Playbook

Vendor / SaaS supply-chain breach

Your platform vendor was breached and your data may be in scope.

The scenario

Your ERP, permitting, agenda-management, or 311 vendor publishes a security advisory or contacts you about an incident. You don't yet know whether your tenant or data is affected.

Who this is for: IT lead, CAO, department heads using the affected platform, counsel.

First steps

  1. Get the vendor's incident report in writing
    First hour

    Ask for: scope of compromise, your tenant's status, data classes affected, attacker dwell time (with dates, so you can scope your own log review to the same window), indicators of compromise, the vendor's access and audit logs for your tenant covering that window, and the vendor's notification timeline to your residents.

  2. Check your contract for breach-notification clauses
    First day

    Most municipal SaaS contracts require vendor notification within 24–72 hours of discovery. Hold the vendor to the contract: a phone call is not notification. Get the notice in writing, date-stamped, and keep it on the record; it fixes the clock for your own obligations and for any later dispute.

  3. Rotate API keys, integration credentials, and SSO trust
    First day

    Anything your municipality issued the vendor for integration purposes: API keys, OAuth client secrets, webhook signing secrets, service-account passwords, and the SAML or OIDC trust between your identity provider and the vendor's tenant. Assume all of it is in scope until the vendor proves otherwise. Before you revoke, pull your own identity-provider and API-gateway logs for the vendor's stated dwell window, so you can see whether any of those credentials were used from anywhere other than the vendor's documented addresses.

  4. Decide who notifies residents — you or the vendor
    First week

    In most jurisdictions the data controller (the municipality) owns the notification obligation regardless of who lost the data. The vendor may help, but the legal duty is yours.
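The log check behind step 3, as an added example that is not part of this playbook or any vendor's tooling: take the inventory of what you issued the vendor, the dwell window and egress addresses the vendor gave you in step 1, and correlate them against your own auth log to see which credentials were exercised during the window and from where. Every name, IP range, timestamp and log line below is constructed for illustration; the CSV column names are an assumption about how your identity provider or API gateway exports logs.

```python
"""Added example (not the playbook's or any vendor's code).

Triage credentials issued to a breached vendor before rotating them:
correlate the inventory against a constructed IdP / API-gateway auth log
for the vendor-stated dwell window.  All data below is constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed inventory: credential principal -> what it is.
INVENTORY = {
    "svc-erp-integration": "service account (SSO)",
    "api-key-permits-sync": "API key",
    "saml-sp-agenda": "SAML SP signing certificate",
    "api-key-311-webhook": "webhook signing secret",
}

# Vendor-documented egress ranges (constructed; RFC 5737 documentation space).
VENDOR_EGRESS = [ip_network("203.0.113.0/24")]

# Constructed auth log in the shape an IdP or API gateway might export (UTC).
AUTH_LOG = """ts,principal,src_ip,result
2024-04-20T10:00:00Z,api-key-311-webhook,203.0.113.20,success
2024-05-02T03:14:00Z,svc-erp-integration,203.0.113.20,success
2024-05-03T22:40:10Z,svc-erp-integration,198.51.100.77,failure
2024-05-03T22:41:00Z,svc-erp-integration,198.51.100.77,success
2024-05-04T01:02:00Z,api-key-permits-sync,203.0.113.21,success
2024-05-10T09:00:00Z,saml-sp-agenda,203.0.113.22,success
"""


@dataclass
class Finding:
    credential: str
    kind: str
    activity_in_window: bool = False
    foreign_ips: set = field(default_factory=set)  # sources outside vendor ranges
    failures_in_window: int = 0

    @property
    def priority(self) -> int:
        """1 = used from outside the vendor, 2 = used in window, 3 = rotate anyway."""
        if self.foreign_ips:
            return 1
        if self.activity_in_window:
            return 2
        return 3


def parse_ts(value: str) -> datetime:
    # fromisoformat() on Python 3.10 and earlier does not accept a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(inventory, log_text, dwell_start, dwell_end, vendor_ranges):
    """Return {credential: Finding} for every credential in the inventory."""
    start, end = parse_ts(dwell_start), parse_ts(dwell_end)
    findings = {cred: Finding(cred, kind) for cred, kind in inventory.items()}
    for row in csv.DictReader(io.StringIO(log_text)):
        finding = findings.get(row["principal"])
        if finding is None:
            continue  # not something we issued to this vendor
        if not (start <= parse_ts(row["ts"]) <= end):
            continue  # outside the vendor's stated dwell window
        finding.activity_in_window = True
        src = ip_address(row["src_ip"])
        if not any(src in net for net in vendor_ranges):
            finding.foreign_ips.add(str(src))
        if row["result"] != "success":
            finding.failures_in_window += 1
    return findings


def rotation_plan(findings):
    """Every credential is rotated; this only orders the work and the evidence."""
    return sorted(findings.values(), key=lambda f: (f.priority, f.credential))


if __name__ == "__main__":
    result = triage(INVENTORY, AUTH_LOG,
                    "2024-05-01T00:00:00Z", "2024-05-06T00:00:00Z", VENDOR_EGRESS)
    for f in rotation_plan(result):
        print(f"P{f.priority} {f.credential:24} {f.kind:28} "
              f"foreign={sorted(f.foreign_ips)} failures={f.failures_in_window}")
```

A priority-1 finding (a credential you issued, used during the window from an address the vendor does not operate) is evidence: preserve the log export, hand the source address back to the vendor as a candidate indicator of compromise, and tell counsel before anyone drafts a joint statement. Priority 3 credentials still get rotated; the ordering only decides what you look at first and what you keep.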

Continuity of service

  • Switch to manual or backup processes for the affected platform until the vendor confirms tenant integrity.
  • If the vendor offers a 'pause' or read-only mode, take it.

Communication

Residents (if data exposed)

Standard breach-notification letter per your jurisdiction. Name the vendor; explain what data, what you're doing, and what the resident should do.

Council

Status report. The cost of a vendor breach frequently lands in next year's IT budget as additional security spend; flag this now rather than at budget time.

Regulator hand-off

  • US: state AG breach notification (thresholds and deadlines vary by state), CISA under CIRCIA if its reporting requirements apply to you.
  • Canada: provincial privacy commissioner, CCCS for coordination.

FAQ

Is the vendor liable for our notification costs?

Sometimes, contractually. Read the indemnification clause before signing any joint-statement language with the vendor. Counsel should advise before you waive any rights.