Cybersecurity Response and Business Continuity
Toronto Public Library
Innovation Synopsis
TPL became aware of a cybersecurity incident in October 2023. Staff initiated measures to mitigate impacts by shutting down the technical environment including all internal and external systems. Legal counsel with expertise in cybersecurity was engaged to advise on containment, forensics, and impact. Cybersecurity experts supported staff’s implementation of additional proactive measures to safeguard TPL’s systems.
The shutdown of TPL’s technical environment and the ensuing work resulted in the suspension of many core library services, including the website and catalog, holds, and Your Account services; public computing and printing; and access to some digital collections. During the outage, many of TPL’s online and in-branch services remained available and were well-used by the public throughout the recovery period. All 100 branches remained open with access to staff expertise, collections including staff assisted borrowing and returns, study space, programming, and Wi-Fi.
Challenge/Opportunity
TPL has implemented additional security controls, updated hardware/software, and introduced new processes to protect our technical environment. TPL has not replicated the former technical environment and has used this opportunity to accelerate TPL’s IT security program maturity.
An Incident Management governance structure was used to manage enterprise business/service continuity recovery with expedited decision-making. Senior Leadership, including privacy and communication managers, acted as the decision-makers, engaged with counsel, and developed priorities and communications.
The Library Operations Center reported daily to the senior team and led continuity and recovery, coordinated operations and internal communications, and liaised between business and service staff.
The Library Management Team distributed internal communications, directed engagement with staff and implemented business continuity and service recovery plans.
Key Elements of Innovation
Legal Counsel – immediate support from counsel with cybersecurity expertise to advise on all communications, obligations, and best practices related to privacy breaches, identity theft, and legal privilege.
Cybersecurity Specialists – immediate technical support from specialists who reported to legal counsel so TPL could receive critical advice regarding containment, forensic assessment, re-building, recovery of the technical environment, appropriate security assessment, and consulting for go-forward plans.
Business Continuity Plans – established proactive response using the Library’s Incident Management System. This proved essential with the launch of LOC, TPL’s emergency operations center, on day 1 of the incident, including a temporary website, physical and digital collections, and programs online and in the branch.
Staff communication, innovation and leadership ensured customers were able to continually access the maximum level of services possible in less than 18 hours of the incident
Achieved Outcomes
100 branches and two bookmobiles remained open with access to staff expertise, collections with manual checkout, study space, programming, Wi-Fi, and youth hubs. Branches continued to be spaces for vulnerable populations with access to warm spaces, washrooms and staff supports.
Over 1 million checkouts of physical materials during the recovery period.
More than 20,000 new library card memberships were processed during the recovery period.
Most of TPL’s digital collection remained available, including ebooks and audiobooks; the music library of classical, jazz and world music; newspapers and magazines through Press Reader; and streaming services such as Kanopy and Hoopla. Borrowing of ebooks and e-audiobooks surpassed 11 million in 2023, a result of increased usage of the digital collection during the recovery period.
Sharing of best practices and guidance to other libraries impacted by cyber incidents and at conferences for those preparing for an unfortunate eventuality.
Additional Materials:
Cybersecurity Incident Strategic Communications Overview