In-house counsel has an essential role to play in ensuring companies' emergency response planning is conceived and executed well
The old saying that “failing to plan means planning to fail” is never more true than in corporate emergency response planning. Recent domestic and global events — such as the global COVID-19 pandemic, natural disasters, cyberattacks, infrastructure failures, and civil unrest — highlight the potential disruptive consequences of an emergency and the need for companies to be prepared well in advance of any emergency.
Given the legal and business continuity risks to their company, in-house counsel must have a central role in ensuring that their company (and, if necessary, the corporate law department) has an emergency or disaster recovery plan in place before an emergency arises. This plan must be flexible to cover any probable emergency that may arise.
Developing a company’s emergency response plan
In-house counsel typically serves on their company’s emergency response team and often have a significant role as a leader in creating their company’s emergency response plan, even though the law department may not be directly responsible for managing or owning the plan. In particular, in-house counsel is exceptionally situated to help prepare and provide feedback on the emergency response plan because of their knowledge, experience, and ability to identify red flags and analyze “what if” situations. For example, in-house counsel must apply their knowledge of applicable data privacy laws and determine the best course of action if there is a risk of a cyberattack that could compromise sensitive information stored by the company.
You can learn more on this topic at the upcoming panel, “Are You Prepared to Handle an Emergency?“, at the Association of Corporate Counsel’s 2021 Virtual Annual Meeting (10 a.m. to 11 a.m., EST on October 20, 2021).
A starting point in emergency response planning involves identifying the possible risks to the company. Planning must account for general risks and those risks specific to the company based on its geographical footprint, industry, and workforce. In addition to ensuring business continuity and minimizing risks, a company needs to consider critical questions, such as:
- Whether it should use a one-size-fits-all approach for all emergencies and company sites, or customize the plan to specific emergencies and sites?
- Who has access to the plan?
- When does the plan activate?
- Who will execute the plan in the event of an emergency?
- Who will the plan affect, both internally and externally?
- What critical functions, systems, and activities are central to the company?
- What external and internal resources exist for responding to an emergency?
- What actions should the company take as part of its post-emergency response?
- How should the company handle an emergency that may affect only part of the company?
As part of its planning, a company must also account for emergencies when all or part of its workforce already works remotely from different locations — a common occurrence resulting from the corporate response to the pandemic. Therefore, the emergency response plan must address information technology systems, security, and employee safety for a fully or partially remote workforce.
Once the company develops a plan, it should then inform the emergency response team. The company should also train key personnel and hold drills to test the plan.
Ensuring the law department’s preparedness
A company’s law department must have the ability to function during and in the aftermath of an emergency. Depending on the company, the law department may require its own emergency response plan. As a result, the law department should know the company’s emergency response plan and ensure consistency with the department’s own emergency response plan, if any.
The department should follow a similar approach to emergency response planning, consistent with the company’s overall planning. This includes assessing possible threats, determining overall preparedness, creating an emergency response team, drafting a written plan, conducting drills and training, and identifying post-emergency legal priorities (such as evaluating contractual obligations and notifying insurance carriers).
Among other impacts, an emergency may require the law department to take additional actions to preserve legal privileges, protect trade secrets, and maintain confidentiality of information. For example, the law department must continue to maintain the confidentiality of attorney-client privileged communications throughout any emergency.
Further, the risk of inadvertent disclosure and waiver rises when the law department or other company personnel work remotely. To help protect against the inadvertent waiver of the attorney-client privilege, the law department should adopt procedures and take appropriate proactive security measures if the emergency requires the law department or company personnel to function remotely.
Updating the emergency response plan
Finally, emergency response plans must be dynamic, rather than frozen in time. In-house counsel must work with their company to regularly review and update their existing emergency response plans. If an emergency occurs, a company should also consider conducting a post-emergency audit of the company’s actual response and address any deficiencies in the existing plans.
For example, a company should update its plan to reflect relevant organizational and other changes. This includes changes to key personnel, technology, the company’s office locations (or remote workforce), relevant laws (such as environmental standards), possible threats, and the organization’s culture.
While an emergency creates the potential for disrupting business operations and creating legal liability, a prepared company and its law department can minimize these risks. To ensure preparedness, in-house counsel must actively participate in the company’s emergency response planning and play a strong leadership role in its development, execution, and update.