Rigid Rules vs. Flexible Standards

Laws prescribe requirements in two forms: legal rules and legal standards.

Legal rule

A legal rule stipulates the concrete actions or procedures that need to be followed or the technology that needs to be used for a software system to be deemed compliant with the law.

A good example of a legal rule is Canada’s Anti-Spam Legislation. This legislation lists specific contact information that must be included in any commercial electronic message as well as listing the valid ways for obtaining a person’s consent prior to sending them such messages.

Legal Standard

A legal standard describes, more abstractly, the goals and objectives of the law and requires that software producers take reasonable measures for achieving those goals.

A good example of a legal standard is Ontario’s Consumer Reporting Act. The Act requires that a reporting agency take reasonable measures to authenticate the people receiving reports. It asks that reporting agencies employ all reasonable procedures to ensure the accuracy of their data and correct errors in a reasonable amount of time.

Aligning Software Requirements

The advantage of legal rules is that they provide concrete guidelines on how the rules can be satisfied. Determining compliance is generally a clear and objective task. For each action specified by the law, the developer needs to implement a corresponding function or deploy the advised technology that implements the required action. The disadvantage is, if some new and improved technology comes along, the developer might have to continue using the older technology as required by the law (for example, regulatory requirements that specify that the software be tested using outdated testing strategies).