Reputation Management: Protecting law firm data and reputation: A guide to cybercrime mitigation, Part III

By Gina F. Rubel

This is the third in a series on the basics that law firm leaders must know about cybercrime.

A comprehensive, well-developed incident response plan (IRP) developed with risk assessments that identify potential threats and catalog and prioritize an organization’s assets is critical to a firm’s cyber defense system.

IRPs address the firm’s specific needs, vulnerabilities, and operational environment, and are not one-size-fits-all. IRPs should align with the firm’s key clients and stakeholders, the industries the firm serves as well as local and federal regulatory guidelines. It is essential to define thresholds for escalating incidents to ensure swift and appropriate action when breaches occur.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published the basics of an effective IRP. Key advice includes meeting your CISA regional team, local FBI representatives, and police, before a cyber incident occurs. Print out their contact information and keep it with a hard copy of your IRP in a secure location. Research conducted by IBM shows that 37% of organizations that did not involve law enforcement in a ransomware attack led to higher costs and experienced a 33-day longer breach lifecycle.

During an incident, your internal email, chat, and document storage services may be down or inaccessible. Your IRP should include a data recovery process, ensuring that critical systems and data can be restored quickly and securely after an attack.

Your IRP should also define clear roles and responsibilities within the firm. A typical incident response team (IRT) includes members from IT, legal, HR, communications, outside counsel, and senior management.

Creating an IRP and identifying an incident response team are not enough. Regular drills and tabletop exercises with your response team and other stakeholders are essential to ensure that the response plan is workable and that response team members understand their roles in a real-world scenario. Practicing under realistic conditions ensures the IRT can execute the plan efficiently, minimizing confusion during an actual incident. This preparedness helps mitigate potential damage, reduce downtime, and manage reputational damage. According to the IBM research cited above, organizations with robust IRPs and testing saved $1.49 million compared to those which did not.

Communicating during a cyber incident

Once an attack is detected, firms must immediately activate their IRP. The response team needs to gather facts, assess the extent of the breach, and contain the incident to prevent further damage. Initial internal communication should alert relevant departments and halt any operations that may exacerbate the breach, such as shutting down affected systems.

Immediate response

Effective communication is crucial during the initial hours and days following a cybersecurity breach. All communication should be directed through the previously designated incident commander, per the IRP. Whether you manage crisis communications in-house or work with an outside agency, a well-structured communication strategy is vital to ensure smooth internal and external communication during a crisis. Accurate and timely communication with external entities, including insurance providers, IT partners, third-party service providers, clients, and law enforcement, is essential to resolving the matter with professionalism and without penalties. While the SEC on July 26, 2024, adopted new rules requiring public companies to disclose cybersecurity incidents, most analysts agree private firms should also follow the same guidance.

Internal communication

Keeping employees informed and engaged through official communication channels, like email or internal messaging platforms, is essential during a cyber incident. It is important to provide clear instructions to avoid misinformation. Employees can help mitigate the damage by following specific security protocols and reporting suspicious activity. Frequent updates from firm leadership can help maintain morale and reduce anxiety among staff, ensuring that everyone understands their roles in the response and recovery process.

External communication

Managing external communication involves even greater planning. Maintaining solid relationships with insurance providers, outside counsel, the media, and clients will help to control public perception. But this is not to say that firms should necessarily alert the media immediately. Your plan will dictate your communication tactics. However, positive relationships go a long way toward mitigating further damage.

According to your plan and your insurance provider, clients and others affected by the breach will need to be notified as soon as possible with clear, transparent information about what happened, how it impacts them, and what steps the law firm is taking to resolve the issue. Efforts should focus on transparency, addressing concerns openly while avoiding technical jargon that could confuse or alienate those affected. Coordination with the firm’s internal general counsel and outside counsel is essential to ensure any internal or external communication follows firm messaging guidelines and complies with insurance, professional responsibility, and regulatory requirements, minimizing potential liability.

Transparency

Balancing transparency with protecting sensitive information is fundamental to successful crisis communications. Law firms should aim to disclose what they know promptly and truthfully, without revealing information that could aid attackers in further compromising security or negatively impacting clients and others. Clear, consistent messaging reassures stakeholders while maintaining trust.

Rebuilding and maintaining reputation after a cyber incident

Post-incident review

After a security incident, rebuilding your firm’s reputation begins with a thorough post-incident review. By analyzing the breach and determining what went wrong, law firms can identify vulnerabilities and understand how attackers accessed sensitive data. In addition to assessing the IRP’s effectiveness, by acknowledging areas for improvement and taking responsibility, the firm demonstrates to stakeholders and clients that it is taking a proactive approach, setting the stage for rebuilding trust.

Strengthening security posture

To prevent future incidents, it is essential to implement lessons learned from the breach. Among the steps to strengthen a firm’s security posture are conducting regular security audits and vulnerability assessments to help ensure that new defenses are holding up against evolving threats. Training staff on cybersecurity best practices and reinforcing policies like password management, phishing awareness, and response protocols also play a critical role in fortifying the organization’s defenses.

Reassuring clients and stakeholders

Demonstrating a strong commitment to cybersecurity and transparency is key to restoring stakeholder confidence. Clients and stakeholders need reassurance that the organization is taking appropriate measures to protect their data. Openly communicating about the enhanced security steps helps rebuild damaged relationships. Prompt and candid responses to any follow-up inquiries are also crucial.

Ongoing communication strategy

Maintaining a transparent, ongoing communication strategy is essential for reinforcing trust in the long term. Keeping clients, employees, and the public informed about security improvements and initiatives shows continuous commitment. This can be achieved through regular updates via newsletters, press releases, or company blogs that detail new security measures, certifications, and advancements, demonstrating an organization’s proactive stance in safeguarding data and mitigating future risks.

 

Gina Rubel is the CEO and general counsel of Furia Rubel Communications. She educates professionals on devising and implementing strategic communications plans to manage their reputation, develop and attract top talent, and drive business success. She is the host of On Record PR. Gina can be reached on LinkedIn at https://www.linkedin.com/in/ginafuriarubel/.