Legally "reasonable" security requirements: A 10-year FTC retrospective

Computers and Security

Volumn 30, Issue 4, 2011, Pages 178-193

  Breaux, Travis D ^a   Baumer, David L ^b  

^a Carnegie Mellon University   (United States)

^b NORTH CAROLINA STATE UNIVERSITY   (United States)

Author keywords

Case study; Legal compliance; Reasonability; Requirements; Security

Indexed keywords

CASE STUDY; LEGAL COMPLIANCE; REASONABILITY; REQUIREMENTS; SECURITY;

INFORMATION TECHNOLOGY; RESEARCH;

LAWS AND LEGISLATION;

EID: 79955475331     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2010.11.003     Document Type: Article

References (47)

1. A.I. Antón, and J.B. Earp A requirements taxonomy for reducing web site privacy vulnerabilities Requirements Engineering Journal 9 3 Spring 2004 169 185 (Pubitemid 39168556)
2. W.H. Baker, C.D. Hylender, and J.A. Valentine Data reach investigations report: a study conducted by the Verizon business RISK Team 2008
3. David L. Baumer, Julie B. Earp, and J.C. Poindexter Internet privacy law: a comparison between the United states and the European Union Computers and Security 23 5 2004 400 412
4. D.A. Bishop To serve and protect: do businesses have a legal duty to protect collections of personal information? Shidler Journal of Law, Commerce and Technology 3 2006 7
5. S. Borkin The HIPAA final security standards and ISO/IEC 17799 In collect. information security reading room July 2003 SANS Institute
6. P. Bowen, J. Hash, and M. Wilson Information security handbook: a guide for managers Oct. 2006 U.S. National Institute of Standards and Technology (NIST) Special Publication 800-100
7. Breaux TD, Antón AI. Analyzing goal semantics for rights, permissions and obligations. In: IEEE 14th international requirements engineering conference, Paris, France; Aug. 2005. p. 177-86.
8. Breaux TD, Antón AI. A systematic method for acquiring regulatory requirements: a frame-based approach. In: 6th International workshop on requirements for high assurance systems (RHAS-6), Delhi, India; Sep. 2007.
9. T.D. Breaux, and A.I. Antón Analyzing regulatory rules for privacy and security requirements IEEE Transactions on Software Engineering 34 1 January/February 2008 5 20 Special Issue on Software Engineering for Secure Systems
10. Breaux TD, Antón AI, Karat C-M, Karat J, Enforceability vs. accountability in electronic policies. In: IEEE 7th international workshop on policies for distributed systems and networks (POLICY'06), London, Ontario; Jun. 2006a. p. 227-30.
11. Breaux TD, Vail MW, Antón AI. Towards compliance: extracting rights and obligations to align requirements with regulations. In: IEEE 14th international requirements engineering conference (RE'06), Minneapolis, Minnesota; Sep. 2006b. p. 49-58
12. Breaux TD, Antón AI, Boucher K, Dorfman M. Legal requirements, compliance and practice: an industry case study in accessibility. In: IEEE 16th international requirements engineering conference (RE'08), Barcelona, Spain; Sep. 2008a. p. 43-52.
13. Breaux TD, Lewis JD, Otto PN, Antón AI. Identifying legal vulnerabilities and critical requirements using criminal court proceedings. In: 24th ACM/SIGAPP Symposium on Applied Computing (ACM SAC'09), Honolulu, Hawaii; Aug. 2008. pp. 355-359.
14. T.D. Breaux, A.I. Antón, and E.H. Spafford A distributed requirements management framework for compliance and accountability Computers and Security 28 1-2 2009 8 17
15. Cheng Betty HC, Konrad Sasha, Campbell Laura A, Wasserman Ronald. Using security patterns to model and analyze security requirements. In: Proc. 2nd international workshop on requirements engineering for high assurance systems (RHAS-2), Kyoto, Japan; Sep. 2003. p. 13-22.
16. C.A. Ciocchetti E-commerce and information privacy: privacy policies as personal information protectors American Business Law Journal 44 Spring, 2007 55
17. J.W. Creswell Research design: qualitative, quantitative and mixed methods approaches 2nd ed. 2003 Sage Publications
18. ®, and Microsoft Corp 2007 eCrime watch survey CSO Magazine Sep. 2007
19. Delahaye D, Etienne J-F, Donzeau-Gouge VV. Reasoning about airport security regulations using the focal environment. In: 2nd international symposium on leveraging applications of formal methods, verification and validation, Paphos; Nov. 2006, p. 45-52.
20. Federal Rules of Civil Procedure, revised Dec. 1, 2007.
21. B.A. Garner Blacks law dictionary 8th ed 2004 ThompsonWest St. Paul, Minnesota
22. Ghanavati S, Amyot D, Peyton L. Towards a framework for tracking legal compliance in healthcare. In: 19th Int'l Conf. Adv. Info. Sys. Engr.; 2007. p. 218-32.
23. B.C. Glaser, and A.L. Strauss The discovery of grounded theory 1967 Aldine Pub. Co. Chicago, IL
24. C.B. Haley, R.C. Laney, J.D. Moffett, and B. Nuseibeh Security requirements engineering: a framework for representation and analysis IEEE Transactions on Software Engineering 34 1 2008 133 153 (Pubitemid 351343906)
25. J.B. Hanson Liability for consumer information security breaches: deconstructing FTC complaints against businesses victimized by consumer information security breaches Shidler Journal of Law, Commerce and Technology 4 2008 11
26. Information Technology Governance Institute, Control objectives for information and related technology (COBIT), Version 4.1; 2007.
27. ISO/IEC15408:2005. Information technology - security techniques - evaluation criteria for IT security; 2005a.
28. ISO/IEC 27001:2005. Information technology - security techniques - information security management systems - requirements; 2005b.
29. ISO/IEC 27002:2005. Information technology - security techniques - code of practice for information security management, 2005c.
30. Karagiannis D, Mylopoulos J, Schwab M. Business process-based regulatory compliance: the case of the Sarbanes-Oxley act, In: IEEE Int'l Req'ts Engr. Conf.; 2007. p. 315-21.
31. R. Kim 2008 Identity fraud survey report: identity fraud continues to decline, but criminals more effective at using all channels Javelin Strategy and Research Feb. 2008
32. S.W. Lee, D. Muthurajan, R.A. Gandhi, D. Yavagal, and G. Ahn Building decision support problem domain ontology from security requirements to engineer software-intensive systems International Journal on Software Engineering and Knowledge Engineering 16 6 Dec. 2006 851 884 (Pubitemid 46181435)
33. Lin L, Nuseibeh B, Ince D, Jackson M, Moffett J, Introducing abuse frames for analysing security requirements. In: IEEE 11th international requirements engineering conference, Sep. 2003. p. 371-2.
34. F. Massacci, J. Mylopoulos, and N. Zannone Computer-aided support for Secure Tropos Automated Software Engineering 14 3 Sep. 2007 341 364 (Pubitemid 47397543)
35. N.R. Mead, and T. Stehney Security quality requirements engineering (SQUARE) methodology, Proc. Software Engineering for Secure Systems (SESS) - building trustworthy applications ACM Software Engineering Notes 30 4 2005 1 7
36. Rebecca T. Mercuri The HIPAA-potamus in health care data security Communications of the ACM 47 7 2004 25 28
37. P.N. Otto Reasonableness meets requirements: regulating security and privacy in software Duke Law Journal 2009
38. K.M. Siegel Protecting the most valuable corporate asset: electronic data, identity theft, personal information and the role of data security in the information age Pennsylvania State Law Review 111 Winter 2007 779
39. G. Sindre, and A.L. Opdahl Eliciting security requirements with misuse cases Requirements Engineering Journal 10 1 Jan. 2005 34 44
40. T.J. Smedinghoff It's all about trust: the expanding scope of security obligations in global privacy and e-transactions law Michigan State Journal of International Law 16 2007 1
41. Toval S, Olmos A, Piattini M. Legal requirements reuse: a critical success factor for requirements quality and personal data protection. In: IEEE Int'l Conf. Req'ts Engr., 2002, pp. 95-103.
42. U.K. Office of government commerce, information technology Infrastructure Library, Version 3 vols. 1-5 2007 The Stationary Office, Ltd. United Kingdom
43. U.S. Federal Trade Commission, Agency announces settlement of separate actions against retailer TJX, and data brokers Reed Elsevier and Seisint for failing to provide adequate security for consumers' data; Mar. 2008.
44. van Lamsweerde A, Elaborating security requirements by construction of intentional anti-models. In: IEEE 26th international conference on software engineering; 2004. p. 148-57.
45. Weiss M, Mouratidis H. Selecting security patterns that fulfill security requirements. In: IEEE 16th international requirements engineering conference; 2008. p. 169-72.
46. Whittle J, Wijesekera D, Hartong M. Executable misuse cases for modeling security concerns. In: IEEE 30th international conference on software engineering, Leipzig, Germany; 2008. p. 121-30.
47. R.K. Yin Case study research 3rd ed. Applied Social research methods Series vol. 5 2003 Sage Publications