The regulatory world and the machine: Harmonizing legal requirements and the systems they affect

The past decade has seen a substantial increase in the issuance of privacy and security regulations governing personal information. Ensuring system and organizational compliance is both more important and more difficult than ever before, as penalties have become more severe and regulations more complex and nuanced. This also presents substantial difficulties for multi-national companies, because different states, countries, and regions do not adhere to a uniform standard, leaving the systems they govern subject to a mixed set of regulations. In this work, I describe a framework to address this issue, referred to as requirements water marking, wherein requirements from different jurisdictions that govern the same system can be evaluated and reduced to a single standard of care, establishing a “high water mark” for regulatory compliance and reducing requirements complexity. The framework, which draws on work in requirements specification languages and requirements comparison, allows engineers and legal experts to systematically simplify compliance and determine both high and low standards of care, while maintaining traceability back to the original legal text. In addition, I investigate the proposed value of legal requirements models, demonstrating the relationship between the value these models offer to organizational decision-making and the validity of the model.
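To make the “high water mark” idea concrete, the following Python script is an added illustration and is not the dissertation's framework or code. It assumes (as a simplification) that requirements have already been extracted from legal text into single-valued obligations on a named topic, that each topic has a known strictness ordering, and that every requirement carries a citation so the result stays traceable to its source. Jurisdiction names, citations and values below are constructed placeholders, not real statutes.

```python
"""Illustrative high/low water mark computation over multi-jurisdictional
requirements. Added example, not the dissertation's method: it assumes the
requirements have already been extracted into comparable, single-valued
obligations (the hard part that the real framework addresses)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    jurisdiction: str   # constructed jurisdiction label
    citation: str       # constructed pointer back to the legal text
    topic: str          # the obligation being compared across jurisdictions
    value: Any          # the obligation's single comparable value


# Per-topic ordering: stricter(a, b) is True when value a is at least as
# demanding as value b. Topics without an entry cannot be ranked automatically
# and are flagged for legal review rather than silently merged.
STRICTER: Dict[str, Callable[[Any, Any], bool]] = {
    "breach_notice_days": lambda a, b: a <= b,   # shorter deadline is stricter
    "encryption_at_rest": lambda a, b: a >= b,   # required (True) beats optional
    "min_password_length": lambda a, b: a >= b,  # longer minimum is stricter
}


def water_marks(reqs: List[Requirement]):
    """Return ({topic: (high, low)}, [unranked requirements]).

    high is the strictest requirement for a topic (the single compliance
    target), low is the most lenient; both keep their citation so the
    reduced standard remains traceable to the original legal text.
    """
    by_topic: Dict[str, List[Requirement]] = {}
    for r in reqs:
        by_topic.setdefault(r.topic, []).append(r)
    marks: Dict[str, Tuple[Requirement, Requirement]] = {}
    unranked: List[Requirement] = []
    for topic, rs in by_topic.items():
        stricter = STRICTER.get(topic)
        if stricter is None:
            unranked.extend(rs)   # no ordering known: needs human judgement
            continue
        high = low = rs[0]
        for r in rs[1:]:
            if stricter(r.value, high.value):
                high = r
            if stricter(low.value, r.value):
                low = r
        marks[topic] = (high, low)
    return marks, unranked


# Constructed sample requirements (not real statutes or section numbers).
SAMPLE = [
    Requirement("Region-A", "A-Stat s.1(a)", "breach_notice_days", 45),
    Requirement("Region-B", "B-Reg Art. 3", "breach_notice_days", 3),
    Requirement("Region-C", "C-Code 12.4", "breach_notice_days", 60),
    Requirement("Region-A", "A-Stat s.2", "encryption_at_rest", True),
    Requirement("Region-C", "C-Code 9.1", "encryption_at_rest", False),
    Requirement("Region-B", "B-Reg Art. 7", "min_password_length", 12),
    Requirement("Region-A", "A-Stat s.4", "retention_policy", "see text"),
]


def report(reqs: List[Requirement] = SAMPLE) -> List[str]:
    """One line per topic: the target to comply with, the most lenient
    alternative, and any topic that could not be ranked automatically."""
    marks, unranked = water_marks(reqs)
    lines = []
    for topic, (high, low) in marks.items():
        lines.append(
            f"{topic}: comply with {high.value!r} "
            f"[{high.jurisdiction}, {high.citation}]; most lenient "
            f"{low.value!r} [{low.jurisdiction}, {low.citation}]"
        )
    for r in unranked:
        lines.append(f"{r.topic}: needs legal review [{r.jurisdiction}, {r.citation}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The point of the unranked bucket is that a reduced standard is only as valid as the comparison behind it: where no defensible ordering exists (free-text obligations, conflicting definitions), the script reports the requirement with its citation instead of picking a winner, which is where the engineer and legal expert review described above comes in.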
