Posted by Jonathan Hemus from Insignia on behalf of Legal Futures Associate tmgroup [1]
Hemus: focus on retaining clients’ trust
With cyber-crime making the headlines more and more frequently, it is becoming increasingly important that law firms of all sizes understand how to handle such a situation professionally and keep their reputation intact.
Here are some steps any law firm can take to help ensure that a cyber-attack or data breach doesn’t cost them their client base.
The focus must be on fixing the problem and retaining your clients’ trust
The key to surviving a cyber-attack with your reputation intact is in what you do beforehand – in planning, thinking, training and rehearsal – as delivering a slow, haphazard, confused, overly legalistic or contradictory response will only exacerbate the situation.
Your plan needs to focus on two key areas: fixing the problem as quickly as possible, and retaining the trust of stakeholders and clients whose information may have been compromised.
Discuss what ‘worst-case scenario’ means to your firm
When creating your plan, a good starting point is to sit down with your senior team and conduct a cyber reputational risk analysis. In essence, decide what your worst-case scenario looks like.
Every law firm will have a different view of what this is. You need to understand what this scenario is to be able to recognise when it is happening – and, just as importantly, when it isn’t happening.
This will help everyone to understand the magnitude of a situation, should something arise, and respond accordingly.
Create a cyber incident response plan for these different situations
In a high-pressured situation, you don’t want to be making snap judgements, as this could lead to mistakes from which it could be difficult to recover.
Set aside time to work through some of your worst-case scenarios, and discuss what decisions will be needed and who will be responsible for making them.
You should also make a list of the different phone numbers you will need. This list should include nominated individuals who will ‘take the helm’ of the situation, as well as the people whose advice, support and technical services you will require to get your operation back up and running.
Having all of this information readily available will help ensure you are contacting the right people as quickly as possible, removing any unnecessary stress and delay.
Decide how and when you are going to communicate with those affected
Don’t make the mistake of thinking you can hide your breach from your clients; they have a right to know that their data has been compromised. It is also far better your clients hear the news directly from you, than to find out through a third party, rumour or through the media.
When communicating the news to your clients, it is best to adopt a personal approach. For example, if only a small number of clients have been affected, it is in your firm’s interests for a senior individual to phone them.
However, if hundreds of clients have been affected, you will need to adopt a speedier and more realistic approach, for example sending out an e-mail explaining what has happened and what they need to do next.
As part of your planning process, it can help to put together an e-mail template which can be quickly edited and sent out in the event of a cyber-attack. You should also write some guidelines on how quickly you will be prepared to talk to clients, looking at possible triggers, and the pros and cons of sending out various communications.
Have a back-up communication plan for if your systems are still compromised
You also need to think about how you would communicate if your systems were still compromised, for example if you can’t send out an e-mail or display a message on your website because your systems have been taken down.
In such a situation, could you relay the message via phone or Facebook?
Be prepared for the media to get in touch
Once you have communicated the news to your clients, you need to be prepared for the media to get in touch. Remember, e-mails can be forwarded!
It is wise to nominate two or three individuals in advance who are prepared to step forward, to avoid your one point of contact being on holiday when a situation occurs.
It is equally important that your nominees have media training, as they may have to answer questions when they only have access to limited information, but will still need to reassure everyone and communicate effectively.