External Rules
by John Bandler
External rules are legal requirements such as laws and regulations and come from outside an organization. Organizations need to know what external rules apply to them, how to comply with them, and how to ensure that compliance integrates with their mission and business needs.
External rules are one of my Five Components for Policy Work and Management. This means that organizations need to consider the laws and other legal requirements they are bound by when building policies and when making decisions.
These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more.
External rules within the Three Platforms, Four Platforms, and Five Components concepts
External rules can be thought of as a platform within the Three Platforms to Connect for compliance framework, which visualizes how legal requirements, internal policy, and organization practice should align.
The three areas to consider for compliance analysis are:
- External rules: Laws, regulations, and other legal requirements
- Internal rules: Policies, procedures, and more
- Practice (or action): what is actually done.

Then I introduced the Fourth Platform:
- Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.
Then we needed a fifth component to consider when doing policy creation or improvement:

- External guidance: A more ambiguous "cloud" of best practices we can choose to adopt, adapt, or disregard.
We can view all five components together in this diagram, where we now view everything from a top view perspective.
External rules
Much of my website discusses law and regulation; I wrote a book on cyberlaw and am writing another book introducing law. Good lawyers help good organizations understand the laws and comply with them, while continuing to achieve their mission.
Here are some quick points on laws (external rules) for organizations to consider.
External rules can include legal requirements from:
- Statutes (federal and from the states, criminal and civil)
- Regulations (federal and state, primarily civil)
- Contractual requirements
- Negligence law (e.g., a duty of reasonable care)
Topics for external rules include:
- Criminal laws (what people can be arrested for and criminally punished for)
- Civil and regulatory requirements regarding:
  - Cybersecurity
  - Data breach notification and reporting
  - Privacy
  - More, lots more
Cybersecurity and privacy are a niche topic area, but one I spend a lot of time on, and one that organizations have challenges dealing with.
Examples of external rules relating to cyber include:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- New York's Department of Financial Services (DFS) Rule 500, Cybersecurity Requirements for Financial Services Companies
- A multitude of other state data breach notification, cybersecurity, and privacy requirements
- The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices, and through that some authority over privacy and cybersecurity
- The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), imposing privacy and cybersecurity requirements on the health sector
- The Gramm-Leach-Bliley Act (GLBA) imposing privacy and cybersecurity requirements on the financial sector
- Contracts with other businesses and your insurance provider.
Conclusion
Businesses need to understand external rules to comply with them, draft appropriate internal rules, and accomplish their mission.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
Additional reading
- Policies and Procedures Book
- Policies and Procedures Book Resources
- Five Components for Policy Work
- More articles on External Rules
- Rules
- Law
- Cyberlaw
- Cyberlaw book
  - Includes chapters on cybersecurity laws, data breach notification laws, privacy laws, and more, and brief coverage of my Five Components for Policy Work and Management
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Privacy
- Contract Law - An Introduction
- Cyber insurance
- Negligence Law
- Introduction to Law (Outline)
This article is hosted at https://johnbandler.com/external-rules, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/external-rules-5ad5ec58bb74 (though not kept as up to date).
Originally posted 8/26/2022, updated 5/20/2026.