External Rules

by John Bandler

External rules are legal requirements such as laws and regulations and come from outside an organization. Organizations need to know what external rules apply to them, how to comply with them, and how to ensure that compliance integrates with their mission and business needs.

External rules are one of my five components for policy work.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more.

External rules within the Three Platforms, Four Platforms, and Five Components concepts

External rules can be thought of as a platform within the Three Platforms to Connect for compliance framework, which visualizes how legal requirements, internal policy, and organization practice should align.

The three areas to consider for compliance analysis are:

  • External rules: Laws, regulations, and other legal requirements
  • Internal rules: Policies, procedures, and more
  • Practice (or action): what is actually done.

Then I introduced the Fourth Platform:

  • Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.

Then we needed a fifth component to consider when doing policy creation or improvement:

  • External guidance: A more ambiguous "cloud" of best practices we can choose to adopt, adapt, or disregard.

We can view all five components together in this diagram, where we now view everything from a top view perspective.

External rules

Much of this site discusses law and regulation, and my Introduction to Law outline gives a broad look at law. Some quick points are below.

External rules can include legal requirements from:

  • Statutes (federal and from the states, criminal and civil)
  • Regulations (federal and state, primarily civil)
  • Contractual requirements
  • Negligence law (e.g., a duty of reasonable care)

Topics for external rules include:

  • Criminal laws (what people can be arrested for and criminally punished for)
  • Civil and regulatory requirements regarding
    • Cybersecurity
    • Data breach notification and reporting
    • Privacy
    • More, lots more (cyber and privacy are a niche, but one I spend a lot of time on). See my Introduction to Law outline.

Examples of external rules include:

  • New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
  • A multitude of other state data breach notification, cybersecurity, and privacy requirements
  • The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices, and with it some authority over privacy and cybersecurity
  • The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), imposing privacy and cybersecurity requirements on the health sector
  • The Gramm-Leach-Bliley Act (GLBA), imposing privacy and cybersecurity requirements on the financial sector
  • Contracts with other businesses and your insurance provider.


Businesses need to understand external rules to comply with them, draft appropriate internal rules, and accomplish their mission.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/external-rules, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at https://johnbandler.medium.com/external-rules-5ad5ec58bb74 (though not kept as up to date).

Originally posted 8/26/2022, updated 12/16/2023.