1 / 30

Bonnie W. Morris, Ph.D. CPA Division of Accounting Srinivas Kankanahalli, Ph.D.

The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance *. Bonnie W. Morris, Ph.D. CPA Division of Accounting Srinivas Kankanahalli, Ph.D. Lane Department of Computer Science & Electrical Engineering West Virginia University

ama
Download Presentation

Bonnie W. Morris, Ph.D. CPA Division of Accounting Srinivas Kankanahalli, Ph.D.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance* Bonnie W. Morris, Ph.D. CPA Division of Accounting Srinivas Kankanahalli, Ph.D. Lane Department of Computer Science & Electrical Engineering West Virginia University *Funded in part by Lockheed Martin’s Radiant Trust Center of Excellence Program

  2. Outline of Presentation • Motivation • Research Plan and Background • Our Work in Progress • Future Research Directions

  3. Motivation for the Research • The Public is Concerned About Privacy and Infringement of Civil Liberties • Managing Privacy Policy Compliance is a Difficult Problem • There is a Demand for Assurance of Compliance with Privacy Laws and Policies

  4. Public Concern • A 2002 survey by the Center for Survey Research & Analysis at the U Conn for the First Amendment Center and American Journalism Review found: 81% reported that the right to privacy was "essential.” (Up from 78% in 1997.) • In 2001, 72% of voters in North Dakota voted to re-instate “opt-in” privacy protections for financial information • In a 2000 survey, the Pew Internet & American Life Project found that: 86% support opt-in privacy policies before companies use personal information. Source: http://www.epic.org/privacy/survey/

  5. Managing Privacy Compliance is Difficult! • U.S. laws are a “patchwork” • US PATRIOT Act • Gramm-Leach-Bliley Act • HIPAA • ECA • Video Privacy Act! • Many organizations also are subject to international privacy laws, such as the EU’s Data Protection Act.

  6. Demand for Assurance • Senator Lieberman, chair of the Senate Governmental Affairs Committee, requested a GAO audit of four government agencies’ compliance with privacy laws and directives.

  7. Demand for Assurance, continued • A survey by Harris Interactive, February 19, 2002 found that • most consumers do not trust business to handle their personal information properly • 84% responded that independent verification of company privacy policies should be a requirement. Source: http://www.epic.org/privacy/survey/

  8. Continuous or On-Demand Assurance? It probably doesn’t matter. The same infrastructure is required for both.

  9. Research Plan and Background

  10. Organizational, architectural, and system design changes are needed to support continuous assurance • A method of marking up or tagging data elements that are subject to privacy policies • Mapping of natural language text-based statutes and policies into rules implemented in a computer system • Maybe a “black box” to document access and sharing of personal information and to record audit tests.

  11. Mapping Policy to Rules It is common practice when developing KBS to first build an intermediate or conceptual model before building a symbolic level model. • Aids in verification and validation • Supports future maintenance • Aids in the reuse. Source: Visser, et al. 1997

  12. Legal Ontology-Definitions • An ontology is an explicit conceptualization of a domain (Gruber, 1992) • A legalontology is a conceptualization of laws or statutes, in general. • A statute-specific ontology is the instantiation of a legal ontology for a specific statute.

  13. Research Approach • Identify the target statute • Pick an ontology • Separate control knowledge from domain knowledge • Pass through the appropriate sections of the statute to identify the vocabulary, taxonomy, and typology needed to instantiate the ontology--this is an iterative process

  14. Our Work in Progress:Develop a Statute Specific Ontology for the Gramm-Leach-Bliley Act Using the Van Kralingen Legal Ontology (1995)

  15. Van Kralingen Ontology (1995) A frame-based ontology • Norms • Acts • Concepts

  16. Norms are the rules or standards with which an entity must comply. Generally, a norm is expressed by a statement that something “ought to,” “ought not to,” “may,” or may not be done.

  17. Norm frame • Identifier • Norm type • Source • Range of applicability • Conditions of applicability • Persons subject to the norm • Modality (ought, ought not, may, may not…) • Act identifier

  18. Acts are events or processes that cause changes in the state of the world. An event causes an immediate change. A process has duration, over which change occurs.

  19. Act Frame • Identifier • Type • Source of the description • Agents involved in the act • Means (objects used) • Manner in which the act was performed • Timing • Location • Circumstances • Cause (reason to perform act) • Aim • Intent • Final state that derives from the act

  20. Concepts are used to determine the meaning of a notion. Concepts may be definitions or “deeming provisions.” (A deeming provision is a legal fiction, that is, a statement that under certain circumstances something that is not true will be deemed to be true. )

  21. Concepts • Concept name • Concept type • Priority or weight assigned to it • Source of the concept description • Range of applicability • Conditions of applicability • List of instances of the concept

  22. Identifying Statute Specific Vocabulary (Bench-Capon and Coenen, 1992) • Words denoting • actions • agents • objects • Words indicating • time • place • source • legal modality • Words assigning properties to other entities • Words expressing relations • Words marking textual constructions • Words marking arithmetic operations

  23. A Partial Example of the Instantiation of the Ontology

  24. Gramm-Leach-Bliley Act15 USC, Subchapter I, Sec. 6801-6810Disclosure of Nonpublic Personal Informationsource: http://www.ftc.gov/privacy/glbact/glbsub1.htm “(d) Limitations on the sharing of account number information for marketing purposes A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.”

  25. Concepts (definitions) • Financial institution (Agent) • Third party (Agent) (Affiliated, Nonaffiliated,Consumer reporting agency,…) • Financial account (Object) (credit card, deposit account, transaction account) • Account Identifier (Object) (account number, access code, access number,…) • Marketing (Cause) (telemarketing, direct mail marketing, email marketing,…)

  26. Act • Act Identifier: Share account number information for marketing purposes • Agents: Financial institutions subject to GLBA • Act: Agent discloses account identifier to third party • Cause: Marketing

  27. Norm • Subject: Financial Institutions subject to GLBA • Conditions: Third party is non-affiliated and not a consumer credit agency • Legal Modality: Shall not • Act: Share account number information for marketing purposes

  28. Control Knowledge • The need to select an action to resolve a conflict is called the control problem (Hayes-Roth, 1988) • Strategies for selecting the action to resolve a conflict is called solving the control problem • Knowledge used to solve the control problem is called control knowledge

  29. GLBA Control Problem The GLBA control problem arises because there are rules and exceptions to them. Solved by the legal principle: Lex Specialis Derogat Legi Generali (the conclusion of the exception should be preferred over the conclusion of the general rule)

  30. Future Research • Comparison of statute specific ontologies for other privacy statutes and policies • Implementation issues--including resolution of control problems • Tagging of data elements • Explore the “black box” concept • Temporal reasoning • Exploring the efficacy of using ontologies to help draft policy statements

More Related