How to Prepare to Defend Your Law Firm’s Reputation in the Event of a Cyber-Attack

With cyber-crime making the headlines more and more frequently, it is becoming increasingly important that law firms of all sizes understand how to handle such a situation professionally and keep their reputation intact.

Here are some steps any law firm can take to help ensure that a cyber-attack or data breach doesn’t cost them their client base.

The focus must be on fixing the problem and retaining your clients’ trust

The key to surviving a cyber-attack with your reputation intact is in what you do beforehand – in planning, thinking, training and rehearsal – as delivering a slow, haphazard, confused, overly legalistic or contradictory response will only exacerbate the situation.

Your plan needs to focus on 2 key areas:
1. Fixing the problem as quickly as possible
2. Retaining the trust of stakeholders and clients whose information may have been compromised

Discuss what “worst case scenario” means to your firm

When creating your plan, a good starting point is to sit down with your senior team and conduct a cyber reputational risk analysis: in essence, deciding what your “worst case scenario” looks like.

Every law firm will have a different view on what defines a “worst case scenario”. You need to understand what this scenario is to be able to recognise when it is happening – and (just as importantly) when it isn’t happening.

This will help everyone to understand the magnitude of a situation, should something arise, and respond accordingly.

Create a cyber incident response plan for these different situations

In a high-pressure situation, you don’t want to be making snap judgements, as this could lead to mistakes which could be difficult to recover from.

Set aside time to work through some of your “worst case scenarios”, and discuss what decisions will need to be made and who will be responsible for making them.

You should also make a list of the different phone numbers you will need. This list should include nominated individuals who will “take the helm” of the situation, as well as the people whose advice, support and technical services you will require to get your operation back up and running.

Having all of this information readily available will help ensure you are contacting the right people as quickly as possible, removing any unnecessary stress and delay.

Decide how and when you are going to communicate with those affected

Don’t make the mistake of thinking you can hide your breach from your clients; they have a right to know that their data has been compromised. It is also far better that your clients hear the news directly from your firm than find out through a third party, rumour or the media.

When communicating the news to your clients, it is best to adopt a personal approach. For example, if only a small number of clients have been affected, it is in your firm’s interests for a senior individual to phone them.

However, if hundreds of clients have been affected, you will need to adopt a speedier and more realistic approach. For example, you could send out an email explaining what has happened and what your clients need to do next.

As part of your planning process, it can help to put together an email template which can be quickly edited and sent out in the event of a cyber-attack. You should also write some guidelines on how quickly you will be prepared to talk to your clients, looking at possible triggers, and the pros and cons of sending out various communications.

Have a back-up communication plan for if your systems are still compromised

You also need to think about how you would communicate if your systems were still compromised.

For example, you may be unable to send out an email or display a message on your website because your systems have been taken down.

In such a situation, could you relay the message via phone or Facebook?

Be prepared for the media to get in touch

Once you have communicated the news to your clients, you need to be prepared for the media to get in touch. Remember, emails can be forwarded!

It is wise to nominate 2-3 individuals in advance who are prepared to step forward, to avoid your one point of contact being on holiday if a situation occurs.

It is equally important that your nominees have media training, as they may have to answer questions when they only have access to limited information, but will still need to reassure everyone and communicate effectively.

Brief your colleagues before going public

Before you communicate any news to your clients, you need to make sure you have briefed your internal staff first. (You can put a template briefing document together as part of your planning.)

This will help to ensure that anyone in meetings or taking phone calls is aware of the developing situation and is responding consistently, in line with the organisation’s key messages.

Your clients won’t expect you to be invincible – but they will expect a professional response

No one is immune to the threat of a cyber-attack, and as time goes on it will become almost inevitable that every law firm will experience some kind of data breach.

While it is unreasonable for a stakeholder or client to expect an organisation to be invincible, they will expect your law firm to demonstrate a well-considered and speedy response to correct the situation.

With thanks to Jonathan Hemus from Insignia (crisis management, training, planning & consultancy).
