HackFirstAidMunicipal
Playbook

Police, fire, or court data exposure

CJIS-regulated data or equivalent provincial law-enforcement records.

All playbooks

The scenario

An incident touches systems holding criminal-history, dispatch, or court records — CJIS-regulated in the US, or provincial police-services data in Canada.

Who this is for: Police chief, CJIS Systems Officer, court clerk, CAO, IT lead.

First steps

  1. 1. Notify the CJIS Systems Officer (US) within hours
    First hour

    CSO at your state agency coordinates with the FBI's CJIS Division. Reporting timelines under the CJIS Security Policy are strict and separate from civilian breach laws.

  2. 2. Notify provincial police-services oversight (Canada)
    First hour

    Provincial Ministry of the Solicitor General (or equivalent), provincial privacy commissioner, and the Police Services Board.

  3. 3. Engage law-enforcement-experienced counsel
    First day

    CJIS and provincial police data carry separate liability frameworks from general municipal data. Generalist counsel can miss obligations.

  4. 4. Coordinate with the court on case-data integrity
    First day

    If court scheduling or filings are affected, the chief judge or court administrator needs to know — this affects active proceedings.

Continuity of service

  • Dispatch usually runs on an isolated CAD system — confirm it is unaffected before reassuring 911 callers.
  • Police records to manual processes; provincial / state RMS support desk may help with read-only access.
  • Court filings: paper acceptance at the clerk's window; coordinate with the bar association.

Communication

Residents

Cautious. Saying 'police records' publicly creates more alarm than is warranted; describe the affected system and what residents do not need to do.

Council

Closed-session, jurisdictional briefing only. Police-services oversight is governed differently from general municipal oversight.

Regulator hand-off

  • US: CJIS Systems Officer, FBI CJIS, state AG, CISA.
  • Canada: provincial Ministry of the Solicitor General, provincial privacy commissioner, Police Services Board, RCMP if cross-jurisdictional.

FAQ

Does HIPAA apply if EMS records are involved?

Often yes — municipal EMS records frequently fall under HIPAA. The EMS director and HIPAA privacy officer should be part of the response from the first hour.

Other playbooks
Ransomware affecting core servicesTreasurer / finance department BECPublic-records system compromiseElection infrastructure incidentCouncil or mayor social-media account takeoverVendor / SaaS supply-chain breach