Reconciling multi-jurisdictional legal requirements: A case study in requirements water marking

Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. Companies become subject to new regulations from one or more governing bodies when they introduce new or existing products into a jurisdiction, when regulations change, or when data is transferred across political borders. To address this problem, we developed a framework called “requirements water marking” that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) to produce a single high or low standard of care. We evaluate the framework in an empirical case study conducted over a subset of U.S. data breach notification laws that require companies to secure their data and notify consumers in the event of data loss or theft. In this study, applying our framework reduced the number of requirements a company must comply with by 76% across 8 jurisdictions. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts, to contextualize our empirical results in legal practice.
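The abstract describes reconciling per-jurisdiction requirements into one high (strictest) or low (least strict) standard of care and reporting how much that shrinks the requirement set. The Python below is an added illustration of that idea, not the paper's framework, tooling or data: the jurisdictions, the requirement topics and their values are constructed, and the reconciliation rules (high-water mark = tightest bound per topic with conflicts flagged where a floor exceeds a ceiling; low-water mark = only what every jurisdiction imposes, at its loosest value) are this example's own interpretation of "high or low standard of care".

```python
"""Toy 'water marking' reconciliation of breach-notification requirements.

Added example, not the paper's method or data. Jurisdiction names,
topics and numeric values are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Req:
    topic: str              # what the rule constrains, e.g. "deadline_days"
    kind: str               # "max"/"min" (numeric bound) or "must"/"must_not" (obligation)
    value: Optional[int] = None


# Constructed requirement sets (placeholder jurisdictions, made-up values).
JURISDICTIONS = {
    "Jurisdiction A": [Req("notify_consumers", "must"), Req("deadline_days", "max", 45),
                       Req("notify_regulator", "must"), Req("log_retention_days", "min", 365)],
    "Jurisdiction B": [Req("notify_consumers", "must"), Req("deadline_days", "max", 30),
                       Req("notify_credit_agencies", "must"), Req("log_retention_days", "max", 180)],
    "Jurisdiction C": [Req("notify_consumers", "must"), Req("deadline_days", "max", 60),
                       Req("notify_regulator", "must"), Req("offer_credit_monitoring", "must")],
}


def _group(jurisdictions):
    """Index every requirement by topic, remembering which jurisdiction imposed it."""
    by_topic = defaultdict(list)
    for name, reqs in jurisdictions.items():
        for r in reqs:
            by_topic[r.topic].append((name, r))
    return by_topic


def high_water_mark(jurisdictions):
    """Strictest standard: one rule set that satisfies every jurisdiction at once.

    Returns (reconciled requirements, list of topics that cannot be reconciled).
    """
    reconciled, conflicts = [], []
    for topic, entries in _group(jurisdictions).items():
        kinds = {r.kind for _, r in entries}
        mins = [r.value for _, r in entries if r.kind == "min"]
        maxes = [r.value for _, r in entries if r.kind == "max"]
        lo = max(mins) if mins else None      # highest floor wins
        hi = min(maxes) if maxes else None    # lowest ceiling wins
        # A conflict is a topic no single policy can satisfy: an obligation that
        # one jurisdiction mandates and another forbids, or a floor above a ceiling.
        if ("must" in kinds and "must_not" in kinds) or (lo is not None and hi is not None and lo > hi):
            conflicts.append(topic)
            continue
        if "must" in kinds:
            reconciled.append(Req(topic, "must"))
        if "must_not" in kinds:
            reconciled.append(Req(topic, "must_not"))
        if lo is not None:
            reconciled.append(Req(topic, "min", lo))
        if hi is not None:
            reconciled.append(Req(topic, "max", hi))
    return reconciled, conflicts


def low_water_mark(jurisdictions):
    """Least strict standard: only topics every jurisdiction regulates, at the loosest value."""
    n = len(jurisdictions)
    reconciled = []
    for topic, entries in _group(jurisdictions).items():
        if len({name for name, _ in entries}) < n:
            continue  # not every jurisdiction regulates this topic
        kinds = {r.kind for _, r in entries}
        if len(kinds) != 1:
            continue  # mixed rule kinds: no common floor to report
        kind = kinds.pop()
        values = [r.value for _, r in entries]
        if kind == "max":
            reconciled.append(Req(topic, "max", max(values)))   # loosest ceiling
        elif kind == "min":
            reconciled.append(Req(topic, "min", min(values)))   # loosest floor
        else:
            reconciled.append(Req(topic, kind))
    return reconciled


def reduction_percent(jurisdictions, reconciled):
    """How much smaller the reconciled set is than the sum of the per-jurisdiction sets."""
    total = sum(len(reqs) for reqs in jurisdictions.values())
    return round(100 * (1 - len(reconciled) / total), 1)


if __name__ == "__main__":
    high, conflicts = high_water_mark(JURISDICTIONS)
    print("high-water mark:", high)
    print("conflicts needing analyst decision:", conflicts)
    print("reduction (high):", reduction_percent(JURISDICTIONS, high), "%")
    low = low_water_mark(JURISDICTIONS)
    print("low-water mark:", low)
    print("reduction (low):", reduction_percent(JURISDICTIONS, low), "%")
```

The conflict list is the interesting output for a practitioner: in the constructed data, one jurisdiction's log-retention floor (at least 365 days) cannot coexist with another's ceiling (at most 180 days), so no single policy satisfies both and an analyst has to decide per jurisdiction, which is the kind of regulatory conflict the abstract says the framework surfaces.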
