A cross-domain empirical study and legal evaluation of the requirements water marking method.

Authors :
Gordon, David
Breaux, Travis
Source :
Requirements Engineering. Jun 2013, Vol. 18 Issue 2, p147-173. 27p. 21 Diagrams, 4 Charts, 2 Graphs.
Publication Year :
2013

Abstract

Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. Companies are subject to new regulations from one or more governing bodies, when companies introduce new or existing products into a jurisdiction, when regulations change, or when data are transferred across political borders. To address this problem, we developed a framework called 'requirements water marking' that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) to produce a single high or low standard of care. We evaluate the framework in two empirical case studies covering a subset of U.S. data breach notification laws and medical record retention laws. In these studies, applying our framework reduced the number of requirements a company must comply with by 76 % across 8 jurisdictions and 15 % across 4 jurisdictions, respectively. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts to contextualize our empirical results in legal practice. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
09473602
Volume :
18
Issue :
2
Database :
Academic Search Index
Journal :
Requirements Engineering
Publication Type :
Academic Journal
Accession number :
88109293
Full Text :
https://doi.org/10.1007/s00766-013-0167-6