Keeping Statewide Elected Officials Safe

Decide whether and which of the official’s loved ones will receive security, at what level, and under what circumstances. This may vary based on context (e.g., if threats are received). Discuss and determine in advance what changed circumstances may necessitate and prompt increased protection for loved ones.  

Establish protocols for information sharing between the official’s loved ones and the security professionals. Ensure that the official’s loved ones and security professionals know each other, and that they know what to share, when, and how to share it with each other. An official’s loved ones can be an important source of security information (e.g., they may receive a threat against the official or see a suspicious car parked outside the home). Likewise, security professionals may have information that affects the official’s loved ones (e.g., a threat against the home or an event that loved ones will attend).  

Determine a notification system for threats. The official and their chief deputy should be made aware immediately of any potential threats to the official, their staff, or loved ones, regardless of the perceived seriousness of the threat. Agree upon the communications platform to be used for this communication (e.g., text, calls, Slack, etc.).  

Assess and strengthen as needed the official’s home security. A security system that includes cameras with remote monitoring should be in place. Locks, both physical and digital, should be strong and rekeyed or reset if non-residents have a key. Block lines of sight into the home, and light the exterior of the home amply. Consider installing a panic button or silent alarm. To test these measures, security professionals should assess the official’s home for security vulnerabilities. 

Ensure local law enforcement has special alert triggers for the official’s addresses and phone number and for their loved ones’ addresses and phone numbers. If the official or the official’s loved ones calls 911, an automatic alert should be immediately triggered for emergency services that an elected official or the official’s loved one may be in trouble. Law enforcement should also be aware of the official’s home address in the event of calls for service (e.g., a neighbor reporting a break-in). 

Determine whether and when to have security professionals provide physical monitoring of the home. Under some conditions, such as an active threat to the official, periodic physical monitoring of the home maybe warranted by security professionals or in some cases by law enforcement.  

Download PDF here.

Maintain routine and regular communication with the head of the agency in charge of protection. The elected official and key staff should have periodic meetings and identify specific communication practices with the relevant agency head to communicate about evolving security needs, resources, and plans. The official and staff can learn what types of additional, emergency, or as-needed resources can be provided, the process for making and approving such requests. The agency head should also help ensure that the official receives regular threat assessments, and should advise on security resources for travel or events.  

Ensure that local law enforcement has relevant contact information. The staff and agency head should ensure that 911 stores the official’s office, home, and cell phone numbers and addresses such that a call for service from these numbers and addresses instantly alerts emergency services that an elected official needs help. Staff may also need to use this service.  

Review security practices regularly and consider a periodic outside audit. Changes in staff or office location, technology developments, the threat landscape, the proximity of an election, and other factors may all affect security needs, including the number of security professionals working to protect the official and the practices they use. Updating security practices regularly is key to address change and identify blind spots. A periodic third-party review can help. 

Make security personnel decisions that maximize the official’s comfort with and trust in the security professionals. The level of control over security personnel varies widely by office. The official may wish to designate personnel for different functions or locations, such as for home or travel. It is commonplace to change a security team’s practices and roster to address an official’s comfort. If vetting and picking the whole team is an option, make sure priorities (e.g., dealbreaker prior disciplinary issues) are known in the screening process and consider having the official participate in the selection process.  

Set clear confidentiality expectations and know what technology the security professionals use. Given the access that security professionals have, clear expectations of confidentiality are key. The general counsel for the office can help ensure that confidentiality expectations address any recording or transmitting devices that the security team uses. For any law enforcement agency that provides help, it is important to understand what technology they use and have a shared understanding of confidentiality needs and limitations.  

Communicate with the security team. Officials or their staff should regularly and freely communicate security needs and preferences. Good security teams try to accommodate hobbies, family life, and the official’s style of constituent engagement. Implement processes for officials, their loved ones, and staff to report security issues, like threats, to the security team. 

Download PDF here.

Designate points of contact between office staff and the relevant security professionals. They should communicate with each other regularly and implement systems to share concerns from members of their respective teams. These same individuals should also receive law enforcement briefings concerning threats and other security risks.  

Determine a notification system for threats. The official and their chief deputy should be made aware immediately of any potential threats to the official, their staff, or loved ones, regardless of the perceived seriousness of the threat. Agree on what specific communications platform will be used for these notifications (e.g., text, calls, Slack, etc.).  

Screen visitors in advance of their arrival to the office. At the least, basic internet searches based on an individual’s name, phone number, address, and email should be completed before new individuals meet with the elected official. Questions to elicit this information can be incorporated into an online form or a phone script.  

Obtain background checks of new hires. Law enforcement counterparts may be able to help.

Review and drill emergency procedures with the security team (e.g., active shooter drills, fire drills, bomb threats, etc.).  These procedures should be up to date for the current office location, layout, and staff. Make sure emergency roles are not assigned to former staff. Update all new employees as they onboard about these procedures.  

Set clear security policy and expectations, and train and run drills with office staff. Law enforcement or security professionals can train staff in how to enhance security, including what to look out for at events, how to screen individuals seeking appointments with the office, steps to properly document and alert others to threats, and what phishing emails look like. Similarly, policy and training in how to avoid security pitfalls, especially with social media, are key. Consider running drills to reinforce training.  

Assess and strengthen as needed the office’s physical security. Security professionals should assess the office for security vulnerabilities and offer suggestions. Physical barriers should separate the lobby from the staff, and ideally additional barriers should block access to the elected official’s office. Security cameras should be installed and should store video and be monitored regularly. Periodically audit the list of individuals who have access to the office, parking, and other sensitive areas. Consider installing a panic button or silent alarm.  

Determine whether and when to have security professionals provide physical monitoring of the office. Under some conditions, such as an active threat to the official, periodic physical monitoring of the office may be warranted by security professionals or by law enforcement. 

Download PDF here.

Consult state law and use available procedures to protect the official’s and staff’s PII in public records, as well as private accounts and registrations. A person’s DMV, property, voter registration, and other government records all contain PII.  Some states have procedures for protecting from public disclosure some or all categories of PII for judges and other public officials. Consulting with an attorney about available procedures in the state may be helpful. For private accounts and registrations, using a work address or a different name will help maintain privacy and security. Completely removing PII from public view may not be possible, but reducing the exposure is still valuable. 

Engage a service to remove online PII. Various services monitor and delete PII, such as email addresses and phone numbers, that has been shared by data brokers and is available online.  

Secure sensitive physical documents. Keep important personal documents, including those containing PII, locked in a safe. Shred unwanted but sensitive documents.    

Ensure the security of court documents. Court documents often contain PII and may be retrieved electronically. Consult an attorney to have PII redacted or placed under seal. 

Download PDF here.

Use two-factor identification. This provides an extra layer of account security for log-ins.  

Always require a password to access your phone, computer, and tablet.  

Passwords should be strong, unique to each account, and changed frequently. A strong password includes capital and lower-case letters, numbers, and symbols. It should never include personal information, such as your name. Passwords should be changed every 30 days, should never be used for more than one site, nor reused, nor shared with others (including staff). A password manager/ vault (with encrypted storage) may help you keep track of each password.  

Keep software updated, especially your operating system, security software, and browser.  Software providers regularly issue updates to patch security holes.   

Create a secondary email account to log in to websites for personal purposes.  A secondary email account, not used for personal correspondence but for logging in to websites, will reduce spam and exposure to cyber criminals. 

Don’t click on links or attachments in suspicious emails. They may include viruses. Unless you know the sender and the contents of the attachment or link, do not click on it.  

Don’t use unsecured or unknown wireless networks. Be wary of using free and/or public Wi-Fi. These networks are frequently exploited by cybercriminals. Use only known networks, and use your mobile device’s network, which tends to be more secure, for highly sensitive data, such as online banking. Consider using the data on your phone or carrying a hotspot with you.   

Enable remote tracking for wireless devices. This allows you to find a lost device.   

Enable wiping for wireless devices with only personal information on them and discuss procedures with counsel about devices with work information on them. In the event that a mobile device with only personal information on it is lost, ensure that deleting the contents remotely is possible. Consult with counsel about what to do in the event a work device is lost, as state laws and policies may impact the appropriate response. 

Download only trusted apps and keep them updated. Mobile applications often gather large amounts of personal data, including location data and contacts. Be sure you know what an application is collecting before downloading it. Keep apps up to date to patch security issues.  

Log out of accounts when you’re not using them. This is especially true on a public computer.  

Determine the appropriate use of social media, which presents unique security concerns.    

• Avoid posting about or tagging your real-time location in your private life and consult with security professionals before doing so in your official capacity.  
• Consider deleting private social media accounts. If you use social media, use privacy settings to control who can find your profile and see your posts.   
• Consult security professionals before posting images of your office or home. 
• Ensure that the official’s loved ones are instructed in social media hygiene.  

Exercise extra caution when making online purchases.  

• Buy only from sellers with a non-P.O. Box physical address and phone number.  
• Buy only from secure sites. Check a seller’s security/encryption software before buying. Sites that begin with “https” tend to be more secure, as are ones with a padlock icon in the browser location field. Avoid buying from sellers outside the United States when possible.  
• If you buy from someone directly, email them first to see if their email address is active.  
• Double-check the domain name to make sure you are buying from the correct site. Cyber criminals set up fake sites that mimic legitimate sites and have similar URL addresses. Read reviews of the seller on other sites, ideally trusted third-party sites.  

Download PDF here.

Scout the event site and surrounding areas and use intelligence collection to inform your plans. Try to select venues with which the security team is already familiar. Security professionals or a trained staffer should arrive at the event before the official arrives and report back on any unruly protests, security hazards, or obvious security gaps—paying special attention to locations where the official will be appearing, entering, and exiting, as these are the most vulnerable points of any event. Plan entry and exit points ahead of time and have backups options ready. 

Carefully consider when to announce an event. The longer an event is forecast, the more time bad actors have to plan. When it is necessary to announce an official’s presence at an event, consider not stating exact times when they will be present.  

Plan travel to and from the event. Entry and exit points should be determined in advance. In addition, identifying backup options for entry and exit is critical.     

Remain alert when you enter and exit events. These are moments of greatest vulnerability during a public event, so everyone on the team, including the official, their staff, and any security professionals, should stay off their phones and remain aware of their surroundings.    

Keep a 360-degree security profile on the official, especially when speaking. Ideally, the official has a complete view into the space and no one can approach the official from behind.  

Create buffer zones between the official and any crowds. A buffer gives the official, their staff, and any security professionals time to react. 

Be willing to cancel if required for safety reasons. No event is more important than safety. The security professionals and staff should be in touch with law enforcement about security concerns. Decide ahead of time what level of security concerns will trigger cancellation.  

Staff should act as an additional set of eyes and ears. Consider asking security professionals to train the staff on how to help with security monitoring at events. Set an expectation that all staff at the event will communicate with the relevant security professionals (e.g., security team, event security, law enforcement) to transmit important information (e.g., seeing an unattended bag or someone with a weapon). Staff should know who to communicate with ahead of each event and how to do so (e.g., text message, Slack, WhatsApp, etc.). 

Download PDF here.