Thoughts from Office 2.0: Do-it-yourself compliance

How do companies that market to SMBs, and are themselves SMBs, deal with legal issues? One of the frequent complaints I get from my clients is that legal compliance is expensive. A host who charges $9.99 per month for a shared account has a hard time justifying some of the expenses associated with ironclad legal compliance. Indeed, for many companies, a request for certification that they are PCI compliant is rejected simply because the company doesn't have the resources to create a document that states that they are compliant but doesn't expose them to liability. One way of dealing with this issue is by providing information to your customers and letting them make their own decision: "do-it-yourself" compliance.

This is one of the ways that Central Desktop keeps its compliance expenses down. Central Desktop is an online collaboration vendor targeting the SMB market. Like many companies, Central Desktop receives compliance requests on a pretty regular basis. The company's CEO, Isaac Garcia, said that these come in to Central Desktop about four or five times per month. They usually take the form of requests for the company's disaster recovery plan and security procedures. Hosts and other internet infrastructure providers regularly receive similar requests.

One of the ways that Central Desktop responds to these requests is to publish a white paper describing its security procedures. In addition to providing reassurance to customers, Central Desktop's white paper serves to point out the differences between Central Desktop and its competitors.

Companies walk a fine line when they use white papers in this way. On one hand, they are an effective technique to push compliance back to customers: customers now have the information to determine whether you are compliant or not, and can make that determination themselves. This avoids your having to go through the time and expense of demonstrating compliance, or, more likely, having to make contractual representations and warranties. However, it's possible that your customers will interpret these documents as representations, or worse, as warranties. After a security breach, I can certainly imagine a "nasty gram" from a lawyer quoting statements about security procedures from your white paper, alleging that his client relied on those statements, and threatening to take action based on your breach of them.

While I'm a big fan of pushing compliance down to customers, how do you draft these documents so that that is the result? The key, in my mind, is drafting white papers as white papers, rather than as marketing documents or as documents designed to sidestep issues you don't want to contractually obligate yourself to do. Doing this means you should think of white papers as primary research documents: they should set out facts, but not draw conclusions from them. The conclusions need to be drawn by the readers. In addition, while marketing can have a hand in drafting them, they should not simply be marketing pieces. Typical marketing documents aren't as effective at encouraging do-it-yourself compliance, and, in many cases, are easily misconstrued.

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance. A long-time WHIR contribut...


Comment by Anonymous on Wednesday, September 12, 2007

Yes, PCI compliance is expensive for Web hosts. An on-site audit is typically $10,000+ per year. To be listed as PCI compliant by Visa and/or MasterCard costs even more money. And, of course, the improvements in equipment, software, and security procedures required to become compliant, and the regular upgrades required to stay compliant, make PCI compliance too costly for most Web hosts.

As PCI compliance continues to be enforced, it appears Web hosts will split into two tiers: non-e-commerce enabled and PCI compliant providers specifically catering to e-commerce requirements.

Comment by Anonymous on Monday, January 07, 2008

5pm (www.5pmweb.com) is another tool for managing projects and collaborating teams through a web browser. It was just recently released and its advanced interface reflects that. Also check the Timeline view.

Comment by Anonymous on Saturday, April 05, 2008

Projjex.com is a great new site that does a fabulous job of collaboration. It's completely browser-based, really easy to use, and has a free version. Cool videos too - I love it!
