Reports that Appleby’s office in the Isle of Man may have been hacked in the Paradise Papers scandal, in addition to the firm’s office in Bermuda, will no doubt have sent shivers down the spines of various law firms, family offices and wealth managers based in the Channel Islands. Offshore centres like Bermuda, the Cayman Islands and the BVI may all be fair game when it comes to the drive for transparency of the tax affairs of multinationals and the mega-rich, but the risk of data-attack closer to home is somewhat scarier.
For any firms concerned they may be vulnerable to data-breach, it is essential not only to prepare IT-wise, by working with your IT advisors to ensure encryption of sensitive documents and bolster your defences and by educating all staff on appropriate email and internet use, but also to have a communications crisis plan in place in case the worst happens.
Bell Yard’s top communications tips for being ready for dreaded data-breach situations include:
1. Have a multi-disciplinary team of experts ready to mobilise in the event of a hack. PRs, lawyers, compliance and IT professionals will need to work in concert if a problem arises. The role of the PR expert is designed to avoid the firm hiding behind overly legalistic answers and to craft statements that will best resonate with the firm’s key audiences.
2. Be factual at the outset when confirming any attack and what is being done about it (e.g. are the police/NCA investigating?). Ensure all media and public calls are dealt with by a tight-knit team. It is best to avoid commenting on individual clients’ affairs or being drawn into speculation on the perpetrator.
3. Communicate with clients as swiftly as possible, directly and not just through the media. Website FAQs may not be the best way to go for HNW customers. Consider instead personal calls from the lead partner. It will be necessary to warn clients their financial data may end up in journalists’ hands and possibly you may need to recommend they use defamation and privacy lawyers too.
4. Don’t overplay the victim card: clients and the media will have little sympathy that IT systems weren’t sufficiently robust to keep hackers out, especially at a time when the public mood on tax transparency regards HNW financial data booty as in the public interest.
5. Have a generic statement ready about the legitimacy and strength of your business to which you can add the context of the hack.
6. Early, proactive engagement with your firm’s regulatory and professional bodies (such as the FCA, SRA and ICO) is imperative, and their breach guidelines should be followed. It may be appropriate to publicly demonstrate such engagement as a way of showing swift action and efforts to control the fall-out.
7. Keep updating your public responses as the situation evolves, and ensure messages are consistent between recipients.
How your firm handles a crisis and re-establishes control will likely determine how quickly your reputation recovers. A defensive no-comment stance is unrealistic, even in a climate where you feel you can only be criticised. There is a tricky tightrope to walk between the right level of humility and robustness to emerge as unscathed as possible and to protect clients’ best interests. The key will be focusing on what your clients expect from you, in order to retain their support. Clearly the risk of follow-on litigation could be present, so aim to move forward with clients on board.
Bell Yard has worked on various breach situations both in a front-line capacity and by guiding behind the scenes. We also have experience of working with clients in the Channel Islands.