AI Incident Response for LAC Small Business

Created by Adrian Dunkley | maestrosai.com | ceo@maestrosai.com | Fair Use

AI systems fail. A chatbot gives a wrong price. An agent books the wrong date. A translation insults a customer. A model leaks a name it shouldn’t have. In a small business you don’t have a crisis team, but you do need a plan. This page is that plan. Keep it short, keep it posted where your staff can see it, and rehearse it once a quarter.

The five-step protocol

Every AI incident gets handled the same way.
  1. Contain: Stop the process. Turn off the agent. Pause the automation. If customers are actively affected, route to a human.
  2. Assess: What happened? Who is affected? Is any personal data exposed? Is any money at risk?
  3. Notify: The affected customer first, then (if required) your regulator. Use the templates below.
  4. Fix: Patch the root cause. Not the symptom. Write a one-paragraph post-mortem.
  5. Record: File the incident in your register. Include date, impact, cause, fix, and owner.
Do 1 and 2 within the first hour. Do 3 within 24 hours. Do 4 and 5 within a week.

Severity levels

Not every AI mistake is an incident. Use this classification.
| Level | Example | Response |
| --- | --- | --- |
| Low (informal) | Typo in an AI-generated caption | Fix and move on. No formal incident log. |
| Medium (internal) | Agent sends a wrong quote to one customer | Apologise to the customer; log internally. |
| High (formal incident) | Agent exposes personal data, sends money to the wrong account, or produces output that harms reputation | Full protocol. Document. Notify if legally required. |
| Critical (regulatory) | Data breach affecting 100+ people, financial loss > local regulatory threshold, or harm to a vulnerable person | Full protocol. Regulator notification within legal window (72 hours under LGPD; similar under Chile 21.719 and Jamaica DPA). Engage a lawyer. |

Customer notification templates

Short, truthful, no hedging. Send in the customer’s preferred language.

English

“Hi [name], on [date] our AI-assisted system sent you [describe: wrong quote / wrong date / incorrect information]. The correct information is […]. We have fixed the underlying issue. [If applicable: No personal data was exposed.] We are sorry for the inconvenience. If you have any questions, please reply to this message or call [phone]. A human will handle your case from here.”

Español

“Hola [nombre], el [fecha] nuestro sistema asistido por IA te envió [describir: una cotización incorrecta / una fecha equivocada / información errónea]. La información correcta es […]. Ya corregimos el problema. [Si aplica: ningún dato personal fue expuesto.] Lamentamos la molestia. Si tienes dudas, responde este mensaje o llama al [teléfono]. A partir de ahora te atenderá una persona.”

Português

“Olá [nome], no dia [data] nosso sistema com apoio de IA enviou [descrever: cotação errada / data errada / informação incorreta]. A informação correta é […]. Já corrigimos o problema. [Se aplicável: nenhum dado pessoal foi exposto.] Pedimos desculpas pelo inconveniente. Se tiver dúvidas, responda esta mensagem ou ligue para [telefone]. A partir de agora uma pessoa vai cuidar do seu caso.”

Français

“Bonjour [nom], le [date] notre système assisté par IA vous a envoyé [décrire : devis erroné / mauvaise date / information incorrecte]. L’information correcte est […]. Le problème a été corrigé. [Le cas échéant : aucune donnée personnelle n’a été exposée.] Nous sommes désolés pour la gêne occasionnée. Pour toute question, répondez à ce message ou appelez le [téléphone]. Une personne prendra désormais en charge votre dossier.”

Kreyòl

“Bonjou [non], nan [dat] sistèm nou an ki gen sipò IA te voye ba ou [dekri: move pri / move dat / enfòmasyon ki pa kòrèk]. Bon enfòmasyon an se […]. Nou deja korije pwoblèm nan. [Si sa aplikab: okenn done pèsonèl pa t ekspoze.] Nou dezole pou dezagreman an. Si w gen kesyon, reponn mesaj sa oswa rele [telefòn]. Se yon moun k ap okipe w kounye a.”

Regulator notification by country

Where notification is legally required, here’s who to contact. Timing matters. Most LAC regimes now expect notification within 72 hours of becoming aware of a reportable breach.
| Country | Authority | Reporting window | How |
| --- | --- | --- | --- |
| Brazil | ANPD | Within a “reasonable” time; LGPD does not fix hours but guidance says 48-72h | gov.br/anpd |
| Mexico | INAI / successor agency | Without undue delay | Through the agency’s portal |
| Argentina | AAIP | 48-72h recommended | argentina.gob.ar/aaip |
| Chile | Agencia de PDP (from Dec 2026) | 72h | Per Ley 21.719 |
| Colombia | SIC | 15 business days | sic.gov.co |
| Peru | ANPDP | 72h under Ley 29733 | gob.pe/anpdp |
| Uruguay | URCDP | 72h | urcdp.gub.uy |
| Ecuador | Superintendencia de PDP | 72h | Via Superintendencia portal |
| Costa Rica | PRODHAB | 5 business days | prodhab.go.cr |
| Panama | ANTAI | Per Ley 81/2019 | Via ANTAI |
| Jamaica | Office of the Information Commissioner | 72h | oic.gov.jm |
| Trinidad & Tobago | Office of the Information Commissioner | Per DPA 2011 | oic.gov.tt |
| Barbados | Data Protection Commissioner | Without undue delay | dataprotection.bb |
| Cayman Islands | Ombudsman | 5 days | ombudsman.ky |
| Bermuda | Privacy Commissioner | Per PIPA | privacy.bm |
| Dominican Republic | Comisionado de Protección de Datos | Per Ley 172-13 | Via Comisionado |
| Puerto Rico | US federal + local regulators | Per US federal rules and local law | |
| French overseas (MQ, GP) | CNIL | 72h under GDPR | cnil.fr |
This list is informational. Confirm current contacts with local counsel before relying on it.

The incident register (template)

Keep a simple spreadsheet. These columns are enough.
| Column | Example |
| --- | --- |
| Date | 2026-03-14 |
| Incident ID | INC-2026-007 |
| System | WhatsApp booking agent |
| Severity | High |
| Affected people | 1 customer |
| Data exposed? | No |
| Money at risk? | No |
| Root cause | Currency conversion hardcoded USD rate, COP rate moved 3% |
| Fix | Pulled FX from OpenExchange API; added daily check |
| Notified customer? | Yes, 2026-03-14 18:20 |
| Notified regulator? | No (not required) |
| Owner | Maria Torres |
| Closed | 2026-03-17 |
Review the register monthly. Patterns show up. Three incidents from the same tool mean the tool needs replacement, not another patch.

Root-cause patterns to watch for

Over time, most LAC SMB AI incidents fall into one of these buckets. If yours do too, target the bucket, not the one-off.
| Pattern | Typical fix |
| --- | --- |
| Currency or tax hardcoded | Pull live rates; add a daily sanity check |
| Language detection wrong | Detect from first message, lock for session |
| Out-of-date price or inventory | Tool call against live source, not cached text |
| Wrong date format (DD/MM vs MM/DD) | Normalize to ISO 8601 (YYYY-MM-DD) internally |
| Over-promising SLAs | Add a “don’t commit without human” guardrail |
| Leaking personal data in logs | Mask PII at the log sink |
| Agent loops | Max-steps cap + timeout |
| Wrong branch of business | Add explicit branch in system prompt or tool list |
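
One way to apply the “Mask PII at the log sink” fix, as an added example that is not part of the original page: a Python `logging` filter attached to the handler, so every record is masked just before it is written, whichever part of the agent produced it. The regular expressions, the logger name and the sample events are assumptions constructed for illustration.

```python
import io
import logging
import re

# Illustrative patterns (assumptions): extend them for national ID or card numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<![\w:-])\+?\(?\d[\d\s().-]{6,}\d(?![\w:-])")


def mask_phone_match(match: re.Match) -> str:
    """Mask only digit runs of phone length, so ISO dates (8 digits) survive."""
    digits = sum(ch.isdigit() for ch in match.group())
    return "[PHONE]" if 9 <= digits <= 15 else match.group()


def mask_pii(text: str) -> str:
    """Replace e-mail addresses and phone-like numbers with fixed tokens."""
    return PHONE_RE.sub(mask_phone_match, EMAIL_RE.sub("[EMAIL]", text))


class PiiMaskingFilter(logging.Filter):
    """Masks the fully formatted message, so PII passed as %-args is covered."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pii(record.getMessage())
        record.args = None  # args are already merged into msg
        return True


def build_logger(stream) -> logging.Logger:
    """Return a logger whose single handler masks each record before writing."""
    handler = logging.StreamHandler(stream)
    handler.addFilter(PiiMaskingFilter())  # attached to the handler: the sink
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("booking_agent_demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # no unmasked copy reaches root handlers
    return logger


def demo() -> str:
    """Log two constructed events and return what the sink actually stored."""
    sink = io.StringIO()
    log = build_logger(sink)
    log.info("Quote sent to %s for booking %s", "ana@example.com", "INC-2026-007")
    log.warning("Customer called from +1 876 555 0100 about 2026-03-14 booking")
    return sink.getvalue()
```

Calling `demo()` returns the two stored lines with the address and number replaced, while the incident ID and the ISO date stay readable for the post-mortem. The phone pattern errs toward over-masking long digit runs, which is the safer direction for a log.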

Escalation tree

Post this near the person who operates the AI.
1. Customer-facing error, no data leak, no money lost
   → Apologise, fix for that customer, log internally.

2. Customer-facing error, money or time at stake
   → Pause the automation. Assign a human. Notify the customer in writing.
     Follow up within 24h. Log as High severity.

3. Personal-data exposure, any size
   → Pause immediately. Call the named DPO or owner.
     Assess scope within 2h. Decide on regulator notification.
     Notify affected individuals within the legally required window.

4. Financial loss > local threshold, or any harm to a vulnerable person
   → Pause. Call the owner. Call counsel. Follow Critical protocol.


Created by Adrian Dunkley | MaestrosAI | maestrosai.com | ceo@maestrosai.com | Fair Use, Educational Resource | April 2026

Disclaimer: Informational only. Confirm specific notification windows and authorities with local counsel.