© 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Abstract or Description
Increasingly, information systems are becoming distributed and pervasive, enabling organizations to deliver services remotely to individuals and to share and store personal information worldwide. However, system developers face significant challenges in identifying and managing the many laws that govern their services and products. To address this challenge, we investigate a method to codify, analyze, and trace relationships among requirements from different regulations that share a common theme of data breach notification. To measure gaps and overlaps between regulations, we applied previously validated requirements metrics. Our findings include a formalization of the legal landscape using operational constructs for high- and low-watermark practices, which business analysts and system developers can use to reason about compliance trade-offs based on perceived business costs and risks. We discovered and validated these constructs using five U.S. state data breach notification laws that govern transactions of financial and health information of state residents.
Proceedings of the International Workshop on Requirements Engineering and Law (RELAW), 2011, 43-49.