09 — Founder Doxxing or Personal Attack
Trigger: Personal information — home address, family details, financial records, private communications, romantic relationships, mental-health information — about a founder, executive, or other team member is exposed online or used as the basis of a public attack.
First 30 minutes
Doxxing is uniquely dual-natured: it’s a personal-safety event for an individual and a brand event for the company. The personal-safety dimension takes precedence; the brand response follows from it.
- Confirm the doxxing. What’s been exposed? Where? Who is the originator? What is verifiably accurate vs. fabricated?
- Open the hotline. “Doxxing event: subject [name], type [data exposed], physical safety: [at risk / unclear / not at risk].”
- Personal safety first. The affected individual may need: physical security review, family notification, school/childcare notification (if relevant), home security adjustment, possible relocation. Comms response is secondary to physical security.
- Notify counsel and law enforcement. Doxxing is illegal in most jurisdictions; depending on the exposed information and the context, criminal-complaint paths may be appropriate. Counsel decides.
- Initiate takedown requests on platforms. X, Reddit, Telegram, Discord all have abuse-reporting mechanisms for doxxing content. Use the formal channels — they’re effective and creating a record matters.
- Notify the platforms’ enforcement teams via direct contact (if you have it). Most major platforms have escalation paths for bona-fide doxxing reports beyond the user-facing forms.
- Convene the war room. Tightly held: CEO, founder (the affected individual or their delegate if they’re not in a state to participate), counsel, head of comms, head of security if applicable.
- Decide on public posture. Three options: silence (most common, often correct), brief acknowledgement, full statement. Hardly ever the third.
Holding statement templates
When silence is the right posture
Most doxxing events warrant no public statement. The doxxing draws attention; engagement amplifies the attention. Where the company is concerned, business-as-usual is often the loudest counter-signal.
Internal-only message to the team:
Team —
Many of you may have seen [PUBLIC POST / REPORTS] about [NAME]. We are aware of the
situation and are taking the appropriate steps.
Out of respect for [NAME]'s safety and privacy, we will not be commenting publicly. Please
do not engage with the [POSTS / ACCOUNTS] involved.
If you have questions or concerns, please reach out to [HR LEAD] directly.
— [CEO]
When brief public acknowledgement is required
Used when the silence posture would itself become a story (typically: when the affected person is the public face of the company and absence would be conspicuous, or when the doxxing leads to a public physical-safety incident):
[TIMESTAMP — UTC]
[COMPANY] is aware of [SPECIFIC PUBLIC INCIDENT — e.g., "online posts disclosing personal
information about [NAME]"].
We do not comment on personal matters affecting our team. The matter is being addressed
through appropriate channels, including law enforcement where relevant.
Company operations are unaffected. We will not provide further public updates on this
matter.
— [Company]
When the doxxing includes false content presented as fact
Different posture — the false content can become reputational risk to the company (allegations of impropriety, etc.). This is closer to 07 — Social Firestorm handling:
[TIMESTAMP — UTC]
[POSTS / CONTENT] circulating regarding [NAME] include factually false claims that
[NAME / COMPANY] [SPECIFIC FALSE ALLEGATION].
For the record: [SPECIFIC, BRIEF, EVIDENCE-BASED CORRECTION].
We are addressing the broader matter through appropriate channels, including legal
recourse where applicable. We will not be commenting further publicly.
— [Name, Role]
What all templates avoid:
- Repeating any of the doxxed information.
- Naming the originator (you don’t want to give them a target name to amplify).
- Emotional language. Doxxing is emotional; public response cannot be.
- Threats of legal action against unnamed parties (it reads as defensive).
- Founder personal counter-statement before counsel review.
Stakeholder cascade
| # | Audience | Channel | Who | Goal |
|---|---|---|---|---|
| 1 | Affected individual (primary) | Direct | CEO and HR lead | Personal safety; consent on response posture |
| 2 | Family of affected individual | Direct | Affected individual or delegate | Awareness, safety |
| 3 | Counsel + law enforcement | Phone | Comms lead with CEO | Legal options & evidence preservation |
| 4 | Platform enforcement teams | Direct contacts where available | Comms lead | Takedowns |
| 5 | Internal team | Internal note (not all-hands meeting unless escalated) | CEO | Quiet awareness; no engagement |
| 6 | Major investors / board | 1:1 if material | CEO | Awareness if event affects business operations |
| 7 | Public (only if statement chosen) | X + blog | Comms lead with counsel | Bounded acknowledgement |
| 8 | Press | Reactive only | Comms lead | “We do not comment on personal matters” |
Do
- Prioritize physical safety over communications. If physical safety needs aren’t met, the comms response doesn’t matter.
- File takedown reports immediately and on every platform. Not because they always work but because the record matters.
- Engage law enforcement. Even if no immediate action follows, a paper trail is created.
- Maintain operational continuity visibly. Business-as-usual signaling is often the right posture for the company.
- Support the affected individual personally. Mental-health support, time off, security review. The brand response is downstream of this.
Don’t
- Don’t repeat the doxxed information — even to deny it. The denial amplifies the original.
- Don’t engage the originator publicly. It feeds them.
- Don’t issue a long emotional statement. It reads as either weak or PR-ish, both of which are worse than a brief acknowledgement.
- Don’t sue performatively. If you sue, sue to win quietly. Cease-and-desist letters that get screenshot-tweeted are amplification, not deterrent.
- Don’t allow the founder to post personally during the acute phase. Counsel and comms review every message until the situation stabilizes.
Variants
Family member doxxing. Often more dangerous than the founder’s own doxxing. Same playbook with extra emphasis on physical-safety steps. Consider whether the affected family member needs separate counsel.
Doxxing with extortion / threats. Different category — engage law enforcement immediately, do not negotiate, do not respond to the originator. Counsel and security lead drive.
Old, recycled “doxxing”. Sometimes the “doxxing” is recycled information (publicly available filings, old social-media posts). Treat it as a social firestorm rather than a fresh doxxing event. Cross-reference 07 — Social Firestorm.
Internal-source doxxing. When the leak originates from an inside source (current or former employee), HR and counsel lead. Different posture than external doxxing.
Government / state-actor-attributed doxxing. Rare but increasingly real. Specialised legal and physical-security response; usually requires specialist counsel beyond standard cyber-counsel.
24-hour follow-up
- Confirm physical safety arrangements remain in place.
- Track takedown progress; escalate unresponsive platforms.
- Document the chain — what was posted, where, when, by whom, when removed. Future legal proceedings or further incidents will reference this.
- Consider whether the affected individual needs an extended absence from public-facing duties. Don’t pressure them back into visibility.
- Review what made the doxxing possible: were security practices adequate? Is there hardening to do?
- Check in with the affected individual at day 7 and day 30. Doxxing has long psychological tails.
Cross-references: 05 — Key-Person Event, 07 — Social Firestorm. The personal dimension is what distinguishes this from other crisis types — treat it accordingly.