A cross-domain empirical study and legal evaluation of the requirements water marking method

  • RE 2012

Abstract

Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. A company becomes subject to new regulations from one or more governing bodies when it introduces new or existing products into a jurisdiction, when regulations change, or when data are transferred across political borders. To address this problem, we developed a framework called “requirements water marking” that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) into a single high or low standard of care. We evaluate the framework in two empirical case studies covering a subset of U.S. data breach notification laws and medical record retention laws. In these studies, applying our framework reduced the number of requirements a company must comply with by 76% across 8 jurisdictions and 15% across 4 jurisdictions, respectively. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts that contextualize our empirical results in legal practice.
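The following Python sketch is an added illustration of the high/low water mark idea in the abstract, not the authors' framework or tooling: aligned requirements from several jurisdictions collapse to one most-stringent (high) or least-stringent (low) bound per topic, and requirements that cannot be compared numerically are flagged as conflicts for legal review rather than silently resolved. The topic names, values, the three jurisdictions and the `stricter` field are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Requirement:
    jurisdiction: str
    topic: str             # aligned concept shared across jurisdictions (assumed name)
    value: Optional[int]   # numeric bound; None when the law gives no number
    stricter: str          # "lower" if a smaller value is more stringent, else "higher"

# Constructed sample for three hypothetical jurisdictions (not real statutes).
SAMPLE = [
    Requirement("J1", "breach_notice_deadline_days", 45, "lower"),
    Requirement("J2", "breach_notice_deadline_days", 30, "lower"),
    Requirement("J3", "breach_notice_deadline_days", None, "lower"),  # "without unreasonable delay"
    Requirement("J1", "record_retention_years", 7, "higher"),
    Requirement("J2", "record_retention_years", 10, "higher"),
    Requirement("J3", "record_retention_years", 6, "higher"),
]

def water_mark(reqs, mark="high"):
    """Reconcile aligned requirements to one bound per topic.
    mark="high" keeps the most stringent bound (one standard that satisfies every
    jurisdiction); mark="low" keeps the least stringent. Returns (reconciled, conflicts),
    where conflicts lists topics in which some jurisdiction has no comparable bound."""
    if mark not in ("high", "low"):
        raise ValueError("mark must be 'high' or 'low'")
    by_topic = {}
    for r in reqs:
        by_topic.setdefault(r.topic, []).append(r)
    reconciled, conflicts = {}, []
    for topic, group in by_topic.items():
        numeric = [r for r in group if r.value is not None]
        if len(numeric) != len(group):
            conflicts.append(topic)  # needs human legal review, not automatic choice
        if not numeric:
            continue  # nothing comparable at all; left entirely to review
        lower_is_stricter = group[0].stricter == "lower"
        take_min = lower_is_stricter if mark == "high" else not lower_is_stricter
        pick = min if take_min else max
        reconciled[topic] = pick(numeric, key=lambda r: r.value)
    return reconciled, conflicts

def reduction(reqs, mark="high"):
    """Fraction of the original requirement count removed by reconciliation."""
    reconciled, _ = water_mark(reqs, mark)
    return 1.0 - len(reconciled) / len(reqs)
```

On the constructed sample, the high water mark keeps the 30-day deadline and the 10-year retention period, the low water mark keeps 45 days and 6 years, and the unquantified deadline is reported as a conflict either way.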




Acknowledgments

We thank the CMU Requirements Engineering Lab for participating in reviews of our research protocol and early drafts of this manuscript, and we thank the International Association of Privacy Professionals (IAPP) for allowing us to recruit survey participants through their Global Privacy Summit. This research was supported by the U.S. Department of Homeland Security (Grant Award #2006-CS-001-000001) and the Hewlett-Packard Labs Innovation Research Program (Award #CW267287).

Correspondence to David G. Gordon.

Appendix

The context-free grammar for an early version of the LRSL is expressed here in the Extended Backus–Naur Form (EBNF) described in ISO/IEC 14977 (1996E). The term “string” consists of any combination of letters and digits, the term “regex” is a regular expression, and the term “ref” is a string.

Cite this article

Gordon, D.G., Breaux, T.D. A cross-domain empirical study and legal evaluation of the requirements water marking method. Requirements Eng 18, 147–173 (2013). https://doi.org/10.1007/s00766-013-0167-6
