Institute for Software Research
School of Computer Science, Carnegie Mellon University


Managing Multi-Jurisdiational Requirements
in a Computational Legal Landscape

Travis D. Breaux, David G. Gordon*

March 2011


Keywords: Requirements specification, traceability, formal languages, legal requirements, standardization

Increasingly, information systems are becoming distributed and pervasive, enabling organizations to deliver services remotely to individuals and to share and store personal information, worldwide. However, system developers face significant challenges in identifying and managing the many laws that govern their services and products in this new multi-jurisdictional environment. To address this challenge, we apply the concept of a computational requirements document to multiple U.S. state regulations that share a common theme, data breach notification. The document is expressible using a formal requirements specification language (RSL), which allows document authors to codify, design, debug, analyze, trace, and visualize relationships among requirements from different policies and regulations. To measure gaps and overlaps between regulations, we applied previously validated requirements metrics. Our findings include a formalization of the legal landscape using operational constructs for high- and low-watermark practices, which correspond to high- and low standards of care, respectively. Business analysts and system developers can use these watermarks to reason about compliance trade-offs based on perceived businesses costs and risks. We discovered and validated these constructs using five U.S. state data breach notification laws that govern transactions of financial and health information of residents of these five states.

18 pages

*Department of Engineering and Public Policy, Carnegie Mellon University

Return to: SCS Technical Report Collection
School of Computer Science

This page maintained by