David G. Gordon

Reconciling multi-jurisdictional legal requirements: A case study in requirements water marking

Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. Companies are subject to new regulations from one or more governing bodies, when companies introduce new or existing products into a jurisdiction, when regulations change, or when data is transferred across political borders. To address this problem, we developed a framework called “requirements water marking” that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) to produce a single high or low standard of care. We evaluate the framework in an empirical case study conducted over a subset of U.S. data breach notification laws that require companies to secure their data and notify consumers in the event of data loss or theft. In this study, applying our framework reduced the number of requirements a company must comply with by 76% across 8 jurisdictions. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts to contextualize our empirical results in legal practice.

Regulatory requirements traceability and analysis using semi-formal specifications

Information systems are increasingly distributed and pervasive, enabling organizations to deliver remote services and share personal information, worldwide. However, developers face significant challenges in managing the many laws that govern their systems in this multi-jurisdictional environment. In this paper, we report on a computational requirements document expressible using a legal requirements specification language (LRSL). The purpose is to make legal requirements open and available to policy makers, business analysts and software developers, alike. We show how requirements engineers can codify policy and law using the LRSL and design, debug, analyze, trace, and visualize relationships among regulatory requirements. The LRSL provides new constructs for expressing distributed constraints, making regulatory specification patterns visually salient, and enabling metrics to quantitatively measure different styles for writing legal and policy documents. We discovered and validated the LRSL using thirteen U.S. state data breach notification laws.

Assessing regulatory change through legal requirements coverage modeling

Developing global markets offer companies new opportunities to manufacture and sell information technology (IT) products in ways unforeseen by current laws and regulations. This innovation leads to changing requirements due to changes in product features, laws, or the locality where the product is sold or manufactured. To help developers rationalize these changes, we introduce a preliminary framework and method that can be used by requirements engineers and their legal teams to identify relevant legal requirements and trace changes in requirements coverage. The framework includes a method to translate IT regulations into a legal requirements coverage model used to make coverage assertions about existing or planned IT systems. We evaluated the framework in a case study using three IT laws: Californias Confidentiality of Medical Records Act, the U.S. Health Information Portability and Accountability Act (HIPAA) and amendments from the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the India 2011 Information Technology Rules. Further, we demonstrate the framework using three scenarios: new product features are proposed; product-related services are outsourced abroad; and regulations change to address changes in the market.

Managing multi-jurisdictional requirements in the cloud: towards a computational legal landscape

Although cloud services allow organizations to transfer the planning and setup to the service provider and thus reduce costs through reuse, these services raise new questions regarding the privacy and security of personal information stored in and transferred across systems in the cloud. Prior to cloud services, personal information was commonly stored within the owning or licensing companys locality where the company maintained its facilities. Cloud services, however, move data to remote, potentially unknown, locations maintained by third parties. The responsibility for data protection and integrity no longer remains exclusively with its owner or licensee, but with these third parties. Thus, both parties must identify and manage the many regulatory requirements that govern their services and products in this multi-jurisdictional environment. To simplify this problem, we are developing methods to extract and codify regulatory requirements from government laws. We apply previously validated metrics to measure gaps and overlaps between the codified regulations. Our findings include a semi-formalization of the legal landscape using operational constructs for high- and low-watermark practices, which correspond to high- and low standards of care, respectively. Business analysts and system developers can use these watermarks to reason about compliance trade-offs based on perceived businesses costs and risks. We discovered and validated these constructs using seven U.S. state data breach notification laws that govern transactions of financial and health information of residents of these seven states.

Comparing requirements from multiple jurisdictions

Increasingly, information systems are becoming distributed and pervasive, enabling organizations to deliver services remotely to individuals and to share and store personal information worldwide. However, system developers face significant challenges in identifying and managing the many laws that govern their services and products. To address this challenge, we investigate a method to codify, analyze, and trace relationships among requirements from different regulations that share a common theme of data breach notification. To measure gaps and overlaps between regulations, we applied previously validated requirements metrics. Our findings include a formalization of the legal landscape using operational constructs for high- and low-watermark practices, which business analysts and system developers can use to reason about compliance trade-offs based on perceived businesses costs and risks. We discovered and validated these constructs using five U.S. state data breach notification laws that govern transactions of financial and health information of state residents.

Toward benchmarks to assess advancement in legal requirements modeling

As software engineers create and evolve information systems to support business practices, these engineers need to address constraints imposed by laws, regulations and policies that govern those business practices. Requirements modeling can be used to extract important legal constraints from laws, and decide how, and evaluate if an information system design complies to applicable laws. To advance research on evaluating requirements modeling formalisms for the representation of legal information, we propose several benchmarks that we believe represent important challenges in modeling laws and requirements governing information systems, and evaluating the compliance of these requirements with laws. While incomplete, the proposed set of benchmarks covers a range of challenges in modeling laws and requirements that we observed in privacy and security law: from the possibility to trace model fragments to law fragments, to the ability to distinguish modalities in law, and to model relations between requirements and law fragments, needed when evaluating compliance. Benchmarks can be used as a checklist when designing and discussing requirements formalisms that support legal requirements modeling. Each benchmark is motivated by related work, a brief legal excerpt, and our experience in modeling regulations.

Mapping legal requirements to IT controls

Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as ISO 27000 standard. As controls are reusable, they tend to cover best practice independently from what specific government laws may require. However, because considerable effort has already been invested by IT companies in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding noncompliance or unnecessary redesign. We report the results of a case study to align legal requirements from the U.S. and India that govern healthcare systems with three popular control catalogues: the NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3. The contributions include a repeatable protocol for mapping controls, heuristics to explain the types of mappings that may arise, and guidance for addressing incomplete mappings.

The regulatory world and the machine: Harmonizing legal requirements and the systems they affect

The past decade has seen a substantial increase in the issuance of privacy and security regulations governing personal information. Ensuring system and organizational compliance is both more important and more difficult than ever before, as the penalties have become more severe, and regulations more complex and nuanced. This also presents substantial difficulties for multi-national companies, as different states, countries, or regions do not adhere to a uniform standard, resulting in a mixed set of regulations for the systems they govern. In this work, I describe a framework to address this issue, referred to as requirements water marking, wherein requirements from different jurisdictions that govern the same system may be evaluated and reduced to a single standard of care, establishing a “high water mark” for regulatory compliance and reducing requirements complexity. The framework, which draws on work in requirements specification languages and requirements comparison, allows engineers and legal experts to systematically simplify compliance and determine both high and low standards of care, while maintaining traceability back to the original legal text. In addition, I investigate the proposed value of legal requirements models, demonstrating the relationship between proposed value of these models to organizational decision-making and the validity of the model.

What Engineers Should Know about US Security and Privacy Law

As new technology challenges our assumptions about security and privacy, lawmakers respond by attempting to curb and avoid the most egregious risks to the public. In this article, the authors examine how emerging US security and privacy laws create new requirements that constrain software development affecting business owners and developers who want to design security and privacy into IT systems.