External Rules
External rules are legal requirements such as laws and regulations and come from outside an organization. Organizations need to know what external rules apply to them, how to comply with them, and how to ensure that compliance integrates with their mission and business needs.
External rules are one of my five components for policy work.
These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance — properly managing information assets such as computer devices, data, networks, and more.
External rules within the Three Platforms concept
External rules can be thought of as a platform within the Three Platforms to Connect for compliance framework, which visualizes how legal requirements, internal policy, and organization practice should align.
The three areas to consider for compliance analysis are:
- External rules: Laws, regulations, and other legal requirements
- Internal rules: Policies, procedures, and more
- Practice: or action — what is actually done.
External rules within the Four Platforms
Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.
External rules within the five components for policy work
As we evolve this concept, we can think of five main components to consider when doing policy creation or improvement, the four platforms plus the fifth component (a more ambiguous “cloud”) of external guidance.
We can view all five components together in this diagram, where we now view everything from a top view perspective.
External rules
Much of this site discusses law and regulation, and my Introduction to Law outline gives a broad look at law. Some quick points are below.
External rules can include:
- Statutes (federal and from the states, criminal and civil)
- Regulations (federal and state, primarily civil)
- Contract requirements
- Negligence law (e.g., a duty of reasonable care)
Topics for external rules include:
- Criminal laws (what people can be arrested for and criminally punished for)
- Civil and regulatory requirements regarding
- Cybersecurity
- Data breach notification and reporting
- Privacy
- More, lots more (cyber and privacy is a niche but what I spend a lot of time on). See my introduction to law outline.
Examples of external rules include:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- A multitude of other state data breach notification, cybersecurity, and privacy requirements
- The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices which gives them some authority over privacy and cybersecurity
- The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), imposing privacy and cybersecurity requirements on the health sector
- The Gramm-Leach-Bliley Act (GLBA) imposing privacy and cybersecurity requirements on the financial sector
- Contracts with other businesses and your insurance provider.
Conclusion
Businesses need to understand external rules to comply with them, draft appropriate internal rules, and accomplish their mission.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
Additional reading
This article was originally published on my website at https://johnbandler.com/external-rules/ where I also include links for additional reading, and it may be more current and with improved formatting.
Copyright John Bandler all rights reserved.
Posted to Medium on 12/03/2022 based on my earlier article on my website. Last updated here on 12/03/2022.
