
Digital Emergency Response: 5 Critical Steps

Print this out and keep it handy for when things go wrong, and in case you’re locked out of your accounts.  

This checklist applies to incidents like:

  • Doxxing attacks - Your home address, phone number, or family information published online

  • Account compromises - Someone gains access to your email, social media, or organizational accounts

  • Phishing attacks - Malicious emails targeting you or your organization's staff

  • Harassment campaigns - Coordinated online abuse, threats, or intimidation

  • Data breaches - Donor information, campaign strategies, or sensitive documents exposed

  • Website attacks - Your organization's website hacked, defaced, or taken offline

  • Ransomware - Your organization’s digital assets frozen by an attacker

  • Surveillance detection - Discovering you're being monitored at events or through digital means

  • Impersonation - Someone creating fake accounts or profiles pretending to be you/your org

  • Legal threats - Receiving SLAPP suits, subpoenas, or aggressive legal demands

  • Physical security concerns - Threats that cross from digital to real-world safety    

Step 1: KNOW WHO TO CALL

Make a list of important contacts. Set up a Signal group for your core team. 

Incident Commander (Name/Phone/Signal)

  • Overall response coordination

  • External communications authorization

  • Resource allocation decisions

Technical Lead (Name/Phone/Signal)

  • System analysis and containment

  • Evidence collection

  • Recovery planning

Communications Lead (Name/Phone/Signal)

  • Media relations and holding statements

  • Staff notifications

  • Stakeholder updates

  • Law enforcement coordination

  • Legal compliance (breach notification requirements)

  • Evidence handling guidance

Executive Contact (Name/Phone/Signal)

Support Coordinator (Name/Phone/Signal)

  • Staff wellbeing and mental health support

  • Community impact assessment

  • Coalition partner notifications

External Support Contacts:

  • Technical Support: (Company/Phone/Signal)

  • Mental Health Support: (Provider/Phone/Crisis line)

  • Coalition Partners: (Key allies/Phone/Signal)              

Step 2: STOP AND DOCUMENT

What to do immediately:

  • STOP using the affected account/device 

  • Don't panic! Take a breath and think clearly

  • Document everything you remember:

    • What happened? When did you first notice?
    • What did you click/download/see?
    • Take screenshots with full URLs and timestamps (not crops)
    • Save email headers, not just message content
    • Names of any witnesses

    For doxxing/harassment incidents:

    • Screenshot all threats/harassment with full URLs and timestamps

    • Don't engage with attackers on social media or email

    • Document impact on work, sleep, mental health for potential legal action

    Why this matters: Your first action is to preserve evidence. You do not want to inadvertently delete information that can help you recover from this attack.  
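An added example, not part of the original checklist, of why the headers are worth saving: it fingerprints a saved message and records the delivery path and sender mismatches that only the headers show. The sample message, addresses, and function names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not a real email); stands in for the raw bytes of a saved .eml file.
SAMPLE_EML = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mx.example.org (mx.example.org [203.0.113.10])\r\n"
    b"\tby mail.example.org; Tue, 04 Mar 2025 14:02:11 +0000\r\n"
    b"Received: from unknown (host.example.net [198.51.100.7])\r\n"
    b"\tby mx.example.org; Tue, 04 Mar 2025 14:02:09 +0000\r\n"
    b"Authentication-Results: mail.example.org; spf=fail; dkim=none\r\n"
    b"From: \"Executive Director\" <director@example.org>\r\n"
    b"Reply-To: director.example@mail.example.com\r\n"
    b"Message-ID: <constructed-0001@mailer.example.net>\r\n"
    b"\r\n"
    b"Please open the attached file today.\r\n"
)

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def evidence_record(raw, collected_by):
    """Build a log entry for one saved message without modifying it."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain(msg["From"])
    notes = []
    for name in ("Return-Path", "Reply-To"):
        d = domain(msg[name])
        if d and d != from_dom:
            notes.append(f"{name} domain {d} differs from From domain {from_dom}")
    auth = str(msg.get("Authentication-Results", ""))
    if "spf=fail" in auth or "dkim=fail" in auth:
        notes.append("receiving server recorded an authentication failure")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # proves the file is unchanged later
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "message_id": str(msg["Message-ID"]),
        "received_hops": [" ".join(str(h).split()) for h in msg.get_all("Received", [])],
        "notes": notes,
    }

if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_EML, "Technical Lead"), indent=2))
```

A forwarded copy or a screenshot of the message body carries none of these fields, which is why the original message should be exported with its headers intact.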

Step 3: ACTIVATE YOUR PHONE TREE

    Call in this order (within 1 hour):

    1. Incident Lead

    2. Technical Lead

    3. Communications Lead

    4. Executive Contact

    Template message: "We have a security incident involving [brief description]. I've documented what happened. Need immediate coordination - switching to Signal for secure comms."

     

Step 4: SECURE THE SCENE

    Immediate containment actions:

    • Change passwords for affected accounts from a clean device

    • Enable 2FA on all accounts if not already active

    • Disconnect compromised devices from network (unplug ethernet/turn off WiFi)

    • Review recent account activity for signs of unauthorized access

    • Check data broker sites for your personal information

    • Alert personal contacts about potential impersonation

    For organizational incidents:

    • Identify affected systems - What accounts/systems are compromised?

    • Review admin access - Check all administrative accounts

    • Audit recent changes - What was modified in the last 30 days?

    • Check backup integrity - Are backups clean and recent?

    What NOT to do:

    • Don't restart or shut down compromised systems

    • Don't delete suspicious files or emails

    • Don't communicate about the incident over potentially compromised channels  

Step 5: ENGAGE SYSTEMS AND PRACTICES

    Assessment Questions:

    • Data impact: What data might be compromised? Donor info, strategies, personal data?

    • Scope: Are other organizations affected?

    • Legal obligations: Do we need to notify supporters/donors?

    • Notification requirements: What legal reporting requirements apply?

    External Communications: Do NOT contact external parties until you've answered:

    • Do we understand what happened?

    • Have we stopped the immediate problem?

    • Do we have legal advice if needed?

    • What is our key message?

     

    Media Inquiries:

    • Refer to designated spokesperson only

    • Use pre-approved holding statements

    • Don't speculate about cause or scope

    • Focus on what you're doing to address it

    • Emphasize commitment to security and transparency  

    Escalation Matrix:

    Immediate Escalation Required:

    • Any threat of physical violence

    • Suspected criminal activity (hacking, stalking, threats)

    • Social security numbers or payment card data compromised

    • Systems completely down/inaccessible

    • Coordinated attack affecting multiple organizations

    • Media already reporting on the incident  

    Escalate Within 24 Hours:

    • Email systems compromised

    • Donor information potentially accessed

    • Website defaced or hijacked

    • Staff personal information exposed

    • Suspected state-sponsored or sophisticated attack