Assessing regulatory change through legal requirements coverage modeling

Developing global markets offer companies new opportunities to manufacture and sell information technology (IT) products in ways unforeseen by current laws and regulations. This innovation leads to changing requirements due to changes in product features, laws, or the locality where the product is sold or manufactured. To help developers rationalize these changes, we introduce a preliminary framework and method that can be used by requirements engineers and their legal teams to identify relevant legal requirements and trace changes in requirements coverage. The framework includes a method to translate IT regulations into a legal requirements coverage model used to make coverage assertions about existing or planned IT systems. We evaluated the framework in a case study using three IT laws: California's Confidentiality of Medical Records Act, the U.S. Health Information Portability and Accountability Act (HIPAA) and amendments from the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the India 2011 Information Technology Rules. Further, we demonstrate the framework using three scenarios: new product features are proposed; product-related services are outsourced abroad; and regulations change to address changes in the market.