
A legal cross-references taxonomy for reasoning about compliance requirements

Abstract

Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from non-compliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, and other challenges to regulatory compliance. Requirements engineers need guidance on how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule to determine whether a cross-reference introduces a conflicting requirement, introduces a conflicting definition, or refines an existing requirement. Based on this analysis, we propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.


Figures 1–4: images not included in this preview.



Acknowledgments

This work was partially supported by the Army Research Office managed by the NCSU Secure Open Systems Initiative, NSF ITR grant #0325269, and NSF Science of Design Grant # 0725144. We thank the members of ThePrivacyPlace reading group for their comments.

Corresponding author

Correspondence to Jeremy C. Maxwell.

Cite this article

Maxwell, J.C., Antón, A.I., Swire, P. et al. A legal cross-references taxonomy for reasoning about compliance requirements. Requirements Eng 17, 99–115 (2012). https://doi.org/10.1007/s00766-012-0152-5


Keywords

  • Requirements engineering
  • Conflicting requirements
  • Regulatory compliance
  • Software compliance engineering
  • Financial systems
  • Healthcare IT