Managing Multi-Jurisdicational Requirements in a Computational Legal Landscape

Increasingly, information systems are becoming distributed and pervasive, enabling organizations to deliver services remotely to individuals and to share and store personal information, worldwide. However, system developers face significant challenges in identifying and managing the many laws that govern their services and products in this new multi-jurisdictional environment. To address this challenge, we apply the concept of a computational requirements document to multiple U.S. state regulations that share a common theme, data breach notification. The document is expressible using a formal requirements specification language (RSL), which allows document authors to codify, design, debug, analyze, trace, and visualize relationships among requirements from different policies and regulations. To measure gaps and overlaps between regulations, we applied previously validated requirements metrics. Our findings include a formalization of the legal landscape using operational constructs for highand low-watermark practices, which correspond to highand low standards of care, respectively. Business analysts and system developers can use these watermarks to reason about compliance trade-offs based on perceived businesses costs and risks. We discovered and validated these constructs using five U.S. state data breach notification laws that govern transactions of financial and health information of residents of these five states. † Engineering and Public Policy This research was supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program.