chevron-down Created with Sketch Beta.

Litigation Journal

Summer 2021: Crisis

Legal Crisis Management in a Time of Crisis

James J Dragna and Randall Mark Levine



  • A true crisis is transformational.
  • It reveals and exploits the hidden weaknesses that persist under the surface of any organization.
  • Organizations that meet the challenge to change in response to a crisis can emerge on the other side stronger, more responsive, and more resilient.
  • To increase the likelihood of that happening, outside counsel should start preparing for the unexpected.


Legal Crisis Management in a Time of Crisis
teppakorn tongboonto via Getty Images

Jump to:

The global coronavirus pandemic has changed the way we work, recreate, and socialize. Dealing with the pandemic has put stress on organizational structures, employees, and management, and has made everyone question what the future looks like for their businesses. The pandemic is in very real terms a worldwide crisis, and the varied responses to it by governments and businesses are all exercises in extreme crisis management. Some organizations are succeeding, some are not, and all will be changed by the experience.

While the pandemic will pass, the risk to organizations of future crises will not. We can neither predict nor prevent crises born of accidents or scandals, but we can mitigate their impact by understanding how crisis scenarios play out, by learning from the mistakes and successes of others, and by planning ahead. In short, while crises cannot always be prevented, a crisis can be managed.

What Is a Crisis?

As an initial question, what do we mean by “crisis”? A crisis for a business or organization is any disruptive, unexpected event that threatens to harm the organization, its stakeholders, the environment, or the public. Most often the term “crisis” evokes environmental disasters, like a leak, an oil spill, a fire, or an explosion. But other crises can be similarly devastating. Think a compromise of customers’ confidential data, a C-suite scandal, a high-profile discrimination lawsuit, or the recall of a defective product. Any of these situations could have lasting effects on an organization. They can tarnish the organization’s reputation, limit operations, erode finances, or harm employees. All businesses and organizations—both private companies and government bodies—are susceptible to these kinds of crises.

Even worse, there is no rule that only one crisis can happen at a time. In fact, the opposite more often is true—crisis scenarios tend to cascade and build on each other. So, for example, a major weather event like a hurricane (the first crisis) can cause an industrial failure like a leak or a chemical fire at an industrial facility (the second crisis), which in turn can lead to legal peril, liability, and acute financial distress for the operator of the facility (the third crisis).

While the variations are limitless, all crisis scenarios are recognizable by their common threads. Most importantly, there is the initial impact or damage caused by the event, which is followed by a period of intense public visibility, scrutiny, and unwanted media attention. These days, social media drive public perception of a crisis and tend to amplify criticism.

There will be multiple investigations by state, local, and federal government agencies, and overlapping civil, criminal, shareholder, and insurance actions. Finally, there will be the inevitable political responses, often taking the form of legislative hearings, rushed amendments to administrative regulations, and even new legislation.

All the while, there are obligations to be met and businesses to be run. With experience in managing crises from the vantage point of outside counsel, we can point other lawyers and in-house attorneys to the typical demands of crises and how best to respond.

For starters, plan ahead and plan to be surprised. The first hours and days of a crisis are crucial. The pressure is high, facts are scarce, and the urge to do anything and everything to stem the tide is impossible to avoid. That is when mistakes are most often made—careless statements by management and employees, promises that can’t be fulfilled, ineffective technical responses, and factual errors. These mistakes can seem immaterial in the fog of calamity, but not so when presented later to a government investigator, an administrative hearing board, or a jury.

These risks can be mitigated by having a written crisis management plan in place before disaster strikes. For the plan to be effective, it requires backing by management, regular updates, and thorough employee training on key provisions.

Common plan provisions include, for example, the creation of a central emergency response team empowered to react immediately to different types of crises as they arise. Crisis management plans also typically provide for a control group and organizational structure to oversee the organization’s response over time. The plan should also have protocols in place for the collection of information and the management, preservation, and control of documents. Training is essential. Without it, a crisis management plan is just words on a page and of little use when needed most.

Crisis Training

What should that training look like? Conveying that there will be challenges for which there can be no preparation or experience is essential. The phrase “You can’t make this stuff up” is a common refrain during a disaster. Or, as Mike Tyson so aptly put it: “Everybody has a plan until they get punched in the mouth.” So it is important to be prepared to adapt and be nimble when your plan collides with the ever-changing facts of a real-world crisis.

That is not to say that crisis management planning is a waste of time. President Eisenhower summed it up this way: “In preparing for battle I have always found that plans are useless, but planning is indispensable. . . . [T]he very definition of ‘emergency’ is that it is unexpected, therefore it is not going to happen the way you are planning.” All in all, a business should undertake a comprehensive analysis of potential risks it faces and have plans in place to respond if a risk materializes. It is much easier to edit a plan on the fly than it is to create one from scratch while in the midst of an emergency.

The crisis management plan should include detailed steps for an immediate response to address a crisis. Among the most important components is ensuring that the right people can be put in the right place at the right time to expertly manage the response operations.

For example, an effective oil spill response plan must have current, correct vendor contact information and information about service contracts that have been put in place in advance for emergency response service providers. The service providers must be either local or able to get to the location of the crisis quickly. Even more important, the emergency response contractor must actually know in advance that it is “on call” in the event of an emergency so it has the necessary capacity held in reserve. When done correctly, a calm, professional, and expert response to a crisis scenario can cement a company’s technical credibility, both with the public at large and with government regulators on the scene.

Similarly, the plan must be relevant to the business’s operations and reflect current information. This issue became relevant in the litigation following the 2010 Deepwater Horizon oil spill and was reported widely in the media at the time. According to news reports, the owner and operator of the Macondo well had filed a 2009 emergency response plan for a Gulf of Mexico oil spill that listed as “sensitive biological concerns” marine mammals like walruses, sea otters, sea lions, and seals, none of which live in the Gulf of Mexico. News accounts also indicated that the emergency response plan designated a certain professor as the wildlife expert charged with assisting in the event of a major Gulf oil spill, even though the professor had died years earlier. While a massive and effective oil spill response ultimately occurred, reports of these deficiencies undermined the operator’s credibility with government regulators and in the subsequent litigation.

Managing Information

Controlling the flow of information is critically important. Regulatory agencies and legislative committees tend to follow a standard game plan after a crisis. Almost immediately, subpoenas and information requests will pour in from federal agencies such as the Occupational Safety and Health Administration, the Environmental Protection Agency, the Department of Justice, the National Transportation Safety Board, and the Chemical Safety Board. Local and state regulatory agencies and congressional and state legislative committees may pile on. Most seek the same information and all seek it immediately.

The overlapping subpoenas and information requests will command the production of massive volumes of documents and ask the organization to answer questions going to the very heart of the incident. All of the subpoenas and information requests will impose impossible deadlines and demand scientific perfection despite the fog of an ongoing crisis.

This dynamic also played out in the response to the Deepwater Horizon oil spill. While the owner/operator of the Macondo well was working to respond to the blowout, it received multiple information requests from Congress and from federal investigators demanding to know the owner/operator’s estimate of the flow rate of oil. The owner/operator responded with an estimate of about 5,000 barrels of oil per day. However, that rough estimate apparently had not been vetted with internal technical experts, who were working on flow rate estimates that were significantly higher. This disconnect later posed serious public relations and legal challenges for the owner/operator.

Somewhat similar allegations have been made by the Environmental Protection Agency against Volkswagen in connection with the 2015 “Emissionsgate” scandal. According to the agency, Volkswagen had informed it that discrepancies in vehicles’ emissions testing were the result of technical glitches, despite the fact that others inside the company knew that software had intentionally been installed to circumvent emissions testing standards.

Responding to these kinds of information requests and keeping track of the answers is a massive project. It is too resource-intensive for the organization to take on itself while still keeping its core business functions in operation—much less its important crisis response and mitigation efforts. Effective crisis management therefore involves turning over the process of receiving and responding to government information requests to the outside legal crisis manager as soon as possible. Working in close cooperation, outside counsel, in-house attorneys, and the organization’s substantive subject matter experts can best manage the flow of information about a crisis to the outside world.

Outside counsel managing the overall crisis particularly has to ensure consistency across all information responses and take responsibility for document collection, processing, and production. Most importantly, the crisis manager must ensure that all responses to information requests are accurate according to the best available information at the time. While responses to information requests should be timely, it is far more important to be right than to be fast.

In the wake of a crisis, company managers may want to go above and beyond legally required response and mitigation expenditures, in the hope that extraordinary measures will improve the company’s standing with the public and the press. Such measures sometimes include offering services free of charge or reimbursement of expenses for people injured by the crisis. Mitigation efforts can be effective and sometimes essential, but, at most, mitigation can soften the impact of a crisis—not resolve it.

A good example of a successful mitigation program is Home Depot’s response in 2014 to a large data security incident, which involved a reported 56 million customer emails and credit card numbers. Within a few hours of confirming the incident internally, Home Depot made a public announcement apologizing to its customers in a brief, direct statement, and firmly committed that customers would not be liable for any fraudulent charges. The company also offered free identity protection services, including credit monitoring for any customer who used a credit or debit card at Home Depot during the relevant time frame. To handle intake after making its commitments, Home Depot established a call center capable of handling 50,000 calls per day. Home Depot’s robust programs were widely praised at the time, have become a model for responding to similar data security incidents, and helped Home Depot to resolve the ensuing enforcement and litigation proceedings relatively quickly.

As helpful as they may be, mitigation programs are expensive and should be undertaken thoughtfully and without the expectation of benefit to the company, either in terms of reputation or liability down the road. While there are very good reasons to invest in robust, early mitigation programs, returns are not guaranteed.

The Deepwater Horizon case shows how even the best-intentioned mitigation programs can yield mixed results. In the immediate aftermath of the spill, the owner/operator of the Macondo well voluntarily offered claimants no-strings-attached and little-or-no-proof-required reimbursements for certain expenses. When the number of claimants turned out to vastly exceed expectations, the owner/operator found it had little ability to impose reasonable limits on its prior commitments.

Then, in the ensuing litigation, the owner/operator argued that its voluntarily incurred mitigation expenses should be credited against the court’s assessment of the amount of civil penalties imposed for the spill under the federal Clean Water Act. In response, the U.S. Department of Justice argued that the owner/operator was not entitled to credit for things that it was required to do under the law, such as its cleanup operations, and that it could not claim credit for voluntary payments, including those to claimants outside the judicial process. The court sided with the government.

Of course, the fact that the Macondo owner/operator garnered little or no credit for its early mitigation efforts is not a reason to forgo mitigation programs if faced with a crisis. It is a reason to have conservative expectations.

The Crisis Life Cycle

The hard truth is that crises have no quick and easy route to the exit. All major crisis scenarios follow a similar life cycle, each of which must be managed.

The first stage is the immediate response effort to bring the crisis under control. This may involve working with responsible local, state, and federal government agencies to stop the leak, kill the well, put out the fire, and take whatever other action is needed.

Second is efforts to mitigate and remediate the harmful impacts of the crisis. Mitigation and remediation efforts often begin even before the immediate exigency has passed, and they may extend long after the larger crisis is over.

Third is the commencement of internal and external root cause investigations into what went wrong and why. The investigation stage also often begins while the crisis is still underway and likely will continue well into the following stages.

Fourth, a crisis inevitably leads to multiple overlapping legal proceedings: civil litigation in state or federal court (or both), criminal prosecutions at the state or federal level (or both), securities litigation, insurance coverage litigation, agency and legislative hearings, and administrative penalty proceedings, just to name a few. A unified legal strategy must be developed at the outset to address all related proceedings. Implementing the strategy requires consistent message discipline across all proceedings.

Finally, only after advancing through each stage is it possible to eliminate, try, or settle discrete pieces of the many interrelated proceedings. This process should not be rushed; settlements must be considered and negotiated methodically so as not to disadvantage other proceedings, until all related matters eventually are resolved.

Litigation after a crisis is nothing like ordinary commercial litigation, and settlements will prove elusive until much later than anyone would hope. The regulatory agencies that drive the litigation have statutory mandates to fulfill, and they will have little appetite for resolution until their investigations are complete. Private plaintiffs take their cues from the government agencies and will wait for investigative reports to be released before initiating negotiations in earnest. There is no choice but to dig in and develop a trial-ready defense. Knowing this from the outset will help managers to make prudent decisions about resource allocation and about how to communicate expectations to shareholders and others.

Finally, careful legal strategy following a crisis takes on heightened importance because the overlapping investigations and lawsuits and administrative proceedings are all interconnected. Every tactical decision in every related proceeding must be made with an eye toward moving the organization toward an ultimate resolution that governs all related cases. This can be accomplished only if all legal proceedings following a crisis are centrally managed by a single legal crisis management firm with the ability to see the connections between the various proceedings.

Centralized legal strategy can be used both to protect against the negative ripple effects that can pass from one proceeding to another and to capitalize on the ways interconnected proceedings feed into one another to the organization’s advantage. Favorable rulings on legal questions in small, related cases can influence outcomes in big cases with greater potential exposure. Admissions in administrative proceedings may be binding in parallel civil litigation. Witnesses who are called to testify before legislative committees later will be cross-examined on their testimony in depositions by private plaintiffs’ lawyers. All these consequences must be considered, which is only possible when there is an unimpeded flow of information from each proceeding to the centralized legal crisis management.

Centralized strategic decision-making is especially critical because early unfavorable outcomes on legal issues—such as jurisdictional objections or discovery squabbles—may haunt the organization throughout the post-crisis litigation and beyond. Consider a scenario in which an American corporation experiences an industrial accident and the corporation’s foreign parent is named as a defendant despite having no operations in this country. Should the foreign parent move to dismiss on personal jurisdictional grounds? That strategic question must be very carefully considered because crisis litigation follows different rules and even small decisions can have broad consequences.

In response to the personal jurisdiction motion, the plaintiffs would ask the court to “pierce the corporate veil” between the parent and the subsidiary. An adverse outcome on that question early in the case could have downstream consequences for later decisions involving liability and enforcement of judgments. Nor will an adverse decision necessarily remain limited to the proceeding in which the decision occurs.

Whatever the ultimate strategic decision, it must be made in light of all of the potential consequences for all of the related proceedings that occur simultaneously after a crisis.

Not every major accident or scandal is a crisis. What defines the true crisis moment, and what distinguishes the genuine crisis from an ordinary system failure, is the transformational nature of the event. A crisis demands system-wide change. Even when arising without fault, a crisis reveals and exploits the hidden weaknesses that persist under the surface of any organization.

Organizations that undergo a crisis and meet the challenge to change in response can emerge on the other side stronger, more responsive, and more resilient. To increase the likelihood of that happening, they should act beforehand to engage an experienced crisis manager and develop a crisis management plan. And outside counsel should start preparing for the unexpected.