Posted on 18-Dec-2015
The Use of Legal Ontologies in the Development of a System for
Continuous Assurance of Privacy Policy Compliance*
Bonnie W. Morris, Ph.D., CPA
Division of Accounting
Srinivas Kankanahalli, Ph.D.
Lane Department of Computer Science & Electrical Engineering
West Virginia University
*Funded in part by Lockheed Martin’s Radiant Trust Center of Excellence Program
Outline of Presentation
– Motivation
– Research Plan and Background
– Our Work in Progress
– Future Research Directions
Motivation for the Research
The Public is Concerned About Privacy and Infringement of Civil Liberties
Managing Privacy Policy Compliance is a Difficult Problem
There is a Demand for Assurance of Compliance with Privacy Laws and Policies
Public Concern
A 2002 survey by the Center for Survey Research & Analysis at UConn for the First Amendment Center and American Journalism Review found: 81% reported that the right to privacy was “essential.” (Up from 78% in 1997.)
In 2001, 72% of voters in North Dakota voted to re-instate “opt-in” privacy protections for financial information.
In a 2000 survey, the Pew Internet & American Life Project found that: 86% support opt-in privacy policies before companies use personal information.
Source: http://www.epic.org/privacy/survey/
Managing Privacy Compliance is Difficult!
U.S. laws are a “patchwork”:
– US PATRIOT Act
– Gramm-Leach-Bliley Act
– HIPAA
– ECA
– Video Privacy Act
Many organizations also are subject to international privacy laws, such as the EU’s Data Protection Act.
Demand for Assurance
Senator Lieberman, chair of the Senate Governmental Affairs Committee, requested a GAO audit of four government agencies’ compliance with privacy laws and directives.
Demand for Assurance, continued
A survey by Harris Interactive, February 19, 2002, found that:
– most consumers do not trust business to handle their personal information properly
– 84% responded that independent verification of company privacy policies should be a requirement.
Source: http://www.epic.org/privacy/survey/
Continuous or On-Demand Assurance?
It probably doesn’t matter. The same infrastructure is required for both.
Research Plan and Background
Organizational, architectural, and system design changes are needed to support continuous assurance:
– A method of marking up or tagging data elements that are subject to privacy policies
– Mapping of natural-language, text-based statutes and policies into rules implemented in a computer system
– Maybe a “black box” to document access to and sharing of personal information and to record audit tests
Mapping Policy to Rules
It is common practice when developing a KBS (knowledge-based system) to first build an intermediate or conceptual model before building a symbolic-level model. This:
– aids in verification and validation
– supports future maintenance
– aids in reuse.
Source: Visser, et al. 1997
Legal Ontology: Definitions
An ontology is an explicit conceptualization of a domain (Gruber, 1992)
A legal ontology is a conceptualization of laws or statutes, in general.
A statute-specific ontology is the instantiation of a legal ontology for a specific statute.
Research Approach
– Identify the target statute
– Pick an ontology
– Separate control knowledge from domain knowledge
– Pass through the appropriate sections of the statute to identify the vocabulary, taxonomy, and typology needed to instantiate the ontology (this is an iterative process)
Our Work in Progress:
Develop a Statute Specific Ontology for the Gramm-Leach-Bliley Act Using the Van Kralingen Legal Ontology (1995)
Van Kralingen Ontology (1995)
A frame-based ontology:
– Norms
– Acts
– Concepts
Norms are the rules or standards with which an entity must comply. Generally, a norm is expressed by a statement that something “ought to,” “ought not to,” “may,” or “may not” be done.
Norm frame
– Identifier
– Norm type
– Source
– Range of applicability
– Conditions of applicability
– Persons subject to the norm
– Modality (ought, ought not, may, may not…)
– Act identifier
Acts are events or processes that cause changes in the state of the world. An event causes an immediate change. A process has duration, over which change occurs.
Act frame
– Identifier
– Type
– Source of the description
– Agents involved in the act
– Means (objects used)
– Manner in which the act was performed
– Timing
– Location
– Circumstances
– Cause (reason to perform act)
– Aim
– Intent
– Final state that derives from the act
Concepts are used to determine the meaning of a notion. Concepts may be definitions or “deeming provisions.”
(A deeming provision is a legal fiction, that is, a statement that under certain circumstances something that is not true will be deemed to be true.)
Concept frame
– Concept name
– Concept type
– Priority or weight assigned to it
– Source of the concept description
– Range of applicability
– Conditions of applicability
– List of instances of the concept
Identifying Statute-Specific Vocabulary (Bench-Capon and Coenen, 1992)
Words denoting:
– actions
– agents
– objects
Words indicating:
– time
– place
– source
– legal modality
Words assigning properties to other entities
Words expressing relations
Words marking textual constructions
Words marking arithmetic operations
A Partial Example of the Instantiation of the Ontology
Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801-6810
Disclosure of Nonpublic Personal Information
Source: http://www.ftc.gov/privacy/glbact/glbsub1.htm
“(d) Limitations on the sharing of account number information for marketing purposes
A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.”
Concepts (definitions)
– Financial institution (Agent)
– Third party (Agent): affiliated, nonaffiliated, consumer reporting agency, …
– Financial account (Object): credit card, deposit account, transaction account
– Account identifier (Object): account number, access code, access number, …
– Marketing (Cause): telemarketing, direct mail marketing, email marketing, …
Act
Act Identifier: Share account number information for marketing purposes
Agents: Financial institutions subject to GLBA
Act: Agent discloses account identifier to third party
Cause: Marketing
Norm
Subject: Financial Institutions subject to GLBA
Conditions: Third party is non-affiliated and not a consumer credit agency
Legal Modality: Shall not
Act: Share account number information for marketing purposes
Control Knowledge
The need to select an action to resolve a conflict is called the control problem (Hayes-Roth, 1988)
Choosing a strategy for selecting the action to resolve a conflict is called solving the control problem
Knowledge used to solve the control problem is called control knowledge
GLBA Control Problem
The GLBA control problem arises because there are rules and exceptions to them.
Solved by the legal principle:
Lex Specialis Derogat Legi Generali
(the conclusion of the exception should be preferred over the conclusion of the general rule)
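As an added illustration (not code from the presentation), the following Python encodes the act and norm frames from the preceding slides for 15 USC 6802(d) and applies lex specialis as control knowledge when the general rule and its consumer-reporting-agency exception both apply. The taxonomy instances, the sample disclosures and the evaluation logic are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable
# Constructed instantiation of the Van Kralingen norm/act/concept frames for
# GLBA 15 USC 6802(d). Slot names follow the slides; the taxonomy instances,
# the sample disclosures and the evaluation logic are this example's assumptions.
CONCEPTS = {  # concept name -> instances (taxonomy from the "Concepts" slide)
    "consumer reporting agency": {"credit bureau"},
    "nonaffiliated third party": {"marketing firm", "data broker", "credit bureau"},
    "account identifier": {"account number", "access code", "access number"},
    "marketing": {"telemarketing", "direct mail marketing", "email marketing"},
}

def is_a(instance: str, concept: str) -> bool:
    return instance in CONCEPTS[concept]

@dataclass
class Act:  # act frame (subset of the slots on the "Act frame" slide)
    identifier: str
    agent: str      # financial institution performing the disclosure
    recipient: str  # third party that receives the data
    object: str     # what is disclosed
    cause: str      # reason to perform the act

@dataclass
class Norm:  # norm frame
    identifier: str
    subject: str
    modality: str                      # "shall not", "may", ...
    act_identifier: str
    conditions: Callable[[Act], bool]  # conditions of applicability
    specificity: int                   # control knowledge: higher = more specific

SHARE = "share account identifier for marketing purposes"
NORMS = [
    Norm("6802(d) general rule", "financial institution", "shall not", SHARE,
         lambda a: is_a(a.object, "account identifier") and is_a(a.cause, "marketing")
         and is_a(a.recipient, "nonaffiliated third party"), specificity=1),
    Norm("6802(d) exception", "financial institution", "may", SHARE,
         lambda a: is_a(a.object, "account identifier")
         and is_a(a.recipient, "consumer reporting agency"), specificity=2),
]

def resolve(act: Act) -> str:
    """Lex specialis derogat legi generali: when several norms govern the same
    act, the most specific applicable norm supplies the controlling modality."""
    applicable = [n for n in NORMS if n.act_identifier == act.identifier and n.conditions(act)]
    if not applicable:
        return "not governed"
    winner = max(applicable, key=lambda n: n.specificity)
    return "prohibited" if winner.modality == "shall not" else "permitted"
```

A disclosure event recorded by the "black box" from the earlier slide could be fed to `resolve` as an `Act` to produce the audit verdict for that event.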
Future Research
– Comparison of statute-specific ontologies for other privacy statutes and policies
– Implementation issues, including resolution of control problems
– Tagging of data elements
– Explore the “black box” concept
– Temporal reasoning
– Exploring the efficacy of using ontologies to help draft policy statements