HackFirstAidMunicipal
Playbook

Public-records system compromise

Vital records, property assessments, or business licenses exposed or altered.

All playbooks

The scenario

Your records system (vital records, property assessments, business licenses) shows signs of unauthorized access — altered entries, exported data, or a vendor security advisory naming your platform.

Who this is for: Town clerk, registrar, IT lead, CAO.

First steps

  1. 1. Identify which record classes are involved
    First hour

    Vital records (birth, death, marriage) have separate state/provincial registrars and stricter notification rules than property or business records.

  2. 2. Preserve audit logs before they roll off
    First hour

    Most municipal records systems retain access logs for 30–90 days. Export now to immutable storage.

  3. 3. Notify the vendor in writing and request their breach report
    First day

    If the platform is Tyler, Granicus, CivicPlus, Accela, or similar, the vendor's security team owes you a coordinated disclosure timeline.

  4. 4. Pause public-facing record lookups
    First day

    If altered records may have been served to residents (assessment values, certificates), pause the public portal until integrity is verified.

Continuity of service

  • Vital records: coordinate with the state/provincial vital statistics office for fallback issuance.
  • Property assessments: hold appeals deadlines; assessor's office issues a notice of pause.
  • Business licenses: accept manual renewals at the counter; do not let licenses lapse due to a system outage.

Communication

Affected residents

Individual written notice if a specific record was accessed; jurisdiction-mandated form letter for class-wide exposure.

Council

Status report at next meeting; closed session if individuals are identifiable in the breach detail.

Regulator hand-off

  • US: state vital-records registrar, state AG, CISA via CIRCIA if critical-infrastructure thresholds apply.
  • Canada: provincial vital statistics agency, provincial privacy commissioner, CCCS.

FAQ

Do we have to notify every resident whose record was in the system?

Usually no — notification obligations attach to records that were actually accessed or exfiltrated, not the full database. Your IR firm and counsel determine scope based on audit logs.

Other playbooks
Ransomware affecting core servicesTreasurer / finance department BECPolice, fire, or court data exposureElection infrastructure incidentCouncil or mayor social-media account takeoverVendor / SaaS supply-chain breach