Bandler’s Three Platforms to Connect

  • Do good and help individuals and society, provide a necessary service or product
  • Earn revenue and business (which pays employee salaries, rewards business owners and shareholders, etc.)
  • Obtain donations or grants
  • Survive, thrive, and grow.

The three platforms to connect

The three areas to consider are:

Bandlers Three Platforms to Connect (2) simple
  • Laws and regulations (external rules)
  • Policies, procedures, and other internal rules
  • Practice, action, or what is actually done.

External rules (laws and regulations)

Bandlers Three Platforms to Connect (3) External Rules
  • New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
  • The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices which gives them some authority over privacy and cybersecurity
  • The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Many more!
  • New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”)
  • Regulations issued by HHS under HIPAA and HITECH
  • Many more here too.
  • Negligence law (be reasonable and diligent, not sloppy or deficient)
  • Contract law (including about cybersecurity and other promises with respect to clients, vendors, and insurers)
  • Litigation rules, including discovery, disclosure, and e-discovery (which can include a duty to preserve and produce documents and data).

Internal rules (policies, procedures, etc.)

Bandlers Three Platforms to Connect (4) Internal Rules
  • Policies (general rules)
  • Standards (more detailed rules)
  • Procedures (highly detailed steps to accomplish a task)
  • Guidelines (guidance, but not a rule)
  • Other documents whatever their name, such as charters, plans, handbooks, manuals, etc.
  • Cybersecurity
  • Incident response
  • Privacy
  • Conflicts of interest
  • Employee rights and responsibilities in the workplace
  • Anti-discrimination.

Practice (action, what is actually done)

Bandlers Three Platforms to Connect (5) Practice

Align the three platforms and watch the gap

Now that we know about the three important areas, and think of them as platforms, we can build a metaphor that helps us. The government built most of the external rules platform through statute, regulation, and court decisions, so we need to interpret it as best we can. We build the other two platforms ourselves, and want to align them, and reduce and watch the gaps. I put it all together with this diagram.

Bandlers Three Platforms to Connect (1) Detailed

Red flags to avoid

Organizations can fall into traps that are ultimately bad for the organization and eventually will impair its mission.

  • “We can ignore this law/regulation because we probably won’t get caught, and even if we do get caught, the penalties won’t be too bad.”
  • “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
  • “We have good policies on paper, but we don’t really follow them.”
  • “I know the policy says that, but that’s not really the way we do it here.”
  • “Person X is our security/privacy officer on paper, but in reality does not have time for it.”
  • “We have comprehensive cybersecurity and privacy programs but they are all verbal and unwritten.”
  • “I need to create this policy/program in a single day”

Wait, aren’t your three platforms missing something?

These three platforms represent a compliance line, and aligning them helps ensure compliance with laws and regulations.


My Three Platforms to Connect concept provides a helpful way for organizations to visualize compliance and management, which also helps with good overall governance and efficiency. Employees that know what is expected of them can focus on their mission. Organizations that are well run and build compliance and security into their operations can focus on their mission. Mission and business needs make up my Fourth Platform which I discuss in another article.

Additional reading and resources

This article is also hosted at my website at where I also include links for additional reading, and it may be more current and with improved formatting.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
John Bandler

John Bandler


Cybersecurity, cybercrime prevention, privacy, law, more. Attorney, consultant, author, speaker, teacher. Find me at