Law360 (July 27, 2020, 5:39 PM EDT) -- In this edition of Coronavirus Q&A, Elisa D'Amico and Desiree Moore, the leaders of the digital crisis planning and response team at K&L Gates LLP, talk about helping clients navigate the increased security risks that come with an all-remote workforce and how the pandemic has made disaster plans a priority.
This interview has been edited for length and clarity.
The line between work and home is blurred. How are companies addressing this and how are you advising companies to address it?
D'Amico: We have both a proactive and a reactive function. The proactive function is where we, before a crisis, ideally would counsel a company on the correct policies to put in place a crisis procedure, running through that program to make sure that it fits and it always fits, because crisis response is dynamic. It's never static from year to year.
It's making sure that the people on the ground know what to do and who to contact. Much like, at any business, you've got people trained in CPR, they need to know where the defib is, right? Those are the people you call in. And so who do you call in to defib the company when it needs to get done?
What we deal with mostly, though, is the reactive function because usually we get called after stuff hits the fan and not before. And so what we'll do is come in and triage. For a lot of companies that haven't been with us for those sort of proactive counseling, it's a lot of immediate damage control. And then we sort of cycle back to how do we prevent this in the future and how do we deal with it on a bigger scale. A lot of it started small, whether it's one employee that's problematic or a former employee or one particular issue, like Zoom bombing, that type of thing. That's an immediate crisis that we have to respond to. And then we'll step back and walk it back and say, 'OK, how do we prevent this from happening in the future?'
Moore: In the wake of COVID, we've seen a lot more crisis management versus proactive, simply because companies are in crisis mode. And this is a novel crisis. This is not something that most companies are prepared for, even where we have seen global pandemic plans. But I think when a crisis feels remote, the company isn't necessarily trained up on the plan, and a plan is only as good as the training that you have on it. Some of our larger clients have thought about this, but they've contemplated it in a way that I don't think caught up to the reality. So we have put out fires again and again in the wake of COVID.
We also see a lot more social media activity, and that's a large part of the work that we do as well. If somebody is posting false or defamatory or infringing content in an online platform and it impacts the company in some way, we are there to address that fire and put it out, and we just see it a lot more readily in the face of working from home. Employees are disgruntled or afraid, confused or highly opinionated as it concerns social matters. So those are the kinds of things we've seen and that we've seen companies react to in the aftermath, rather than planned for, in the wake of COVID.
D'Amico: Our firm put together a COVID task force pretty swiftly. And of course we're part of that crisis response. A lot of the crises just wind up touching the internet in some form. A lot of times what happens is there's a crisis and everyone's talking about it on social media, particularly now because people have, I don't know if it's more free time or just more time trying to get away hiding in the car or in the pantry. There's a lot more online activity. And then companies are dealing with bigger issues relating to COVID. Some of the platforms have changed their advertising rules with what companies are permitted to advertise about. Everything is really changing day to day. I don't think anything has been static for the past few months.
Can you give examples of crises you've had to deal with caused by the pandemic? What businesses have been hit with digital crises during this pandemic and what kinds of crises exactly?
Moore: I've done a lot of work for nursing homes specifically. We prepare holding statements that anticipate crises that might arise. And it's such a perfect example of the way that our legal work combines with crisis communications because in each of those communications, you have to take into account the regulations that apply to nursing homes. And these regulations are coming down daily and they're coming down at the federal level, at the state level, at the local level. We have to stay on top of those and communicate in a way that is useful to the audience — whether they are the patients or the nursing home employees — that also comports with regulatory requirements.
Clinical labs are also vulnerable for data breaches. We have a number of those pending. Anytime there's a distraction, we see an uptick in data breach[es], where there's a holiday or just sort of a typical distraction that the company may be diverting resources or energy or attention. Here, nothing more than a global pandemic and an economic downturn. So I think threat actors have recognized that clinical laboratories house and hold sensitive data, protectable health information that they can gain access to.
But another that comes to mind are C-suite and high-level departures from companies on the basis of potentially not having managed the company as expected, and shareholders are frustrated or the board is frustrated. So we handle those departures and a lot of them are high profile.
D'Amico: We represent a number of online intermediaries or marketplaces. The sale of pandemic-related materials, COVID-19 supplies, those sorts of sales have become an issue, where sellers are offering them at a very inflated price. Those platforms need to deal with lawsuits, class actions trying to hold them accountable for inflated sales, price gouging and that sort of thing. So dealing with that, working with the attorney general's offices for the types of issues that I just mentioned, with respect to prosecuting sellers.
One more would be classes going online and Zoom bombing, which has become a big deal. We're counseling universities and educational institutions on how to safely be online and avoid those types of issues.
If you have a confidential Zoom meeting, what do you advise companies to tell employees and others involved in this confidential meeting?
Moore: This is a widespread issue. It's hard to account for every nuance. If you're in your home, there's someone else who might overhear, right? Even if it's not nefarious or ill-intended, if information is sensitive, you must be in a place where no one else can hear. When those hearings were in person, that was easy to account for, but it's a lot harder when somebody is at a lake house shared with other guests. We've all had to, in real time, learn how to be safer and smarter about our digital interactions.
D'Amico: For one, I think you need to shut off your listening devices. People can be listening, but also devices. Obviously don't share an embedded link, keep the password to yourself, and we always recommend that there's someone managing that room. So using a waiting room. And this way if the meeting's being conducted and something happens, you don't have to have someone step away from the meeting to deal with the logistics of it. There's someone sitting there who can immediately remove that person, sort of like the bailiff in a courtroom hearing. We've had a lot of attorneys and clients who go to the car. And try to do the best you can to have other people out of the house. But I think the most important thing, for me, would be the password sharing and the listening devices more so than the humans.
Moore: The only thing I would add to that is that sometimes when it's contentious, and it's imperative that there isn't, for example, somebody coaching a witness in the room, we will ask or advise clients to ask that you stay in the room. So essentially pick up your computer or pick up your camera and show that you're the only person in the room. You wouldn't do that with colleagues you're talking to, but that's an effective and necessary thing to do in depositions, where you wouldn't want someone in the room giving answers to the witness or coaching the witness in some way.
D'Amico: Also being trained on the technology. If you have a meeting, where, for example, someone needs to share a document with the group, you better know how to use that feature of Zoom. Because otherwise, you might share a really confidential document that's on your desktop. I always get really worried when people take pictures and say, here's my work-from-home space. And you see all of the client materials or a screenshot that involves the computer. And you can see the tabs right there. Being mindful of what eyeballs are going to be there. For really important meetings, I've done test runs and test sharing of documents to make sure I'm sharing the right screen, so we recommend that for clients as well.
Obviously it's hard to plan for a once-every-100-years pandemic. But what are you telling companies now to plan for other unforeseen potential crises?
Moore: What we've seen is that in the wake of COVID, companies are much more inclined to now plan. Now everybody is acutely aware of this need to plan. And while you can't plan for the pandemic or the next iteration of a pandemic that we might have, you can plan for the related items. So in other words, a better work-from-home plan, a quicker transition plan, a plan that involves working from home from the outset. The planning that we're helping clients with has to do with how they will communicate to their employees about whether they will return to work at all or whether there's going to be some shift in the strategy in a more holistic way. So I think clients are inclined to plan for some of the items they've seen unfold that they weren't prepared to address in this round and planning for shareholder communications, for board communications. Things that might not have been top of mind before this are now really pronounced.
D'Amico: We're advising clients to take another look at insurance policies to the extent that they have not already and the commercial contracts that are used day to day, and also real estate contracts. You have to think of it as disaster planning that, whether it's digital or not, it's going to touch the internet in some way. It's similar to a hurricane or earthquake or some other disaster situation.
Moore: You have a crisis-planning narrative and then you pivot depending on what it looks like. We can't predict what might be coming down the line, but we can certainly create plans that account for whatever might be next. And I think if clients are strong on their policies and procedures and plans, they're well-positioned. None of us are immune, but at least we're well-positioned or we come from a healthier place.
--Editing by Kelly Duncan.
For a reprint of this article, please contact firstname.lastname@example.org.