Ten steps to planning for disaster

Guidance and Ethics

A disaster or emergency can happen to any firm, at any time, and without warning. If it does, you and your firm may need to adapt quickly to ensure the firm survives. Solicitors have a professional, ethical, and regulatory obligation to take reasonable measures to safeguard property and money they hold for clients or third parties, to prepare for business interruption, and to keep clients informed about how to contact them (see chapter 9 of the Solicitor’s Guide to Professional Conduct).

How your firm reacts and adapts to a disaster or emergency can mean the difference between resuming work with some continuity, without leaving your clients stranded, and, in the worst case, closing the firm. Being unprepared can also leave your firm’s staff, clients, and data exposed, including to breaches of confidentiality, non-compliance with GDPR, or claims of professional negligence.

1) Carry out an inventory

You should always know exactly what your firm has on hand, so that anyone following your plan knows what needs to be recovered or replaced. You should consider including the following in your inventory:

    • Software – list every piece of software your firm uses. How many licences do you have? Record how access is managed, and keep passwords and credentials in an encrypted store such as a password manager, not in the inventory document itself.
    • Hardware – how many computers, servers, or other pieces of physical hardware does your firm have, and where are they located?
    • Client files – keep a list of all client files (digital and physical) so that, should a disaster occur, they can be recovered.
    • Locations – note where everything is held. Include cloud and physical storage, encrypted backups, and remote-access arrangements, ensuring compliance with confidentiality obligations and GDPR.

2) Do a risk assessment

Carry out a risk assessment covering everything in your inventory. Identify the likelihood and impact of each risk and the ways it can be mitigated. This should include cyber-risks, data loss, fraud exposure, reputational damage, and regulatory breaches, in addition to physical risks such as fire or flood. Consider asking your insurance broker whether additional insurance products are available that suit your own firm.

3) Identify and group critical services, systems, and data 

For example, if client data is held on a single server, or has no backup, it should be treated as critical. Items that are easily replaced or securely backed up may be considered lower risk, but ensure ongoing compliance with confidentiality obligations (see chapter 4 of the Solicitor’s Guide to Professional Conduct).

4) Identify supporting tools 

Do you back up your data? How often? Where are the backups held (consider whether at least one copy is kept in a separate, secure location)? Document your current backup and IT arrangements and highlight any gaps that could expose client information or threaten the firm’s continuity. Use automation where appropriate to reduce human error, and contract only with reputable, GDPR-compliant providers. Consider outsourcing critical functions such as data hosting and IT recovery, provided the contracts address GDPR compliance, confidentiality, liability, and professional indemnity risks.
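One way to turn the questions above (how often, where, encrypted or not, and whether a restore has ever been proven) into a repeatable check is a short script run over the firm’s own record of backup jobs. The following is an added example, not part of the Law Society guidance or any vendor’s tool; the inventory fields, the sample jobs, and the thresholds (a backup is stale at twice its scheduled interval, a restore must have been tested within 180 days, and every data set needs a copy away from the primary office) are assumptions for illustration and should be set from your own risk assessment.

```python
"""Backup-gap audit over a constructed inventory of backup jobs.

Added example (not the Law Society's own code). Each BackupJob describes one
copy of one data set; the audit flags the gaps step 4 asks you to document:
stale copies, unencrypted copies, copies never restore-tested, and data sets
with no copy outside the primary office.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class BackupJob:
    dataset: str                        # what is backed up (assumed field name)
    location: str                       # "onsite", "offsite" or "cloud" (assumed values)
    encrypted: bool
    last_success: datetime              # when this copy was last written successfully
    last_restore_test: Optional[datetime]  # None if a restore has never been proven
    interval_hours: int                 # how often the job is scheduled to run


# Policy thresholds: assumptions for illustration, set them from your risk assessment.
MAX_AGE_FACTOR = 2            # a copy older than 2x its interval is stale
RESTORE_TEST_MAX_DAYS = 180   # restore must be proven at least twice a year
PRIMARY_SITE = "onsite"       # copies only here do not survive a fire or flood

Finding = Tuple[str, str, str]  # (dataset, gap type, detail)


def audit(jobs: List[BackupJob], now: datetime) -> List[Finding]:
    """Return every gap found; an empty list means no gap under the policy."""
    findings: List[Finding] = []
    for j in jobs:
        age = now - j.last_success
        if age > timedelta(hours=j.interval_hours * MAX_AGE_FACTOR):
            findings.append((j.dataset, "stale",
                             f"{j.location} copy last succeeded {age.days} days ago"))
        if not j.encrypted:
            findings.append((j.dataset, "unencrypted",
                             f"{j.location} copy holds client data in the clear"))
        if (j.last_restore_test is None
                or now - j.last_restore_test > timedelta(days=RESTORE_TEST_MAX_DAYS)):
            findings.append((j.dataset, "untested",
                             f"{j.location} copy has no restore test in {RESTORE_TEST_MAX_DAYS} days"))

    # Location is checked per data set, not per job: it is fine for one copy to be
    # onsite as long as another copy of the same data set is elsewhere.
    locations = {}
    for j in jobs:
        locations.setdefault(j.dataset, set()).add(j.location)
    for dataset, locs in locations.items():
        if locs <= {PRIMARY_SITE}:
            findings.append((dataset, "single-site",
                             "no copy outside the primary office"))
    return findings


# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_JOBS = [
    # Client files: nightly onsite copy plus a nightly cloud copy, both tested recently.
    BackupJob("client-files", "onsite", True, NOW - timedelta(hours=12), NOW - timedelta(days=30), 24),
    BackupJob("client-files", "cloud", True, NOW - timedelta(hours=12), NOW - timedelta(days=30), 24),
    # Accounts: one unencrypted onsite copy, last run 10 days ago, never restore-tested.
    BackupJob("accounts", "onsite", False, NOW - timedelta(days=10), None, 24),
    # Email archive: weekly cloud copy, current, but restore last tested over a year ago.
    BackupJob("email-archive", "cloud", True, NOW - timedelta(days=1), NOW - timedelta(days=400), 168),
]


def report(jobs: List[BackupJob], now: datetime) -> List[str]:
    """Human-readable lines, one per finding, for pasting into the written plan."""
    return [f"{dataset}: {kind} - {detail}" for dataset, kind, detail in audit(jobs, now)]


if __name__ == "__main__":
    for line in report(SAMPLE_JOBS, NOW):
        print(line)
```

Run against the sample, the script clears the client files, flags the accounts backup four times (stale, unencrypted, untested, and single-site), and flags the email archive only for its overdue restore test. The point of writing the check down is that the inventory, the thresholds, and the gaps all end up in one place a deputy can re-run after a staff change or office move.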

5) Assign responsible individuals

Nominate specific individuals to take responsibility for the plan and its procedures in the event of a disaster or emergency. Your response team, and everyone else involved, should know in advance what their assigned roles and responsibilities are. For example, who is responsible for client communication? Identify the service providers who will need to be contacted. Ensure that the plan is stored securely and is accessible to the designated individuals. Ensure that nominated successors or substitutes have been informed, have agreed to act, and have been adequately briefed (and, where necessary, trained) in line with the firm’s disaster-planning requirements.

6) Determine how to handle sensitive information

Document clear procedures for protecting and recovering essential records (such as employment, financial, and client files) while maintaining confidentiality, privilege, and GDPR compliance.

7) Communications plan

Prepare a written communications plan for use in emergencies. It should specify the approved means of communication (for example, phone, email, secure messaging, video-conferencing); how and when essential personnel, service providers, and clients will be contacted; and who is responsible for each contact. Ensure communications are transparent, accurate, and in line with your professional duty of honesty.

8) Test and review the plan

Periodically test and regularly review your disaster plan to ensure all staff know their roles and that it reflects changes such as staff turnover, hybrid working arrangements, or office moves. Carry out walkthroughs or simulations (for example, cyber-attack, sudden illness, natural disaster) to identify weaknesses, document lessons learned, and provide refresher training.

9) Finance

Try to maintain a buffer to cover unexpected expenses that may occur. This might not always be possible, and will vary from firm to firm. Review the details of your professional indemnity insurance (PII) coverage annually and ensure that the details of insurers are accessible in an emergency. Consider whether additional business interruption insurance or cyber-insurance would be appropriate.

10) Do not panic – ask for help

Emergency situations can be very stressful. An already stressful situation can be made much worse when you don’t keep your cool. Reach out to colleagues, mentors, the Consult a Colleague helpline, or Law Society resources for assistance. Colleagues often have valuable experience in managing crises and can help minimise disruption. You may also access confidential support through the Law Society’s Psychological Services Hub or LegalMind.