Reasonableness Meets Requirements: Regulating Security and Privacy in Software

By Otto, Paul N. | Duke Law Journal, November 2009

ABSTRACT

Software security and privacy issues regularly grab headlines amid fears of identity theft, data breaches, and threats to security. Policymakers have responded with a variety of approaches to combat such risk. Suggested measures include promulgation of strict rules, enactment of open-ended standards, and, at times, abstention in favor of allowing market forces to intervene. This Note lays out the basis for understanding how both policymakers and engineers should proceed in an increasingly software-dependent society. After explaining what distinguishes software-based systems from other objects of regulation, this Note argues that policymakers should pursue standards-based approaches to regulating software security and privacy. Although engineers may be more comfortable dealing with strict rules, this Note explains why both policymakers and engineers benefit from pursuing standards over rules. The nature of software development prevents engineers from ever guaranteeing security and privacy, but with an effective regulatory standards framework complemented by engineers' technical expertise, heightened security, and privacy protections can benefit society.

INTRODUCTION

On October 20, 2008, Anne Pressly, a television anchorwoman in Little Rock, Arkansas, was discovered in her home after having been attacked and severely beaten. (1) Although she spent the next week at a hospital, Ms. Pressly never regained consciousness and ultimately passed away on October 25. (2) The attack quickly gained national media attention, (3) especially because the beating was particularly savage and yet apparently random. (4)

In addition to attracting national media attention, the situation surrounding Ms. Pressly's attack and subsequent hospitalization also inspired curiosity among hospital employees within the St. Vincent Health System. Within a month of Ms. Pressly's death, the hospital announced the firing of several employees for "improperly accessing [her] medical records." (5)

In cases the media follows, there have been many breaches of patients' privacy rights through unauthorized access to medical records. (6) The suspension or termination of hospital employees often follows such breaches, owing to the strict privacy protections put in place by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (7) and its resulting regulations regarding the security and privacy of medical records. (8) As a news article describing the Pressly situation mentions, however, "you still have to wonder ... why is there not more limited access to those [medical] records--especially with a prominent individual when you could really expect an unauthorized person would get overly curious? Why does the hospital allow any employee access to records they do not need to see?" (9)

The problem of unauthorized access to private information is not limited to the healthcare domain, nor is the general problem restricted to unauthorized access. Personally identifiable information (10)--whether financial, medical, or otherwise private--is threatened by identity theft, (11) data breaches, (12) and fraud, (13) among other threats. Misuse of personally identifiable information has increased as more information enters electronic form, thus facilitating both its exchange and exposure on a larger scale. The transition to electronic record systems has necessitated the development of complex software systems (14) to manage the creation, storage, and transmission of electronic information.

Increasingly, laws and regulations specify how software systems must implement data security and privacy measures. Some legal requirements regarding security and privacy emerge in advance of software system development to control the direction of software use. (15) Other security and privacy requirements emerge in response to perceived excesses or threats from existing software systems. (16) In both scenarios, policymakers (17) must make decisions about the means through which they seek to control software design, development, and deployment. …
