  • DocumentCode
    1934372
  • Title

    A legal cross-references taxonomy for identifying conflicting software requirements

  • Author

    Maxwell, Jeremy C. ; Antón, Annie I. ; Swire, Peter

  • Author_Institution
    Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
  • fYear
    2011
  • fDate
    Aug. 29 2011-Sept. 2 2011
  • Firstpage
    197
  • Lastpage
    206
  • Abstract
    Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from noncompliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, as well as other challenges to regulatory compliance. Requirements engineers need guidance as to how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to determine whether a cross-reference either: introduces a conflicting requirement, a conflicting definition, and/or refines an existing requirement. Herein, we propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify . Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.
  • Keywords
    formal verification; legislation; software engineering; US Health Insurance Portability and Accountability Act privacy rule; compliance requirements; legal compliance; legal cross-references taxonomy; regulatory compliance; requirements engineer; software development; software requirement; Educational institutions; Law; Privacy; Software; Taxonomy; Unified modeling language; Conflicting Requirements; Healthcare IT; Regulatory Compliance; Requirements Engineering;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Requirements Engineering Conference (RE), 2011 19th IEEE International
  • Conference_Location
    Trento
  • ISSN
    1090-705X
  • Print_ISBN
    978-1-4577-0921-0
  • Electronic_ISBN
    1090-705X
  • Type

    conf

  • DOI
    10.1109/RE.2011.6051647
  • Filename
    6051647