Assessing the accuracy of legal implementation readiness decisions

Abstract-Software engineers regularly build systems that are required to comply with laws and regulations. To this end, software engineers must determine which requirements have met or exceeded their legal obligations and which requirements have not. Requirements that have met or exceeded their legal obligations are legally implementation ready, whereas requirements that have not met or exceeded their legal obligations need further refinement. Research is needed to better understand how to support software engineers in making these determinations. In this paper, we describe a case study in which we asked graduate-level software engineering students to assess whether a set of software requirements for an electronic health record system met or exceeded their corresponding legal obligations as expressed in regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA). We compare the assessment made by graduate students with an assessment made by HIPAA compliance subject matter experts. Additionally, we contrast these results with those generated by a legal requirements triage algorithm. Our findings suggest that the average graduatelevel software engineering student is ill-prepared to write legally compliant software with any confidence and that domain experts are an absolute necessity. Our findings also indicate the potential utility of legal requirements metrics in aiding software engineers as they make legal compliance decisions

Defining the Internet of Devices: Privacy and Security Implications

Presented at the 2014 Privacy Law Scholars Conference, hosted by the George Washington University Law School in Washington, DC, June 2014.What observers have called the Internet of Things (IoT) presents privacy and security challenges for contemporary society. The conceptual model of the IoT evolved rapidly from technologies used to track parts in industrial supply chain management to a diverse set of smart technologies. This rapid evolution has merged several conceptually distinct technologies into a single, difficult-to-define concept. A key difficulty is defining what constitutes a “thing.” The term has been used to refer both to the things sensed, such as a star or the contents of a refrigerator, and to the things that do the sensing (devices). We argue that the Internet of Things is better conceptualized as an Internet of Devices (IoD) because devices, not things, act in a digital form and connect to the Internet. Along with the other requirements of an effective IoD, technologists and policy makers must develop standards, network protocols, identity management solutions, and governance for the IoD to address privacy and security challenges a priori rather than retrofitted after the fact. Privacy and security cannot easily be added to a system that is already deployed and established. In this paper, we define the IoT and the IoD and summarize the independent technologies from which they have evolved. We provide a five-stage general policy framework for evaluating privacy and security concerns in the IoD. Our framework seeks to provide a consistent approach to evaluating privacy and security concerns across all IoD technologies while remaining flexible enough to adapt to new technical developments

Global guidance on environmental life cycle impact assessment indicators: impacts of climate change, fine particulate matter formation, water consumption and land use

Purpose Guidance is needed on best-suited indicators to quantify and monitor the man-made impacts on human health, biodiversity and resources. Therefore, the UNEP-SETAC Life Cycle Initiative initiated a global consensus process to agree on an updated overall life cycle impact assessment (LCIA) framework and to recommend a non-comprehensive list of environmental indicators and LCIA characterization factors for (1) climate change, (2) fine particulate matter impacts on human health, (3) water consumption impacts (both scarcity and human health) and 4) land use impacts on biodiversity. Methods The consensus building process involved more than 100 world-leading scientists in task forces via multiple workshops. Results were consolidated during a 1-week Pellston Workshop™ in January 2016 leading to the following recommendations. Results and discussion LCIA framework: The updated LCIA framework now distinguishes between intrinsic, instrumental and cultural values, with disability-adjusted life years (DALY) to characterize damages on human health and with measures of vulnerability included to assess biodiversity loss. Climate change impacts: Two complementary climate change impact categories are recommended: (a) The global warming potential 100 years (GWP 100) represents shorter term impacts associated with rate of change and adaptation capacity, and (b) the global temperature change potential 100 years (GTP 100) characterizes the century-scale long term impacts, both including climate-carbon cycle feedbacks for all climate forcers. Fine particulate matter (PM2.5) health impacts: Recommended characterization factors (CFs) for primary and secondary (interim) PM2.5 are established, distinguishing between indoor, urban and rural archetypes. Water consumption impacts: CFs are recommended, preferably on monthly and watershed levels, for two categories: (a) The water scarcity indicator “AWARE” characterizes the potential to deprive human and ecosystems users and quantifies the relative Available WAter REmaining per area once the demand of humans and aquatic ecosystems has been met, and (b) the impact of water consumption on human health assesses the DALYs from malnutrition caused by lack of water for irrigated food production. Land use impacts: CFs representing global potential species loss from land use are proposed as interim recommendation suitable to assess biodiversity loss due to land use and land use change in LCA hotspot analyses. Conclusions The recommended environmental indicators may be used to support the UN Sustainable Development Goals in order to quantify and monitor progress towards sustainable production and consumption. These indicators will be periodically updated, establishing a process for their stewardship

Mining rule semantics to understand legislative compliance

Privacy legislation in the United States is distributed throughout separate documents that empower different federal authorities to regulate industry. Federal authorities in turn develop corresponding regulations intended to ensure that organizations satisfy legislative objectives. Organizations in regulated industries (e.g. healthcare and financial institutions) face significant challenges when developing policies and systems that are properly aligned with relevant privacy regulations. We analyze privacy regulations derived from the Health Insurance Portability and Accountability Act (HIPAA) that affect information sharing practices and consumer privacy in healthcare systems. Our analysis shows specific natural language semantics that formally characterize rights, obligations, and the meaningful relationships between them required to build value into systems. Furthermore, we evaluate semantics for rules and constraints necessary to develop machine-enforceable policies that bridge between laws, policies, practices, and system requirements. We believe the results of our analysis will benefit legislators, regulators and policy and system developers by focusing their attention on natural language policy semantics that are implementable in software systems. 1