Logical Specification of the GLBA and HIPAA Privacy Laws (CMU-CyLab-10-007)

Despite the wide array of frameworks proposed for the formal specification and analysis of privacy laws, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks. We attempt to bridge this gap by presenting what we believe to be the most complete logical formalizations of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) to date. Specifically, we formalize §§6802 and 6803 of GLBA and §§164.502, 164.506, 164.508, 164.510, 164.512, 164.514, and 164.524 of HIPAA. The remaining sections of both laws are not stated in terms of operational requirements, and therefore cannot be formalized in our model. Along the way, we also give a novel extension of an existing privacy logic with real-time features and fixed point operators; these provide the expressive power necessary to capture legal clauses found in GLBA and HIPAA involving bounded-time obligations and reuse of information. This work was partially supported by the U.S. Army Research Office contract on Perpetually Available and Secure Information Systems (DAAD19-02-1-0389) to Carnegie Mellon CyLab, the NSF Science and Technology Center TRUST, the NSF CyberTrust grant “Privacy, Compliance and Information Risk in Complex Organizational Processes” and the AFOSR MURI “Collaborative Policies and Assured Information Sharing”. The first author was also supported under an NSF Graduate Research Fellowship. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the U.S. Army Research Office, National Science Foundation, or the Air Force Office of Scientific Research.