INCIDENT RESPONSE PROCESS GUIDANCE & CHECKLIST
Cybersecurity incidents, including data breaches, ransomware attacks and other incidents as described below, are increasingly common and present significant risks to political campaigns. This guidance is intended to provide an overview of issues to consider before or when you suspect or have confirmed a cybersecurity incident.
The information provided in this document does not, and is not intended to, constitute legal advice. All information and content are for general informational purposes only. Please seek legal advice from your own attorney.
Skip to Each Section:
THE PRE-INCIDENT BASICS
GATHER YOUR INTERNAL AND EXTERNAL RESPONSE TEAM
IDENTIFY THE ISSUE AND START CONTAINMENT EFFORTS
CONSIDER NOTIFYING LAW ENFORCEMENT
ASSESS POTENTIAL BREACH NOTIFICATION OBLIGATIONS
ADDITIONAL CONSIDERATIONS
Download Documents:
STATE DATA BREACH NOTIFICATION LAWS SUMMARY - QUICK REFERENCE CHART
LAW ENFORCEMENT CONTACTS
FORENSIC FIRM CONTACT INFORMATION
THE PRE-INCIDENT BASICS
There are simple steps a campaign can take immediately to prepare for an efficient incident response effort and maintain operations when a cybersecurity incident strikes.
Have a plan for responding to a cybersecurity incident.
Identify which members of the campaign staff should be involved.
Know whether the campaign has cyber insurance or other resources to retain third parties.
Connect with your identified third parties, including your outside legal counsel and cybersecurity forensic firm.
Know how to get in touch with your team.
Create contact list with the mobile telephone numbers and personal email addresses of the candidate, key campaign staffers, and certain volunteers.
Include alternative means of contact information for core team members.
Collect contact information for key third parties:
Cyber insurance carrier or broker;
Outside legal counsel;
Store the contact information off campaign systems, preferably in hard copy.
Strengthen your data storage and recovery program.
Identify core data needed for the run-up to the election or for legal and compliance purposes.
Consider whether your backup procedures and locations are sufficient.
Back up your data if you have not done so already.
Ransomware Activity Targeting the Healthcare and Public Health Sector (the link is not exclusively related to the healthcare industry; please scroll to the end of the alert for additional links and resources regarding ransomware detection and mitigation)
CISA and Multi-State Information Sharing and Analysis Center Joint Ransomware Guide
GATHER YOUR INTERNAL AND EXTERNAL RESPONSE TEAM
Call your IT Support.
IT Support should immediately investigate the cause, scope, and impact of any suspected cybersecurity incident.
Ensure that IT Support preserves and does not destroy evidence or data while investigating.
Additional resources may be required depending on the initial results of the investigation.
Don’t have IT Support?
Identify and involve the person on your team responsible for or most knowledgeable about the campaign’s technology and data.
Call your legal counsel.
Perform this step immediately upon discovering a potential cybersecurity incident.
Ideally calling legal counsel and IT Support would be nearly simultaneous.
Call the campaign’s counsel – internal, elections or compliance counsel.
Determine whether to retain outside counsel with cybersecurity breach response expertise.
Legal counsel can identify and advise on potential notification obligations resulting from the cybersecurity incident.
Don’t have legal counsel?
Consider reaching out to outside counsel for guidance.
Activate your incident response team.
The incident response team will handle the campaign’s response efforts.
Don’t have an incident response team?
Include, at minimum, your IT Support and legal counsel.
Involve the campaign manager and other senior staffers, such as the finance director and the communications or PR director. At minimum, there must be one team member authorized to make immediate decisions for the campaign.
Include campaign staffers who know the most about the campaign’s:
Finance;
Collection and use of personal information; and
Communications strategy.
Consider at what point to involve the candidate, especially for significant incidents (e.g., a ransomware attack or a suspected theft of personal information),
Notify your cyber insurance carrier.
The campaign’s insurance carrier can help you retain third party vendors, such as outside legal counsel, a cybersecurity forensic firm, and a crisis management firm, and may offer “breach coaching” services.
Contact your insurance broker for clarity on qualifying insurance policies.
Cyber policies may be part of general liability or other policies.
Don’t have cyber insurance?
Visit the Cybersecurity Forensic Firm Resource page for a list of cybersecurity forensic firms.
Consider whether to retain a cybersecurity forensic firm.
The cybersecurity forensic firm will:
Investigate the cause and impact of the cybersecurity incident;
Analyze logs and other forensic evidence to determine whether personal information may have been accessed or acquired by the threat actor;
Confirm that the threat actor no longer has access to the campaign’s network; and
Assist with threat actor attribution.
Visit the Cybersecurity Forensic Firm Resource page for a list of cybersecurity forensic firms.
IDENTIFY THE ISSUE AND START CONTAINMENT EFFORTS
Cybersecurity incidents occur in different forms and are discovered in different ways. You may learn of a cybersecurity incident from a third party, you may identify some anomalies with the campaign email or network, or a staff member may report a problem that prompt further investigation. The steps you take to triage and contain the incident will depend on the type of incident you experience.
Consider whether to perform the following activities to stop or slow the spread of an incident:
Ransomware: If you find a ransom note anywhere on the network or receive one via email:
Shut down your network.
Instruct all campaign staffers to immediately turn off their computers.
Disconnect all external devices.
Business Email Compromise: If someone affiliated with the campaign clicked a link or opened an attachment in an email received from an unknown party, whether in the campaign’s domain or in their personal email account, OR if emails sent to or from your email account appear to be fraudulent:
Change your email password.
Change all passwords on all accounts that use that same password.
Hacking or Persistent Threats: If you identify abnormal activity within your network, including but not limited to, indicators that data is being removed or copied from the network:
Change passwords for all affected users.
Consider whether to shut down the network.
Third-Party Provider Incident: If your vendor experienced a cybersecurity incident:
Call the vendor for more information.
Shut down shared portals with the vendor until you learn more.
Lost or Stolen Devices: If a campaign team member’s device is lost or stolen:
Confirm whether the device is encrypted or backed up.
Consider whether to wipe the device remotely, where possible.
Law Enforcement: If you receive a call from law enforcement regarding a possible attack:
Ask law enforcement to share as much information as they can, including all known indicators of compromise (IOCs).
CONSIDER NOTIFYING LAW ENFORCEMENT
Cybersecurity incidents targeting political campaigns are issues of national concern and election security. The FBI urges the public and political campaigns to report all instances of potential election crimes to the FBI’s local offices, including cybersecurity incidents.
Any organization that experiences a cybersecurity incident should consider notifying law enforcement. If your campaign suffered a cybersecurity incident, such as hacking or ransomware, it is likely the bad actors are attempting similar to attacks on other campaigns. Knowledge of this activity can help law enforcement thwart other attacks and notify others of potential threats.
The decision to notify law enforcement should be made by legal counsel, the candidate, and possibly other key advisors. You can find law enforcement contact information here.
ASSESS POTENTIAL BREACH NOTIFICATION OBLIGATIONS
The campaign’s notification requirements will depend on the types of information at issue and where the affected individuals are located. To assess potential notification obligations, the campaign should ask:
What data may have been impacted?
Voter lists?
Donor lists?
Personal information belonging to the candidate, campaign staffers, or volunteers?
Internal campaign communications?
Other?
What types of personal information may have been involved or exposed?
Contact information (name, phone number, email address, mailing address)?
Financial information (credit card information, bank account numbers)?
Government identification information (Social Security numbers, driver’s license numbers)?
Other?
Where do the individuals whose data was impacted reside?
Are there multiple states where the impacted individuals may reside?
If yes, which ones?
In the United States or abroad?
The campaign may have a duty to notify any of the following third parties as a result of the incident and analysis of the relevant data:
Affected Individuals
Data breach laws apply based on the location of any affected individuals, not the jurisdiction where the campaign or candidate is established.
Each U.S. state has a breach notification law with its own definition of what constitutes a “breach” and “personal information.”
A breakdown of U.S. state breach notification laws can be found here.
Regulators
See the breakdown of U.S. state breach notification laws here.
Payment card brands (Visa, MasterCard, etc.)
If your campaign accepts credit card contributions and that card data or information is accessed or exposed to an unauthorized third party, the campaign may be required to immediately notify the credit card brands.
If your campaign accepts card donations via a third party service provider or platform and that third party service provider or platform experiences a potential or confirmed cybersecurity incident, the campaign may still have reporting requirements to the card brands.
Visa, MasterCard, AMEX, and Discover all require notification for potential or actual cybersecurity incidents under their respective card brand rules, although the triggers for notification vary depending on the specific card brand.
Please consult with your forensic vendor and your election, compliance, or data breach lawyer prior to notifying the card brands of any potential or actual cybersecurity incident.
More information for the card brand rules may be found here:
Links to relevant Visa documents:
What To Do If Compromised
Entity Obligation to Report Suspected or Confirmed Account Data Compromises
Links to relevant MasterCard documents:
MasterCard Account Data Compromise Event Best Practices
Links to relevant AMEX documents:
American Express Data Security Operating Policy for Merchants
Report an Issue
Links to relevant Discover documents:
· FAQs and Help Center - data breach
Other
Certain contracts with third parties may include breach notification provisions.
Review contracts with affected third parties for an understanding of these potential obligations.
ADDITIONAL CONSIDERATIONS
Establish attorney-client privilege over the campaign’s incident response investigation.
This privilege can only be established if you have legal counsel.
Legal counsel should direct the investigation for purposes of understanding the campaign’s legal obligations stemming from the cybersecurity incident.
Preserve evidence related to the cybersecurity incident.
Maintain a chain of custody for affected servers, computers, or other devices.
Require all evidence to be signed in and out by each person who takes possession of the evidence throughout the investigation.
Have an internal and external communications plan.
Know who from the campaign will be responsible for updating and informing the candidate, campaign and, where appropriate, the public of the cybersecurity incident and when those updates should happen.
Prepare a holding statement.
A holding statement is a public statement that addresses the incident at a high level, and will allow the campaign to respond quickly to media inquiries regarding a potential cybersecurity event.
Another resource, Cybersecurity Campaign Playbook.