External Rules 
by John Bandler
External rules are legal requirements such as laws and regulations and come from outside an organization. Organizations need to know what external rules apply to them, how to comply with them, and how to ensure that compliance integrates with their mission and business needs.
External rules are one of my five components for policy work.
These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more.
External rules within the Three Platforms concept
External rules can be thought of as a platform within the Three Platforms to Connect for compliance framework, which visualizes how legal requirements, internal policy, and organization practice should align.
The three areas to consider for compliance analysis are:
- External rules: Laws, regulations, and other legal requirements
- Internal rules: Policies, procedures, and more
- Practice: or action -- what is actually done.
External rules within the Four Platforms
Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.
External rules within the five components for policy work
As we evolve this concept, we can think of five main components to consider when doing policy creation or improvement, the four platforms plus the fifth component (a more ambiguous "cloud") of external guidance.
We can view all five components together in this diagram, where we now view everything from a top view perspective.
External rules
Much of this site discusses law and regulation, and my Introduction to Law outline gives a broad look at law. Some quick points are below.
External rules can include:
- Statutes (federal and from the states, criminal and civil)
- Regulations (federal and state, primarily civil)
- Contract requirements
- Negligence law (e.g., a duty of reasonable care)
Topics for external rules include:
- Criminal laws (what people can be arrested for and criminally punished for)
- Civil and regulatory requirements regarding
- Cybersecurity
- Data breach notification and reporting
- Privacy
- More, lots more (cyber and privacy is a niche but what I spend a lot of time on). See my introduction to law outline.
Examples of external rules include:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- A multitude of other state data breach notification, cybersecurity, and privacy requirements
- The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices which gives them some authority over privacy and cybersecurity
- The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), imposing privacy and cybersecurity requirements on the health sector
- The Gramm-Leach-Bliley Act (GLBA) imposing privacy and cybersecurity requirements on the financial sector
- Contracts with other businesses and your insurance provider.
Conclusion
Businesses need to understand external rules to comply with them, draft appropriate internal rules, and accomplish their mission.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
Additional reading
- Five Components for Policy Work
- External Rules (this article)
- Internal Rules
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Policies and Procedures (and other governance documents)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Internal Rules Building
- Rules
- External Guidance
- Business needs and mission
- Practice and action
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
This article is hosted at https://johnbandler.com/external-rules, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/external-rules-5ad5ec58bb74 (though not kept as up to date).
Originally posted 8/26/2022, updated 1/03/2023.