Dawn-Raid Playbook
Corporate / Compliance • Rapid-response guide
00 • Immediate Action (first 5 minutes)
Follow this sequence calmly. Do not obstruct. Do not volunteer extra information. Keep a respectful, factual tone.
01 • Scope, Rights & Rules
- Ask for ID cards, agency, legal basis, and scope (time period, business units, data categories).
- Request a copy of the warrant/letter. Note any limitations (places, devices, keywords, individuals).
- Politely request time for counsel to arrive. Do not obstruct if they start.
- Cooperate professionally. Do not consent beyond the documented scope.
- Never waive legal privilege or confidentiality inadvertently; segregate privileged material.
- Request forensic copies rather than live system downtime where feasible. Offer IT liaison.
- Log every device imaged or taken (asset tag, user, serial, condition).
- Ensure chain-of-custody forms are completed and signed.
- Employees should have the right to have counsel present (check local law & policy).
- Provide an Upjohn warning (counsel represents the company, not the individual) where appropriate.
- No private devices unless within lawful scope and policy.
- All press handled solely by the designated spokesperson.
- Prepare a holding line: “We are cooperating fully with the authorities.”
- Monitor social channels; instruct staff not to post.
02 • On-Site Roles
| Role | Owner | Primary Duties | Back-up |
|---|---|---|---|
| Incident Lead | [Name] | Owns timeline, decisions, escalations; liaises with officials. | [Name] |
| Legal Lead | [Name] | Reviews scope, privilege screening, interview coordination. | [Name] |
| IT Forensics | [Name] | Device inventory, imaging support, access logs, holds. | [Name] |
| Reception Marshal | [Name] | Check IDs, seat officials, distribute badges, escort policy. | [Name] |
| Floor Walker(s) | [Name] | Escort teams, mirror searches, log every action and item taken. | [Name] |
| Comms Lead | [Name] | Internal banners, staff brief, external holding statement. | [Name] |
03 • Do / Don’t (at a glance)
Do
- Be courteous; keep everyone in designated rooms.
- Photocopy/scan authorization and IDs; timestamp everything.
- Mirror searches (one staff member shadows each official).
- Apply legal hold across systems and backups.
- Keep privileged docs segregated & clearly marked.
Don’t
- Don’t delete, move, or “tidy up” anything.
- Don’t volunteer extra info or speculate.
- Don’t block access within lawful scope.
- Don’t allow unsupervised roaming.
04 • Evidence Log & Chain-of-Custody
Use this table to log every document/device reviewed, copied, or taken.
| # | Time | Item | Asset/Serial | Owner/User | Action | Official | Notes |
|---|---|---|---|---|---|---|---|
05 • Incident Intake
06 • Timelines
First 24 hours
- Confirm legal basis; capture copies; start evidence log.
- Issue/verify legal hold; snapshot critical systems.
- Counsel triage meeting; define narrative & comms line.
- Secure privileged repositories; map data subjects.
First 7–14 days
- Internal investigation plan (scope, custodians, keywords).
- Forensic imaging & review protocol; preservation letters to vendors.
- Regulatory engagement plan & deadlines calendar.
- Remediation opportunities; employee training refresh.