Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance * Bonnie W. Morris, Ph.D. CPA Division.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance * Bonnie W. Morris, Ph.D. CPA Division."— Presentation transcript:

1 The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance * Bonnie W. Morris, Ph.D. CPA Division of Accounting Srinivas Kankanahalli, Ph.D. Lane Department of Computer Science & Electrical Engineering West Virginia University *Funded in part by Lockheed Martin’s Radiant Trust Center of Excellence Program

2 Outline of Presentation  Motivation  Research Plan and Background  Our Work in Progress  Future Research Directions

3 Motivation for the Research  The Public is Concerned About Privacy and Infringement of Civil Liberties  Managing Privacy Policy Compliance is a Difficult Problem  There is a Demand for Assurance of Compliance with Privacy Laws and Policies

4 Public Concern  A 2002 survey by the Center for Survey Research & Analysis at the U Conn for the First Amendment Center and American Journalism Review found: 81% reported that the right to privacy was "essential.” (Up from 78% in 1997.)  In 2001, 72% of voters in North Dakota voted to re- instate “opt-in” privacy protections for financial information  In a 2000 survey, the Pew Internet & American Life Project found that: 86% support opt-in privacy policies before companies use personal information. Source: http://www.epic.org/privacy/survey/

5 Managing Privacy Compliance is Difficult!  U.S. laws are a “patchwork” –US PATRIOT Act –Gramm-Leach-Bliley Act –HIPAA –ECA –Video Privacy Act!  Many organizations also are subject to international privacy laws, such as the EU’s Data Protection Act.

6 Demand for Assurance  Senator Lieberman, chair of the Senate Governmental Affairs Committee, requested a GAO audit of four government agencies’ compliance with privacy laws and directives.

7 Demand for Assurance, continued  A survey by Harris Interactive, February 19, 2002 found that –most consumers do not trust business to handle their personal information properly –84% responded that independent verification of company privacy policies should be a requirement. Source: http://www.epic.org/privacy/survey/

8 Continuous or On-Demand Assurance? It probably doesn’t matter. The same infrastructure is required for both.

9 Research Plan and Background

10 Organizational, architectural, and system design changes are needed to support continuous assurance  A method of marking up or tagging data elements that are subject to privacy policies  Mapping of natural language text-based statutes and policies into rules implemented in a computer system  Maybe a “black box” to document access and sharing of personal information and to record audit tests.

11 Mapping Policy to Rules It is common practice when developing KBS to first build an intermediate or conceptual model before building a symbolic level model. –Aids in verification and validation –Supports future maintenance –Aids in the reuse. Source: Visser, et al. 1997

12 Legal Ontology-Definitions  An ontology is an explicit conceptualization of a domain (Gruber, 1992)  A legal ontology is a conceptualization of laws or statutes, in general.  A statute-specific ontology is the instantiation of a legal ontology for a specific statute.

13 Research Approach  Identify the target statute  Pick an ontology  Separate control knowledge from domain knowledge  Pass through the appropriate sections of the statute to identify the vocabulary, taxonomy, and typology needed to instantiate the ontology--this is an iterative process

14 Our Work in Progress: Develop a Statute Specific Ontology for the Gramm-Leach-Bliley Act Using the Van Kralingen Legal Ontology (1995)

15 Van Kralingen Ontology (1995) A frame-based ontology  Norms  Acts  Concepts

16 Norms are the rules or standards with which an entity must comply. Generally, a norm is expressed by a statement that something “ought to,” “ought not to,” “may,” or may not be done.

17 Norm frame  Identifier  Norm type  Source  Range of applicability  Conditions of applicability  Persons subject to the norm  Modality (ought, ought not, may, may not…)  Act identifier

18 Acts are events or processes that cause changes in the state of the world. An event causes an immediate change. A process has duration, over which change occurs.

19 Act Frame  Identifier  Type  Source of the description  Agents involved in the act  Means (objects used)  Manner in which the act was performed  Timing  Location  Circumstances  Cause (reason to perform act)  Aim  Intent  Final state that derives from the act

20 Concepts are used to determine the meaning of a notion. Concepts may be definitions or “deeming provisions.” (A deeming provision is a legal fiction, that is, a statement that under certain circumstances something that is not true will be deemed to be true. )

21 Concepts  Concept name  Concept type  Priority or weight assigned to it  Source of the concept description  Range of applicability  Conditions of applicability  List of instances of the concept

22 Identifying Statute Specific Vocabulary (Bench-Capon and Coenen, 1992)  Words denoting –actions –agents –objects  Words indicating –time –place –source –legal modality  Words assigning properties to other entities  Words expressing relations  Words marking textual constructions  Words marking arithmetic operations

23 A Partial Example of the Instantiation of the Ontology

24 Gramm-Leach-Bliley Act 15 USC, Subchapter I, Sec. 6801-6810 Disclosure of Nonpublic Personal Information source: http://www.ftc.gov/privacy/glbact/glbsub1.htm “(d) Limitations on the sharing of account number information for marketing purposes A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.”

25 Concepts (definitions)  Financial institution (Agent)  Third party (Agent) (Affiliated, Nonaffiliated,Consumer reporting agency,…)  Financial account (Object) (credit card, deposit account, transaction account)  Account Identifier (Object) (account number, access code, access number,…)  Marketing (Cause) (telemarketing, direct mail marketing, email marketing,…)

26 Act  Act Identifier: Share account number information for marketing purposes  Agents: Financial institutions subject to GLBA  Act: Agent discloses account identifier to third party  Cause: Marketing

27 Norm  Subject: Financial Institutions subject to GLBA  Conditions: Third party is non-affiliated and not a consumer credit agency  Legal Modality: Shall not  Act: Share account number information for marketing purposes

28 Control Knowledge  The need to select an action to resolve a conflict is called the control problem (Hayes-Roth, 1988)  Strategies for selecting the action to resolve a conflict is called solving the control problem  Knowledge used to solve the control problem is called control knowledge

29 GLBA Control Problem The GLBA control problem arises because there are rules and exceptions to them. Solved by the legal principle: Lex Specialis Derogat Legi Generali (the conclusion of the exception should be preferred over the conclusion of the general rule)

30 Future Research  Comparison of statute specific ontologies for other privacy statutes and policies  Implementation issues--including resolution of control problems  Tagging of data elements  Explore the “black box” concept  Temporal reasoning  Exploring the efficacy of using ontologies to help draft policy statements

Download ppt "The Use of Legal Ontologies in the Development of a System for Continuous Assurance of Privacy Policy Compliance * Bonnie W. Morris, Ph.D. CPA Division."

Similar presentations

Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.

Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.
Who We Are IPS CONSULTANTS AND ASSOCIATES. started as a group of professionals in legal, administrative and fiscal areas with more than 15 years of experience.

Who We Are IPS CONSULTANTS AND ASSOCIATES. started as a group of professionals in legal, administrative and fiscal areas with more than 15 years of experience.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Code of Ethics for Professional Accountants

Code of Ethics for Professional Accountants
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.

Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.
1 Practical Ethics: Following the MTA’s Code of Ethics in the Real World A Webinar Presentation March 13, 2007 – Charles Comer, CMT.

1 Practical Ethics: Following the MTA’s Code of Ethics in the Real World A Webinar Presentation March 13, 2007 – Charles Comer, CMT.
Privacy and the Right to Know Grayson Barber, Esq. Grayson Barber, LLC.

Privacy and the Right to Know Grayson Barber, Esq. Grayson Barber, LLC.
Discussion on SA-500 – AUDIT EVIDENCE

Discussion on SA-500 – AUDIT EVIDENCE
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Assurance, Attestation, and Internal Auditing Services

Assurance, Attestation, and Internal Auditing Services
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
25 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.

©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Other Assurance Services Chapter 25.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 24 - 1 Other Assurance Services Chapter 24.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley Other Assurance Services Chapter 24.
ACFID CODE OF CONDUCT Changes to the Code Effective Jan 2015.

ACFID CODE OF CONDUCT Changes to the Code Effective Jan 2015.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit

Similar presentations

Ads by Google