, as well as other challenges to regulatory compliance. Requirements engineers need guidance as to how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule to determine whether a cross-reference either introduces a conflicting requirement, a conflicting definition, or refines an existing requirement. Herein, we propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.


Requirements engineering Conflicting requirements Regulatory compliance Software compliance engineering Financial systems Healthcare IT 



This work was partially supported by the Army Research Office managed by the NCSU Secure Open Systems Initiative, NSF ITR grant #0325269, and NSF Science of Design Grant # 0725144. We thank the members of ThePrivacyPlace reading group for their comments.


  1. 1.
    Antón AI, Earp JB (2004) A requirements taxonomy for reducing web site privacy vulnerabilities. Requir Eng J 9(3):169–185CrossRefGoogle Scholar
  2. 2.
    Antón AI, Earp JB, Carter RA (2003) Precluding incongruous behavior by aligning software requirements with security and privacy policies. Inf Softw Technol 45(14):967–977CrossRefGoogle Scholar
  3. 3.
    Bench-Capon TJM, Robinson GO, Routen TW, Sergot MJ (1987) Logic programming for large scale applications in law: a formalisation of supplementary benefit legislation. In: 1st international conference on AI and Law, 1987, pp 190–198Google Scholar
  4. 4.
    Berenbach B, Gruseman D, Cleland-Huang J (2010) Application of just in time tracing to regulatory codes. In: 8th conference on systems engineering researchGoogle Scholar
  5. 5.
    Boehm B, In H (1996) Identifying quality-requirements conflicts. IEEE Softw 13(2):25–35CrossRefGoogle Scholar
  6. 6.
    Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems, PhD Thesis, NCSUGoogle Scholar
  7. 7.
    Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20CrossRefGoogle Scholar
  8. 8.
    Breaux TD, Vail MW, Antón AI (2006) Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: 14th IEEE international requirements engineering conference 2006, pp 46–55Google Scholar
  9. 9.
    Cholvy (1999) Checking regulation consistency by using SOL-resolution. In: 7th international conference on AI & Law, pp 73–79Google Scholar
  10. 10.
    Cleland-Huang J, Czauderna A, Gibiec M, Emenecker J (2010) A machine learning approach for tracing regulatory codes to product specific requirements. In: 32nd IEEE international conference on software engineeringGoogle Scholar
  11. 11.
    Cohen ML, Olson KC (2000) Legal research, WestGoogle Scholar
  12. 12.
    Damian DE, Zowghi D (2003) Requirements engineering challenges in multi-site software development organizations. Requir Eng J 8:149–160CrossRefGoogle Scholar
  13. 13.
    Easterbrook S, Nuseibeh B (1995) Managing inconsistencies in an evolving specification. In: Proceedings of the 2nd IEEE international symposium on requirements engineering, pp 48–55Google Scholar
  14. 14.
    Emmerich W, Finkelstein A, Montangero C, Antonelli S, Armitage S, Stevens R (1999) Managing standards compliance. Trans Softw Eng 25(6):836–851CrossRefGoogle Scholar
  15. 15.
    van Engers TM, Boekenoogen MR (2003) Improving legal quality: an application report. In: 9th international conference on AI and Law, pp 284–292Google Scholar
  16. 16.
    2010 Global Information Survey, Ernst & Young, 2010Google Scholar
  17. 17.
    Ghanavati S, Amyot D, Peyton L (2009) Compliance analysis based on a goal-oriented requirement language evaluation methodology. In: Proceedings of the 17th IEEE international conference on requirements engineering, pp 133–142Google Scholar
  18. 18.
    Glaser BG (1978) Theoretical sensitivity. Sociology Press, Mill Valley, CAGoogle Scholar
  19. 19.
    Glaser BG, Strauss AL (1967) The discovery of grounded theory. Aldine Transaction, ChicagoGoogle Scholar
  20. 20.
    Hamdaqa M, Hamou-Lhadj A (2009) Citation analysis: an approach for facilitating the understanding and the analysis of regulatory compliance documents. In: 6th international conference on information technology: new generations, pp 278–283Google Scholar
  21. 21.
    Hart HM Jr, Wechsler H, Fallon RH Jr, Manning JF, Meltzer DJ, Shapiro DL (2009) The federal courts and the federal system, 6th edn. Foundation Press, MinneapolisGoogle Scholar
  22. 22.
    Hohfeld WN (1913) Some fundamental legal conceptions as applied in judicial reasoning. Yale Law J 23(1):16–59CrossRefGoogle Scholar
  23. 23.
    Karlsson L, Dahlstedt AG, Regnell B, Natt och Dag J, Persson A (2007) Requirements engineering challenges in market-driven software development-an interview study with practioners. Inf Softw Technol 49:588–604Google Scholar
  24. 24.
    Krebs B (2009) Choice point breach, exposed 13,750 consumer records. The Washington Post. Accessed 19 Oct 2009
  25. 25.
    van Lamsweerde A, Darimont R, Letier E (1998) Managing conflicts in goal-driven requirements engineering. IEEE Trans Softw Eng 24(11):908–926CrossRefGoogle Scholar
  26. 26.
    Massey AK, Otto PN, Antón AI (2009) Prioritizing legal requirements. In: 2nd international workshop on RE and LawGoogle Scholar
  27. 27.
    Maxwell JC, Antón AI (2009) Developing production rule models to aid in acquiring requirements from legal texts. In: 17th international IEEE requirements engineering conference, pp 101–110Google Scholar
  28. 28.
    Maxwell JC, Antón AI (2010) A refined production rule model for aiding in regulatory compliance. NCSU technical report TR-2010-3,
  29. 29.
    Maxwell JC, Antón AI (2010) The production rule framework: developing a canonical set of software requirements for compliance with law. In: 1st ACM international health informatics symposiumGoogle Scholar
  30. 30.
    Maxwell JC, Anton AI, Swire P (2011) A legal cross-references taxonomy for identifying conflicting software requirements. In: 19th IEEE international requirements engineering conferenceGoogle Scholar
  31. 31.
    May MJ, Gunter CA, Lee I (2006) Privacy APIs: access control techniques to analyze and verify legal privacy policies. In: 19th IEEE computer section foundations workshop, pp 85–97Google Scholar
  32. 32.
    Otto PN, Antón AI (2007) Addressing legal requirements in requirements engineering. In: 15th IEEE international requirements engineering conference, pp 5–14Google Scholar
  33. 33.
    Otto PN, Antón AI, Baumer DL (2007) The choice point dilemma: how data brokers should handle the privacy of personal information. IEEE Secur Priv 5(5):15–23CrossRefGoogle Scholar
  34. 34.
    Robinson WN, Fickas S (1994) Supporting multi-perspective requirements engineering. In: 1st IEEE international requirements engineering conference, pp 206–215Google Scholar
  35. 35.
    Siena A, Mylopoulos J, Perini A, Susi A (2009) Designing law-compliant software requirements. In: 28th international conference on conceptual modelingGoogle Scholar
  36. 36.
    Thurimella AK, Bruegge B (2007) Evolution in product line requirements engineering: a rationale management approach. In: 15th IEEE requirements engineering conference, pp 254–257Google Scholar
  37. 37.
    Vijayan J (2011) Stanford hospital blames contractor for data breach.
  38. 38.
    Vijayan J (2011) Defense Dept. Hit with $4.9B Lawsuit over data breach.
  39. 39.
    Watt v. Alaska, 451 U.S. 259, 285-86 (1981) (Stewart, J., dissenting) (quoting Theodore Sedgwick & John Norton Pomeroy. A treatise on the rules which govern the interpretation and construction of statutory and constitutional law 14 (2nd edn., Baker, Voorhis & Co. 1874)Google Scholar
  40. 40.
    Yin RK (2003) Case study research: design and methods. In: Applied social research methods series, vol 5, 3rd edGoogle Scholar
  41. 41.
    Young JD (2010) Commitment analysis to operationalize software requirements from privacy notices. Requir Eng J 16:33–46CrossRefGoogle Scholar
  42. 42.
    Zhang P, Koppaka L(2007) Semantics-based legal citation network. In: 11th international conference on AI and Law, pp 123–130Google Scholar

Copyright information

© Springer-Verlag London Limited 2012

Authors and Affiliations

  • Jeremy C. Maxwell
    • 1
    • 2
  • Annie I. Antón
    • 1
  • Peter Swire
    • 3
  • Maria Riaz
    • 1
  • Christopher M. McCraw
    • 1
  1. 1.Department of Computer ScienceNorth Carolina State UniversityRaleighUSA
  2. 2.Allscripts Healthcare SolutionsRaleighUSA
  3. 3.Moritz College of LawOhio State UniversityColumbusUSA

Personalised recommendations