The lawyer in the post-crisis period
Today, we offer you the third and final article dedicated to the legal function in crisis management.
The two previous articles described the operational role of the lawyer within the crisis unit and the specificities of legal qualification in digital matters.
This third installment is devoted to the essential role of lawyers in the crisis recovery phase, whether the crisis is of cyber origin or not.
Advisory work on cross-cutting themes, in particular litigation procedures, information for managers, improvement of legal procedures and awareness-raising among internal employees, places lawyers at the heart of the post-crisis period.

The lawyer is in charge of legal proceedings
In the post-crisis period, the lawyer must carry out certain actions diligently, particularly those of a judicial nature. In some organizations, for example, the lawyer is responsible for ensuring that complaints are filed.
If necessary, the lawyer will contact the police, the gendarmerie or the public prosecutor. The purpose of filing a complaint is to take legal action to have an offence recognised, if there is an offence.
In addition, it is necessary to file a complaint in order to initiate certain actions for compensation (damage suffered, insurance, etc.). It is also necessary to file a complaint in order to combat cybercrime, which is encouraged by colossal gains and a form of impunity.
Regarding cyberattacks, once the complaint has been filed, the case could be referred to the Paris prosecutor’s office and in particular to its section specialized in cybercrime (J3), which has jurisdiction in four cases, particularly when the modus operandi is complex and technical.
In short, the lawyer acts here as a genuine expert who makes his knowledge of litigation available to all employees and to the organization.
The lawyer enlightens the managers
At the end of the acute crisis phase, managers may be confronted with certain thorny subjects, on which the lawyer will have an advisory role. The lawyer will provide managers with a legal analysis of the situation, to enable them to make informed decisions within a known and mastered legal framework.
Let’s assume that a company suffers a data breach. The lawyer must then inform the manager of the organization’s possible criminal liability, the penalties incurred and the procedures to be followed. The manager will also be able to get advice on the strategy to adopt to manage this situation.
This support and advice will also continue at the company level through the feedback process, in which the lawyer plays a full part.
The lawyer optimizes in-house legal procedures
Once the crisis has come to an end, the feedback (RETEX), an essential step in the exit from the crisis, will allow the lawyer to:
- Analyse how existing procedures were applied and complied with,
- Identify any gaps in procedures or roles and address them, as appropriate.
This will involve, for example, verifying the reporting procedures in the event of a personal data breach under the GDPR (in his capacity as DPO – Personal Data Protection Officer or in collaboration with the DPO): Have the deadlines been respected? Has the report been properly documented? In the absence of GDPR procedures, the lawyer/DPO will be able to manage their establishment and drafting.
The RETEX is also an opportunity, if it has not already been done, to list all the contractual commitments of the structure, in particular those that must be honoured even in times of crisis. Think, for example, of contractual commitments that transform simple obligations of means into obligations of results. This is the case with the Service Level Agreement (SLA).
This step of the RETEX must also ensure the organization’s compliance with the regulations in force, whether it is the regulations specific to its sector or the obligations incumbent on any organization (GDPR for example).
In particular, it may lead to the identification of a Personal Data Protection Officer (if this function had not yet been assigned), to the drafting of a reflex sheet relating to a suspected personal data breach and/or to the creation of a crisis directory specific to the legal aspect (CNIL contacts, specialised lawyers, etc.).
To be effective, this compliance must necessarily be accompanied by the development of a real culture of compliance within the organization, led by the lawyer.
The lawyer raises employees’ awareness of the law
At the end of the crisis, the lawyer who implements new legal procedures will have to warn, enlighten and therefore raise awareness of the importance of these procedures. For example, the lawyer will have to explain why identifying a Personal Data Protection Officer (DPO) is mandatory for some companies and strongly recommended for others. It is important to note that this function can be outsourced.
This awareness will be achieved through the creation of a culture of compliance that stems directly from a dialogue between the lawyer, human resources and all internal employees.
Ultimately, this will allow, for example, the role of the DPO to be known not only to the lawyer but also to all employees.
In short, in crisis management, the legal function is a real strategic asset. Neglecting it could be a serious loss for your organization.