# AI Incident Response for LAC Small Business

> **Created by Adrian Dunkley** | [maestrosai.com](https://maestrosai.com) | [ceo@maestrosai.com](mailto:ceo@maestrosai.com) | Fair Use

***

AI systems fail. A chatbot gives a wrong price. An agent books the wrong date. A translation insults a customer. A model leaks a name it shouldn't have. In a small business you don't have a crisis team, but you do need a plan. This page is that plan.

Keep it short, keep it posted where your staff can see it, and rehearse it once a quarter.

***

## The five-step protocol

Every AI incident gets handled the same way.

1. **Contain**: Stop the process. Turn off the agent. Pause the automation. If customers are actively affected, route to a human.
2. **Assess**: What happened? Who is affected? Is any personal data exposed? Is any money at risk?
3. **Notify**: The affected customer first, then (if required) your regulator. Use the templates below.
4. **Fix**: Patch the root cause. Not the symptom. Write a one-paragraph post-mortem.
5. **Record**: File the incident in your register. Include date, impact, cause, fix, and owner.

Do steps 1 and 2 within the first hour. Do step 3 within 24 hours. Do steps 4 and 5 within a week.

***

## Severity levels

Not every AI mistake is an incident. Use this classification.

| Level                      | Example                                                                                                        | Response                                                                                                                                      |
| -------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Low (informal)**         | Typo in an AI-generated caption                                                                                | Fix and move on. No formal incident log.                                                                                                      |
| **Medium (internal)**      | Agent sends a wrong quote to one customer                                                                      | Apologise to the customer; log internally.                                                                                                    |
| **High (formal incident)** | Agent exposes personal data, sends money to the wrong account, or produces output that harms reputation        | Full protocol. Document. Notify if legally required.                                                                                          |
| **Critical (regulatory)**  | Data breach affecting 100+ people, financial loss > local regulatory threshold, or harm to a vulnerable person | Full protocol. Regulator notification within legal window (72 hours under LGPD; similar under Chile 21.719 and Jamaica DPA). Engage a lawyer. |

***

## Customer notification templates

Short, truthful, no hedging. Send in the customer's preferred language.

### English

> "Hi \[name], on \[date] our AI-assisted system sent you \[describe: wrong quote / wrong date / incorrect information]. The correct information is \[...]. We have fixed the underlying issue. \[If applicable: No personal data was exposed.] We are sorry for the inconvenience. If you have any questions, please reply to this message or call \[phone]. A human will handle your case from here."

### Español

> "Hola \[nombre], el \[fecha] nuestro sistema asistido por IA te envió \[describir: una cotización incorrecta / una fecha equivocada / información errónea]. La información correcta es \[...]. Ya corregimos el problema. \[Si aplica: ningún dato personal fue expuesto.] Lamentamos la molestia. Si tienes dudas, responde este mensaje o llama al \[teléfono]. A partir de ahora te atenderá una persona."

### Português

> "Olá \[nome], no dia \[data] nosso sistema com apoio de IA enviou \[descrever: cotação errada / data errada / informação incorreta]. A informação correta é \[...]. Já corrigimos o problema. \[Se aplicável: nenhum dado pessoal foi exposto.] Pedimos desculpas pelo inconveniente. Se tiver dúvidas, responda esta mensagem ou ligue para \[telefone]. A partir de agora uma pessoa vai cuidar do seu caso."

### Français

> "Bonjour \[nom], le \[date] notre système assisté par IA vous a envoyé \[décrire : devis erroné / mauvaise date / information incorrecte]. L'information correcte est \[...]. Le problème a été corrigé. \[Le cas échéant : aucune donnée personnelle n'a été exposée.] Nous sommes désolés pour la gêne occasionnée. Pour toute question, répondez à ce message ou appelez le \[téléphone]. Une personne prendra désormais en charge votre dossier."

### Kreyòl

> "Bonjou \[non], nan \[dat] sistèm nou an ki gen sipò IA te voye ba ou \[dekri: move pri / move dat / enfòmasyon ki pa kòrèk]. Bon enfòmasyon an se \[...]. Nou deja korije pwoblèm nan. \[Si sa aplikab: okenn done pèsonèl pa t ekspoze.] Nou dezole pou dezagreman an. Si w gen kesyon, reponn mesaj sa oswa rele \[telefòn]. Se yon moun k ap okipe w kounye a."

***

## Regulator notification by country

Where notification is legally required, here's who to contact. Timing matters. Most LAC regimes now expect notification within 72 hours of becoming aware of a reportable breach.

| Country                  | Authority                              | Reporting window                                                             | How                                                        |
| ------------------------ | -------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------------- |
| Brazil                   | ANPD                                   | Within a "reasonable" time; LGPD does not fix hours but guidance says 48-72h | [gov.br/anpd](https://www.gov.br/anpd)                     |
| Mexico                   | INAI / successor agency                | Without undue delay                                                          | Through the agency's portal                                |
| Argentina                | AAIP                                   | 48-72h recommended                                                           | [argentina.gob.ar/aaip](https://www.argentina.gob.ar/aaip) |
| Chile                    | Agencia de PDP (from Dec 2026)         | 72h                                                                          | Per Ley 21.719                                             |
| Colombia                 | SIC                                    | 15 business days                                                             | [sic.gov.co](https://www.sic.gov.co)                       |
| Peru                     | ANPDP                                  | 72h under Ley 29733                                                          | [gob.pe/anpdp](https://www.gob.pe/anpdp)                   |
| Uruguay                  | URCDP                                  | 72h                                                                          | [urcdp.gub.uy](https://www.urcdp.gub.uy)                   |
| Ecuador                  | Superintendencia de PDP                | 72h                                                                          | Via Superintendencia portal                                |
| Costa Rica               | PRODHAB                                | 5 business days                                                              | [prodhab.go.cr](https://www.prodhab.go.cr)                 |
| Panama                   | ANTAI                                  | Per Ley 81/2019                                                              | Via ANTAI                                                  |
| Jamaica                  | Office of the Information Commissioner | 72h                                                                          | [oic.gov.jm](https://oic.gov.jm)                           |
| Trinidad & Tobago        | Office of the Information Commissioner | Per DPA 2011                                                                 | [oic.gov.tt](https://www.oic.gov.tt)                       |
| Barbados                 | Data Protection Commissioner           | Without undue delay                                                          | [dataprotection.bb](https://www.dataprotection.bb)         |
| Cayman Islands           | Ombudsman                              | 5 days                                                                       | [ombudsman.ky](https://ombudsman.ky)                       |
| Bermuda                  | Privacy Commissioner                   | Per PIPA                                                                     | [privacy.bm](https://www.privacy.bm)                       |
| Dominican Republic       | Comisionado de Protección de Datos     | Per Ley 172-13                                                               | Via Comisionado                                            |
| Puerto Rico              | US federal + local regulators          | Per US federal rules and local law                                           |                                                            |
| French overseas (MQ, GP) | CNIL                                   | 72h under GDPR                                                               | [cnil.fr](https://www.cnil.fr)                             |

*This list is informational. Confirm current contacts with local counsel before relying on it.*

***

## The incident register (template)

Keep a simple spreadsheet. These columns are enough.

| Column              | Example                                                   |
| ------------------- | --------------------------------------------------------- |
| Date                | 2026-03-14                                                |
| Incident ID         | INC-2026-007                                              |
| System              | WhatsApp booking agent                                    |
| Severity            | High                                                      |
| Affected people     | 1 customer                                                |
| Data exposed?       | No                                                        |
| Money at risk?      | No                                                        |
| Root cause          | Currency conversion hardcoded USD rate, COP rate moved 3% |
| Fix                 | Pulled FX from OpenExchange API; added daily check        |
| Notified customer?  | Yes, 2026-03-14 18:20                                     |
| Notified regulator? | No (not required)                                         |
| Owner               | Maria Torres                                              |
| Closed              | 2026-03-17                                                |

Review the register monthly. Patterns show up. Three incidents from the same tool mean the tool needs replacement, not another patch.
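
The register row, the severity table and the protocol clock can be wired together so the spreadsheet tells you what is overdue instead of you re-reading the page during an incident. This is an added example, not part of the playbook's own tooling; the `Incident` field names follow the template columns, the Low/Medium split (Low means nobody outside the team was affected) is an approximation of the severity table, and the sample row is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows from the five-step protocol: steps 1-2 within the first hour,
# step 3 within 24 hours, steps 4-5 within a week of the incident.
WINDOWS = {
    "contain_assess": timedelta(hours=1),
    "notify": timedelta(hours=24),
    "fix_record": timedelta(days=7),
}

@dataclass
class Incident:
    """One row of the register; field names follow the template columns."""
    incident_id: str
    system: str
    occurred: datetime
    affected_people: int
    data_exposed: bool
    money_at_risk: bool
    reputational_harm: bool = False
    vulnerable_person_harmed: bool = False
    loss_over_threshold: bool = False   # the "local regulatory threshold" varies by country
    contained: Optional[datetime] = None
    notified_customer: Optional[datetime] = None
    closed: Optional[datetime] = None

def classify(inc: Incident) -> str:
    """Severity per the table above; Low means nobody outside the team was affected."""
    if inc.vulnerable_person_harmed or inc.loss_over_threshold or (inc.data_exposed and inc.affected_people >= 100):
        return "Critical"
    if inc.data_exposed or inc.money_at_risk or inc.reputational_harm:
        return "High"
    return "Medium" if inc.affected_people > 0 else "Low"

def regulator_notice(inc: Incident) -> str:
    """Critical always goes to the regulator; High only when the local law requires it."""
    level = classify(inc)
    if level == "Critical":
        return "required: notify within the legal window and engage counsel"
    return "check: notify if legally required" if level == "High" else "not required"

def overdue_steps(inc: Incident, now_iso: str) -> list[str]:
    """Protocol steps whose window has passed while the matching register field is still empty."""
    now = datetime.fromisoformat(now_iso)
    checks = [("contain_assess", inc.contained), ("notify", inc.notified_customer), ("fix_record", inc.closed)]
    return [step for step, done in checks if done is None and now > inc.occurred + WINDOWS[step]]

# Constructed sample row (not the INC-2026-007 row from the register above).
SAMPLE = Incident("INC-EXAMPLE-001", "WhatsApp booking agent", datetime(2026, 3, 14, 9, 0),
                  affected_people=1, data_exposed=False, money_at_risk=True,
                  contained=datetime(2026, 3, 14, 9, 40))
```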

***

## Root-cause patterns to watch for

Over time, most LAC SMB AI incidents fall into one of these buckets. If yours do too, target the bucket, not the one-off.

| Pattern                            | Typical fix                                       |
| ---------------------------------- | ------------------------------------------------- |
| Currency or tax hardcoded          | Pull live rates; add a daily sanity check         |
| Language detection wrong           | Detect from first message, lock for session       |
| Out-of-date price or inventory     | Tool call against live source, not cached text    |
| Wrong date format (DD/MM vs MM/DD) | Normalize to ISO 8601 (YYYY-MM-DD) internally     |
| Over-promising SLAs                | Add a "don't commit without human" guardrail      |
| Leaking personal data in logs      | Mask PII at the log sink                          |
| Agent loops                        | Max-steps cap + timeout                           |
| Wrong branch of business           | Add explicit branch in system prompt or tool list |

***

## Escalation tree

Post this near the person who operates the AI.

```
1. Customer-facing error, no data leak, no money lost
   → Apologise, fix for that customer, log internally.

2. Customer-facing error, money or time at stake
   → Pause the automation. Assign a human. Notify the customer in writing.
     Follow up within 24h. Log as High severity.

3. Personal-data exposure, any size
   → Pause immediately. Call the named DPO or owner.
     Assess scope within 2h. Decide on regulator notification.
     Notify affected individuals within the legally required window.

4. Financial loss > local threshold, or any harm to a vulnerable person
   → Pause. Call the owner. Call counsel. Follow Critical protocol.
```

***

## Related reading

* [governance/README.md](README.md): the legal map this protocol lives in.
* [responsible-ai.md](responsible-ai.md): the preventive side.
* [agents/design.md](../agents/design.md): how to design agents that fail gracefully.
* [risks/README.md](../risks/README.md): broader risk landscape.

***

*Created by Adrian Dunkley | MaestrosAI | maestrosai.com | [ceo@maestrosai.com](mailto:ceo@maestrosai.com)*
*Fair Use, Educational Resource | April 2026*
*Disclaimer: Informational only. Confirm specific notification windows and authorities with local counsel.*
