Zach Olsen, Infinite Global. (Courtesy photo)

This is the latest in a monthly series of The Marketing Department, where Legal Marketing Association members get candid about growing your practice and raising your profile. Check back in the months ahead for the latest developments in PR/communications, business development, client relations, technology and other areas.

There has been no shortage of attention paid to the staggering costs of data breaches to businesses. According to the Ponemon Institute, which analyzed data breach costs reported by 507 organizations across 16 geographies and 17 industries in 2019, the average cost of a breach in the United States rose to $8.19 million last year. This number far exceeds the worldwide average of $3.92 million, making the United States the absolute worst place on earth to suffer a data breach.

But if there is a silver lining, it's this: With systems and security constantly under attack, law firms and their clients have been forced to spend and innovate like never before to stay one step ahead of the threats they face in the 21st century.

We're talking not only about potential IT-related disasters, but the whole gamut of calamities that can inflict economic, legal and reputational damage to an organization caught off guard. For years lawyers have been preaching the need for their clients to be ready for a crisis and now finally they seem to be taking their own advice, shoring up their firm's defenses for whatever dark days might lie ahead.

It's a welcome development. As a crisis communications professional who works alongside lawyers providing counsel on crisis communications strategies—now with an increased focus on data breach response—I have been fortunate to witness this new awakening. It has made my job easier in many ways. 

Crisis Prep Is Better, but Not Where It Needs to Be

There have always been corporate crises, but the options backdating scandal of 2006 seemed to trigger a new appreciation for the havoc that crises can wreak and the need to be prepared for one. When it came to light that the prices of stock options were being manipulated to benefit their executive leadership teams, many corporations were not ready for the public scrutiny. Companies like Apple, Dell and Broadcom, which had enjoyed relatively favorable coverage from the news media, found themselves on the wrong end of a breaking news story. Their lack of preparation showed. 

Since that time, some things have changed for the better. While it didn't happen overnight, lawyers, insurers and risk managers have been increasingly working to anticipate rather than simply react to crises. Communications has rightly assumed a central role in that process.

Still, crisis preparation is not where it needs to be in many law firms. There is often a lack of clarity about what it really means to be "ready" for a crisis and what role communications should play. 

Why? Perhaps there is a psychological barrier preventing firm management committees from engaging in the required rigorous level of preparation it takes to truly be ready. After all, it's not much fun to imagine all the terrible things that can happen to an organization that you love. It can also be excruciating and exhausting to play out step-by-step scenarios of potential crises in order to know where the gaps in your preparation lie.

But this kind of painstaking work is more necessary than ever. It often takes decades, or even centuries, for a firm to earn a good reputation in an extremely competitive industry. That good name, and the faith and trust of its clients, is often only a badly handled crisis away from crumbling. And while it's certainly not possible for a firm to be 100% ready for every potential crisis, it is possible for an organization of any size to improve their preparations and eliminate or drastically reduce costly and unforced errors in their responses. 

Getting Real About Readiness

So, to be clear, here's what I believe readiness means: Performing a full-fledged risk assessment with the assistance of a team of professionals—legal, insurance, risk, communications, IT and HR, to name just a few—and building a usable incident response plan. This plan, when completed, can also be leveraged to perform a communications audit and build a customized communications plan that maps directly to the incident response plan. Having these conversations, and the plans that follow, will be of incredible help in a crisis, allowing your team to confidently execute the agreed-upon tactics without concern that something or someone is being missed.

Readiness also means playing out specific scenarios to simulate a crisis. These scenarios will prompt questions that can clarify the steps needed to be taken both ahead of time and in the moment. This is important because there likely won't be much time to react when a real crisis hits, and you can never know how a team will handle the stress of a crisis until you simulate one. 

In the event of an information security breach, for instance, some of the initial questions will likely be handled by the legal team with support from IT experts:

• What is the extent of the breach?
• How confident are we that information was accessed or exfiltrated?
• What are the legal reporting requirements?
• Should the insurance carrier be notified? 

But communications professionals will need to be ready from the get-go as well. They will have to answer a variety of questions, both tactical and logistical. For planning's sake, most of these questions are not limited to the case of a breach response; they're universally applicable to crisis communications: 

• Who are the internal and external audiences most affected by this event? 
• What can (and should) we say, if anything, based on the forensics report and likelihood of litigation?
• What is the most effective and efficient means (or combination of tactics) for communicating with each of our audiences—a town hall, press release, social media post, landing page, personal phone calls, notification letters?
• How are the various stakeholders accustomed to receiving information? 
• With what frequency and through which channels will communications staff receive updates on the situation so that a determination can be made to share those with key audiences?
• Is a spokesperson needed and if so, who is best suited based on the nature of the incident? 
• Are the proper tools in place to monitor news reports and social media commentary? 

If the crisis grows, the questions for your communications team may become more strategic than tactical:

• Who are our main media supporters and antagonists, and how can we leverage the former and neutralize the latter? 
• What, if any, historical context should we consider when communicating?
• How does our response compare to that of others who have had similar issues and handled them well?
• What can we do now to increase our chances of a speedy recovery from the reputational damage incurred?

Hardly anyone today needs to be convinced of the importance of crisis response preparation or the cost and reputational fallout from not responding effectively. The repeated headlines make the case. But it's still a long walk from being aware of a potential crisis to being truly ready for one. While it can be painful, the trek is worth it.

Zach Olsen is president of Infinite Global, where he leads the firm's San Francisco office and oversees the crisis response and reputation management group. His work includes helping organizations and individuals prepare for and respond to crises that threaten their reputations, brands and bottom lines. Clients turn to him for strategic counsel on internal and external communications campaigns, high-stakes litigation PR efforts and for his expertise assessing and responding to public-facing crises.

Read more:

In 2020, Resolve to Turn Over a Social Media Leaf

How I Learned To Stop Worrying and Love Metrics

Your Most Important Public Relations Habit: Getting Ahead of the News