How do companies that market to SMBs, and are themselves SMBs, deal with legal issues? One of the frequent complaints I get from my clients is that legal compliance is expensive. A host who charges $9.99 per month for a shared account has a hard time justifying some of the expenses associated with ironclad legal compliance. Indeed, for many companies, a request for certification that they are PCI compliant is rejected simply because the company doesn’t have the resources to create a document that states that they are compliant but doesn’t expose them to liability.
One way of dealing with this issue is by providing information to your customers and letting them make their own decision: “do-it-yourself” compliance. This is one of the ways that Central Desktop keeps its compliance expenses down. Central Desktop is an online collaboration vendor targeting the SMB market. Like many companies, Central Desktop receives compliance requests on a pretty regular basis. The company’s CEO, Isaac Garcia, said that these come in to Central Desktop about four or five times per month. They usually take the form of requests for the company’s disaster recovery plan and security procedures. Hosts and other internet infrastructure providers regularly receive similar requests.
One of the ways that Central Desktop responds to these requests is to publish a white paper describing its security procedures. In addition to providing reassurance to customers, Central Desktop’s white paper serves to point out the differences between Central Desktop and its competitors.
Companies walk a fine line when they use white papers in this way. On one hand, they are an effective technique to push compliance back to customers: customers now have the information to determine whether you are compliant or not, and can make that determination themselves. This avoids your having to go through the time and expense of demonstrating compliance, or, more likely, having to make contractual representations and warranties. However, it’s possible that your customers will interpret these documents as representations, or worse, as warranties. After a security breach, I can certainly imagine a “nastygram” from a lawyer quoting statements about security procedures from your white paper, alleging that his client relied on the statements, and threatening to take action based on your breach of them.
While I’m a big fan of pushing compliance down to customers, how do you draft these documents so that’s the result? The key in my mind is drafting white papers as white papers – rather than as marketing documents, or as documents designed to sidestep issues you don’t want to contractually obligate yourself to do. Doing this means you should think of white papers as primary research documents: they should set out facts, but not draw conclusions about them. The conclusions need to be drawn by the readers. In addition, while marketing can have a hand in drafting them, they should not simply be marketing pieces. Typical marketing documents aren’t as effective at encouraging do-it-yourself compliance, and, in many cases, are easily misconstrued.











