Ransomware Communications Plan for Justice Organizations (First 72 Hours + Templates)

The intake queue is already too long. A court deadline is already too close. Then someone says the words that make your stomach drop: files are locked, systems are down, a ransom note appeared.

For legal aid, court self-help, navigator programs, and justice-support nonprofits, a ransomware communications plan, a critical component of a broader Incident Response Plan, is not PR polish. It’s client safety, continuity of services, and trust with partners and funders. Effective communication also prevents long-term reputational damage. It’s the difference between a controlled response and a rumor-driven mess.

This post gives a board-ready communications plan essential for Crisis Management in the first 72 hours, plus short templates you can copy, paste, and customize fast.

Key takeaways

  • The first 72 hours need Communication Protocols with one source of truth, not a dozen side chats.
  • Assign decision rights early for Internal Communications and External Communications: who drafts, who approves, who speaks.
  • Share only confirmed facts, don’t guess timelines or attack details.
  • Use alternate channels (phone tree, SMS, hotline) if email is compromised.
  • Keep messages focused on safety, service continuity, and next update time.

A practical 72-hour ransomware communications plan (who speaks, what to say, and what to avoid)

Ransomware turns normal operations into a fog-of-war. In 2025, attacks against legal-sector organizations stayed high, with law firms seeing record volumes in some quarterly reporting and major breaches like the UK Legal Aid Agency incident making headlines. You can’t control the attacker, but you can control how your organization communicates. This plan supports your overall Business Continuity Plan and Disaster Recovery Plan. Your north star is simple: move fast, stay factual, protect confidentiality.

Define key stakeholders before you write anything

Even small justice organizations have multiple stakeholders, and each needs a different level of detail.

  • Staff and contractors: immediate actions, safe channels, what not to do.
  • Board and executive team: confirmed facts, impact, decisions needed, risk framing.
  • Partners and referral networks: service disruption, workarounds, secure handoffs.
  • Funders: impact, response steps, transparency, what support may be needed.
  • Clients and community: how to get help safely, what services are available.
  • Media (if applicable): a minimal holding statement, one spokesperson.

Use alternate communication channels if email is down

Assume email may be unsafe until your incident team clears it. Plan for:

  • Phone tree (updated quarterly)
  • SMS broadcast (managed list)
  • Secure chat for leadership (pre-approved tool)
  • Recorded hotline message for staff and partners
  • A simple status page or pre-arranged update method

A strong cybersecurity posture includes these redundant tools. If you recognize your systems are already fragile, start with Technology challenges facing legal nonprofits and treat communications as part of continuity, not an add-on.

Set roles and decision rights before you send the first message

Your minimum roles:

  • Incident Lead (often IT lead or incident response coordinator): confirms facts, tracks timeline.
  • Comms Lead (often COO, ED, or development/ops leader): drafts all messages, runs updates.
  • Legal/Privacy Review (internal counsel or outside counsel): checks wording for confidentiality, breach notice obligations, and coordination with cyber insurance providers and law enforcement.
  • Executive Approver (ED/CEO): final sign-off, sets cadence.
  • Partner Liaison: manages high-stakes partners (courts, shelters, referral hubs).

Simple approval flow: Comms Lead drafts, Legal/Privacy reviews, Executive approves. Keep it to one loop.

Coordinate with your incident response vendor so messages match what forensics can support. Staff should not contact attackers or negotiate. That creates risk, confuses the record, and can interfere with response efforts.

Message basics: what to say, what not to say, and how to keep trust

Do:

  • Say what you know, what you’re doing to protect sensitive data, and when the next update is.
  • Name service impacts in plain language.
  • Repeat safe behavior steps (don’t plug in unknown devices, don’t forward suspicious emails or phishing emails).
  • Use calm, human language. No blame.

Don’t:

  • Don’t share attacker notes, malware names, or technical details (including vulnerabilities in Active Directory or gaps in multifactor authentication and network segmentation); they reveal too much to threat actors and risk exposing sensitive data.
  • Don’t promise restoration times you can’t defend.
  • Don’t imply “no data was accessed” until forensics confirms it.
  • Don’t ask staff to “use personal email for now” as a default.

At a high level, your legal and reporting decisions should align with counsel. Practical legal context on incident duties and reporting can be found in resources like the ACC Cybersecurity Toolkit for in-house lawyers (PDF).

First 72 hours message templates for staff, partners, and funders (copy, paste, customize)

Each template below stays short on purpose to support Operational Continuity. Add: single point of contact, update cadence, and a safe channel for urgent client matters.

0 to 24 hours: stabilize, stop rumors, and protect client safety (templates)

Template 1 (0 to 2 hours): Staff alert

Subject: Immediate systems outage, follow these steps
We’re responding to a cybersecurity incident that is disrupting some systems. Effective now, stop using: [SYSTEMS]. Do not log in, do not reset passwords, and do not forward screenshots of alerts.
Use [SAFE CHANNEL] for updates. If you get a “help desk” call or text, hang up and report it to [CONTACT].
For urgent client safety issues, use [URGENT PHONE] only. Next update by: [TIME].

Template 2 (0 to 2 hours): Leadership and board brief

We detected a ransomware-related incident at [TIME]. Confirmed impacts so far: [IMPACT]. We have contained access to affected systems, initiated Forensic Analysis, and engaged [IR VENDOR/IT] and counsel.
Our priorities are client safety, continuity of service, and preserving evidence.
Decisions needed in the next 6 hours: [DECISIONS]. Next briefing at: [TIME]. Single point of contact: [NAME, PHONE].

Template 3 (2 to 6 hours): Partner notice

We’re experiencing a cybersecurity incident that is affecting [SERVICES/SYSTEMS]. For now, please do not email case files to our usual addresses.
Use [SECURE METHOD] for urgent handoffs. For time-sensitive court or benefits deadlines, call [PARTNER LINE].
We’ll send an operational update by [TIME] with workarounds and expected cadence.

Template 4 (6 to 24 hours): Quick funder heads-up

We want you to hear this from us early. We’re responding to a ransomware-related incident that has disrupted [SYSTEMS/SERVICES]. We’ve engaged technical response support and counsel, and we’re prioritizing client safety and service continuity.
We’ll share confirmed impacts and our stabilization plan by [TIME]. For now, our main contact is [NAME, PHONE]. We’ll keep updates factual and regular.

Fill-in checklist: time discovered, affected services, alternate intake channel, urgent phone, spokesperson. These templates are part of the larger Incident Response Plan and Disaster Recovery Plan.

24 to 72 hours: service continuity updates, funder confidence, and external messaging (templates)

Template 5 (24 to 48 hours): All-staff daily update

Daily update as of [TIME]. Confirmed status: [WHAT’S DOWN], restored: [WHAT’S BACK]. Today’s workarounds: [WORKAROUNDS].
Please keep client communications to [APPROVED CHANNELS]. Don’t use personal email or personal cloud storage for files.
If you’re overwhelmed or stuck, tell [MANAGER/HR CONTACT]. Next update by [TIME]. Questions go to [CONTACT].

Template 6 (24 to 48 hours): Partner update with revised operating plan

Update as of [TIME]. We can currently support: [SERVICES]. We cannot support: [LIMITS].
For referrals, use: [ALT INTAKE]. For document exchange, use: [SECURE METHOD].
Court deadlines: call [NAME/PHONE] so we can coordinate triage. Next partner update by [TIME].

Template 7 (48 to 72 hours): Board-ready funder update

As of [TIME], this incident has affected [PROGRAM IMPACT]. We have taken containment steps, engaged response support, and are executing recovery in phases that include verifying Data Integrity and restoring from Offline Backups: [PHASES].
We will share confirmed findings as they are validated. If notification becomes required, it will be coordinated with counsel and done promptly.
Support that may help in the next 2 weeks: [EMERGENCY TECH SPEND, TEMP STAFF, HOTLINE COSTS]. Next update by [TIME].

Template 8 (48 to 72 hours): Public holding statement (if needed)

We’re responding to a cybersecurity incident that has disrupted some services. We’re working with specialists to restore operations and to protect the people we serve.
If you need help, please use [ALT INTAKE] or call [PHONE]. Updates will be posted at [STATUS METHOD] as we confirm information.

Client notice note: if there’s a chance client data is involved, don’t freelance the wording on any communication channel. Coordinate with counsel and your incident response team before contacting clients directly.

FAQs leaders ask during a ransomware incident (clear answers you can use with staff and funders)

Should we pay the ransom?
That’s a leadership and legal decision, informed by forensics, counsel, and often a professional Ransomware Negotiator. Don’t discuss it broadly or in writing.

Are we in a data breach?
Maybe, maybe not. Ransomware often includes data theft. Say “we’re investigating” until validated.

Can staff use personal email to keep work moving?
No, not as a default. It increases risk and can create discoverability problems. Use approved channels only.

How do we talk to clients safely right now?
Use the simplest approved channel as part of broader Mitigation Strategies, keep details minimal, and focus on next steps and safety.

What do we tell courts and referral partners?
Share operational impacts, workarounds, and a single contact. Avoid technical details and speculation.

How often do we update funders?
Set a cadence (daily or every 48 hours early on) that covers key metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO), which funders might ask about. Short updates beat long, late ones.

Who is allowed to speak publicly?
One spokesperson from the Crisis Communication Team. Everyone else routes inquiries to that person.

Conclusion

In a ransomware event, silence doesn’t create calm. Structure does. A one-page communications plan, stored offline, keeps your team from improvising under stress and keeps client safety at the center.

Your next step is practical: write the roles, channels, and update cadence now, then run a short tabletop exercise using the templates above. After the first 72 hours, the organization should conduct a Root Cause Analysis to prevent future incidents. If you want help tightening decision rights, building an incident-ready communications workflow, or pressure-testing what you’d tell funders and partners, book a technology strategy call with CTO Input. The question to bring: which single chokepoint, if fixed, would protect the most trust this quarter? Established Communication Channels safeguard that trust.
