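@comment{References on assessing whether security and privacy requirements
  satisfy legal obligations (HIPAA implementation readiness, data-broker breach
  handling). Entries were cleaned from an auto-export: one field per line,
  page ranges as "--" (the en-dash is non-ASCII and breaks classic BibTeX),
  ISSNs stored bare rather than as a JSON-style list, month as the unquoted
  macro, acronyms and proper nouns brace-protected in titles, and the literal
  "&" in a journal name escaped.}

@inproceedings{massey_smith_otto_anton_2011,
  title     = {Assessing the Accuracy of Legal Implementation Readiness Decisions},
  author    = {Massey, Aaron K. and Smith, B. and Otto, Paul N. and Anton, Annie I.},
  booktitle = {2011 19th {IEEE} International Requirements Engineering Conference ({RE})},
  year      = {2011},
  pages     = {207--216},
  doi       = {10.1109/re.2011.6051661},
  abstract  = {Software engineers regularly build systems that are required to comply with laws and regulations. To this end, software engineers must determine which requirements have met or exceeded their legal obligations and which requirements have not. Requirements that have met or exceeded their legal obligations are legally implementation ready, whereas requirements that have not met or exceeded their legal obligations need further refinement. Research is needed to better understand how to support software engineers in making these determinations. In this paper, we describe a case study in which we asked graduate-level software engineering students to assess whether a set of software requirements for an electronic health record system met or exceeded their corresponding legal obligations as expressed in regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA). We compare the assessment made by graduate students with an assessment made by HIPAA compliance subject matter experts. Additionally, we contrast these results with those generated by a legal requirements triage algorithm. Our findings suggest that the average graduate-level software engineering student is ill-prepared to write legally compliant software with any confidence and that domain experts are an absolute necessity. Our findings also indicate the potential utility of legal requirements metrics in aiding software engineers as they make legal compliance decisions.},
}

@article{massey_otto_hayward_anton_2010,
  title   = {Evaluating Existing Security and Privacy Requirements for Legal Compliance},
  author  = {Massey, Aaron K. and Otto, Paul N. and Hayward, Lauren J. and Anton, Annie I.},
  journal = {Requirements Engineering},
  volume  = {15},
  number  = {1},
  year    = {2010},
  month   = mar,
  pages   = {119--137},
  issn    = {1432-010X},
  doi     = {10.1007/s00766-009-0089-5},
}

@article{otto_2009,
  title   = {Reasonableness Meets Requirements: Regulating Security and Privacy in Software},
  author  = {Otto, Paul N.},
  journal = {Duke Law Journal},
  volume  = {59},
  number  = {2},
  year    = {2009},
  pages   = {309--342},
}

@article{otto_anton_baumer_2007,
  title    = {The {ChoicePoint} Dilemma: How Data Brokers Should Handle the Privacy of Personal Information},
  author   = {Otto, Paul N. and Anton, Annie I. and Baumer, David L.},
  journal  = {{IEEE} Security \& Privacy},
  volume   = {5},
  number   = {5},
  year     = {2007},
  pages    = {15--23},
  issn     = {1558-4046},
  doi      = {10.1109/MSP.2007.126},
  abstract = {Before 2005, data broker ChoicePoint suffered fraudulent access to its databases that exposed thousands of customers' personal information. We examine ChoicePoint's data breach, explore what went wrong from the perspective of consumers, executives, policy, and IT systems, and offer recommendations for the future.},
}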