DOI: 10.1145/1866919.1866930

Experiences in the logical specification of the HIPAA and GLBA privacy laws

Published: 04 October 2010

Abstract

Despite the wide array of frameworks proposed for the formal specification and analysis of privacy laws, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks. We attempt to bridge this gap by giving complete logical formalizations of the transmission-related portions of the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). To this end, we develop the PrivacyLFP logic, whose features include support for disclosure purposes, real-time constructs, and self-reference via fixed points. To illustrate these features and demonstrate PrivacyLFP's utility, we present formalizations of a collection of clauses from these laws. Due to their size, our full formalizations of HIPAA and GLBA appear in a companion technical report. We discuss ambiguities in the laws that our formalizations revealed and sketch preliminary ideas for computer-assisted enforcement of such privacy policies.
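As an added illustration, not code from the paper and not its PrivacyLFP formalization, the following Python checks a constructed disclosure log against three simplified, assumed clause shapes that mirror the feature families the abstract names: a purpose restriction, a real-time validity window on patient authorizations, and a self-referential notion of "legitimately holds" (a party may transmit a record only if it received that record through a permitted transmission, which is defined in terms of the same predicate) computed as a least fixed point. The event vocabulary, party names, permitted-purpose set, day units and 30-day window are all assumptions made for the example; they are not statements about what HIPAA or GLBA actually require.

```python
"""
Added illustration (not from the paper): a small trace checker exercising
disclosure purposes, a real-time constraint, and a self-referential
'legitimately holds' relation evaluated as a least fixed point.

All clause shapes, names and numbers below are ASSUMED for the example and
are not the paper's formalization of HIPAA or GLBA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Disclosure:
    t: int          # day on which the transmission happened (assumed unit)
    sender: str
    recipient: str
    subject: str    # the individual the record is about
    purpose: str


@dataclass(frozen=True)
class Authorization:
    t: int          # day the subject signed it
    subject: str
    recipient: str
    valid_days: int  # covers days t .. t + valid_days inclusive (assumed)


# Assumed clause 1 (purposes): these purposes need no authorization.
PERMITTED_PURPOSES = frozenset({"treatment", "payment", "operations"})


def authorization_covers(auths, d):
    """Assumed clause 2 (real-time constraint): an authorization by the subject
    names this recipient, was signed no later than the disclosure, and had not
    expired on the day of the disclosure."""
    return any(
        a.subject == d.subject
        and a.recipient == d.recipient
        and a.t <= d.t <= a.t + a.valid_days
        for a in auths
    )


def permitted(d, holds, auths):
    """Assumed clause 3 (self-reference): a disclosure is permitted only if the
    sender already legitimately held the record on that day, and the purpose
    is a permitted one or a valid authorization covers it.  `holds` maps a
    party to the first day it legitimately held the record."""
    if holds.get(d.sender, float("inf")) > d.t:
        return False
    return d.purpose in PERMITTED_PURPOSES or authorization_covers(auths, d)


def legitimate_holders(disclosures, auths, subject, originators):
    """Least fixed point of
        holds(x, 0)   <- x in originators
        holds(x, d.t) <- d is permitted and recipient(d) = x
    computed by Kleene iteration: re-evaluate every disclosure until no
    party acquires the record earlier than already recorded."""
    holds = {o: 0 for o in originators}  # originators hold from day 0 (assumed)
    changed = True
    while changed:
        changed = False
        for d in sorted(disclosures, key=lambda x: x.t):
            if d.subject != subject:
                continue
            if permitted(d, holds, auths) and holds.get(d.recipient, float("inf")) > d.t:
                holds[d.recipient] = d.t
                changed = True
    return holds


def violations(disclosures, auths, originators):
    """Every disclosure in the log that the assumed policy does not permit,
    in chronological order."""
    by_subject = {}
    for d in disclosures:
        by_subject.setdefault(d.subject, []).append(d)
    out = []
    for subject, ds in by_subject.items():
        holds = legitimate_holders(ds, auths, subject, originators.get(subject, ()))
        out.extend(d for d in ds if not permitted(d, holds, auths))
    return sorted(out, key=lambda x: x.t)


# Constructed sample data (not real records).
ORIGINATORS = {"alice": {"clinic"}}  # the clinic created alice's record (assumed)
AUTHS = [Authorization(t=10, subject="alice", recipient="insurer-research", valid_days=30)]
LOG = [
    Disclosure(1, "clinic", "lab", "alice", "treatment"),
    Disclosure(3, "lab", "billing", "alice", "payment"),
    Disclosure(5, "marketer", "partner", "alice", "marketing"),       # marketer never held it
    Disclosure(12, "clinic", "insurer-research", "alice", "research"),  # inside the window
    Disclosure(20, "billing", "collections", "alice", "payment"),
    Disclosure(45, "clinic", "insurer-research", "alice", "research"),  # window ended day 40
]

if __name__ == "__main__":
    for v in violations(LOG, AUTHS, ORIGINATORS):
        print(f"day {v.t}: {v.sender} -> {v.recipient} ({v.purpose}) not permitted")
```

Running the block reports the day-5 and day-45 disclosures: the first because the sender never legitimately held the record, the second because the authorization had expired. The re-disclosures by `lab` and `billing` are accepted only because the fixed-point iteration establishes that they received the record through permitted transmissions first.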




Published In

WPES '10: Proceedings of the 9th annual ACM workshop on Privacy in the electronic society
October 2010, 136 pages
ISBN: 9781450300964
DOI: 10.1145/1866919

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. fixed point logic
  2. glba
  3. hipaa
  4. privacy policy specification

Qualifiers

  • Research-article

Conference

CCS '10

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%


Cited By

  • (2024) Data-CASE: Grounding Data Regulations for Compliant Data Processing Systems. SSRN Electronic Journal. doi:10.2139/ssrn.4872162. Online publication date: 2024.
  • (2024) Ethical Framework for Harnessing the Power of AI in Healthcare and Beyond. IEEE Access, 12:31014-31035. doi:10.1109/ACCESS.2024.3369912. Online publication date: 2024.
  • (2024) Model-Checking the Implementation of Consent. Software Engineering and Formal Methods, pages 253-271. doi:10.1007/978-3-031-77382-2_15. Online publication date: 26 Nov 2024.
  • (2023) QOMPLIANCE: Declarative Data-Centric Policy Compliance. 2023 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), pages 1-8. doi:10.1109/CSDE59766.2023.10487688. Online publication date: 4 Dec 2023.
  • (2021) A Calculus of Tracking: Theory and Practice. Proceedings on Privacy Enhancing Technologies, 2021(2):259-281. doi:10.2478/popets-2021-0027. Online publication date: 29 Jan 2021.
  • (2021) Foundations for Robust Data Protection: Co-designing Law and Computer Science. 2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), pages 235-242. doi:10.1109/TPSISA52974.2021.00026. Online publication date: Dec 2021.
  • (2021) Automating Audit with Policy Inference. 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pages 1-16. doi:10.1109/CSF51468.2021.00001. Online publication date: Jun 2021.
  • (2020) SoK. Proceedings of the 19th Workshop on Privacy in the Electronic Society, pages 41-56. doi:10.1145/3411497.3420216. Online publication date: 9 Nov 2020.
  • (2019) Formal specification and verification of user-centric privacy policies for ubiquitous systems. Proceedings of the 23rd International Database Applications & Engineering Symposium, pages 1-10. doi:10.1145/3331076.3331105. Online publication date: 10 Jun 2019.
  • (2019) NAI. Proceedings of the Seventeenth International Conference on Artificial Intelligence and Law, pages 262-263. doi:10.1145/3322640.3326721. Online publication date: 17 Jun 2019.
