Digital Emergency Response: 5 Critical Steps

Print this out and keep it handy for when things go wrong, and in case you’re locked out of your accounts.

This checklist applies to incidents like:

- Doxxing attacks - Your home address, phone number, or family information published online
- Account compromises - Someone gains access to your email, social media, or organizational accounts
- Phishing attacks - Malicious emails targeting you or your organization's staff
- Harassment campaigns - Coordinated online abuse, threats, or intimidation
- Data breaches - Donor information, campaign strategies, or sensitive documents exposed
- Website attacks - Your organization's website hacked, defaced, or taken offline
- Ransomware - Your organization’s digital assets frozen by an attacker
- Surveillance detection - Discovering you're being monitored at events or through digital means
- Impersonation - Someone creating fake accounts or profiles pretending to be you/your org
- Legal threats - Receiving SLAPP suits, subpoenas, or aggressive legal demands
- Physical security concerns - Threats that cross from digital to real-world safety

Step 1: KNOW WHO TO CALL

Make a list of important contacts. Set up a Signal group for your core team.

Incident Commander (Name/Phone/Signal)
- Overall response coordination
- External communications authorization
- Resource allocation decisions

Technical Lead (Name/Phone/Signal)
- System analysis and containment
- Evidence collection
- Recovery planning

Communications Lead (Name/Phone/Signal)
- Media relations and holding statements
- Staff notifications
- Stakeholder updates

Legal Contact (Name/Phone/Available hours)
- Law enforcement coordination
- Legal compliance (breach notification requirements)
- Evidence handling guidance

Executive Contact (Name/Phone/Signal)

Support Coordinator (Name/Phone/Signal)
- Staff wellbeing and mental health support
- Community impact assessment
- Coalition partner notifications

External Support Contacts:
- Technical Support: (Company/Phone/Signal)
- Mental Health Support: (Provider/Phone/Crisis line)
- Coalition Partners: (Key allies/Phone/Signal)

Step 2: STOP AND DOCUMENT

What to do immediately:
- STOP using the affected account/device
- Don't panic! Take a breath and think clearly
- Document everything you remember:
  - What happened?
  - When did you first notice?
  - What did you click/download/see?
  - Take screenshots with full URLs and timestamps (not crops)
  - Save email headers, not just message content
  - Names of any witnesses

For doxxing/harassment incidents:
- Screenshot all threats/harassment with full URLs and timestamps
- Don't engage with attackers on social media or email
- Document impact on work, sleep, mental health for potential legal action

Why this matters: Your first action is to preserve evidence. You do not want to inadvertently delete information that can help you recover from this attack.

Step 3: ACTIVATE YOUR PHONE TREE

Call in this order (within 1 hour):
1. Incident Lead
2. Technical Lead
3. Communications Lead
4. Executive Contact

Template message: "We have a security incident involving [brief description]. I've documented what happened. Need immediate coordination - switching to Signal for secure comms."

Step 4: SECURE THE SCENE

Immediate containment actions:
- Change passwords for affected accounts from a clean device
- Enable 2FA on all accounts if not already active
- Disconnect compromised devices from network (unplug ethernet/turn off WiFi)
- Review recent account activity for signs of unauthorized access
- Check data broker sites for your personal information
- Alert personal contacts about potential impersonation

For organizational incidents:
- Identify affected systems - What accounts/systems are compromised?
- Review admin access - Check all administrative accounts
- Audit recent changes - What was modified in the last 30 days?
- Check backup integrity - Are backups clean and recent?

What NOT to do:
- Don't restart or shut down compromised systems
- Don't delete suspicious files or emails
- Don't communicate about the incident over potentially compromised channels

Step 5: ENGAGE SYSTEMS AND PRACTICES

Assessment Questions:
- Data impact: What data might be compromised? Donor info, strategies, personal data?
- Scope: Are other organizations affected?
- Legal obligations: Do we need to notify supporters/donors?
- Notification requirements: What legal reporting requirements apply?

External Communications:

Do NOT contact external parties until you've answered:
- Do we understand what happened?
- Have we stopped the immediate problem?
- Do we have legal advice if needed?
- What is our key message?

Media Inquiries:
- Refer to designated spokesperson only
- Use pre-approved holding statements
- Don't speculate about cause or scope
- Focus on what you're doing to address it
- Emphasize commitment to security and transparency

Escalation Matrix:

Immediate Escalation Required:
- Any threat of physical violence
- Suspected criminal activity (hacking, stalking, threats)
- Social security numbers or payment card data compromised
- Systems completely down/inaccessible
- Coordinated attack affecting multiple organizations
- Media already reporting on the incident

Escalate Within 24 Hours:
- Email systems compromised
- Donor information potentially accessed
- Website defaced or hijacked
- Staff personal information exposed
- Suspected state-sponsored or sophisticated attack