AI safety incident crisis communication
When an AI system causes a safety or privacy incident, the response window is short and the communications are high-stakes: a clumsy customer notice, a premature press line, or a missed regulator deadline can compound the original harm. This tool generates structured draft communications for the audiences that matter — internal staff, customers, regulators, and press — tailored to the incident type, who is affected, and the severity, so you start from a sensible scaffold instead of a blank page under pressure.
How it works
You describe the incident: the type (harmful output, data exposure, an erroneous automated decision, a service outage, or a security breach), the affected parties (customers, staff, the public, a specific group), and the severity. For each audience you select, the tool assembles a draft with the right structure and tone — an internal notice that mobilises the team, a customer notification that states what happened and what to do, a regulator disclosure that hits the expected elements, and a holding press statement. Bracketed placeholders mark the incident-specific facts you must supply, and the drafts deliberately avoid speculation and over-commitment.
What each communication type needs to do
Internal staff notice The internal notice serves a different purpose from the external ones: it needs to mobilise the response, not reassure. It should state what happened, what facts are confirmed versus still being investigated, who is leading the response, what each team must do right now, and what staff must not do (do not speculate externally, do not delete logs, do not communicate about the incident outside approved channels). Getting staff aligned early prevents contradictory statements from different teams reaching customers or press.
Customer notification This is the communication most customers will see. The standard that works is: what happened, what information or service was affected, what you have done in response, what the customer should do (if anything), and how to get more information. Do not speculate. Do not use minimising language (“minor incident”). Do not make commitments you have not yet verified (“no data was misused”). State what you know and that you will update — and then actually update.
Regulator disclosure Regulator notices have expected elements that vary by regime. For privacy incidents under GDPR, this typically means: the nature of the personal data breach, the categories and approximate number of affected individuals and records, the likely consequences, the measures taken or proposed, and a contact point. The 72-hour clock under GDPR starts from when you become aware, not when you finish investigating — early notice with a follow-up is better than a late complete one. The generated template flags all of these and marks what you need to fill in.
Press statement / holding statement The first press statement should be a short holding statement that confirms you are aware of an issue and investigating, gives a contact for media enquiries, and commits to an update by a specific time. Do not speculate, do not be defensive, do not say “we take privacy seriously” as a substitute for substance. A holding statement buys time for facts; a substantive statement follows once the facts are confirmed.
Common mistakes in AI incident communication
- Speculating about root cause before the investigation is complete. Wait for facts; wrong early statements are hard to walk back.
- Contradicting messages across audiences. The customer notice, regulator disclosure, and press statement need to align — discrepancies get noticed.
- Missing the regulatory deadline. The 72-hour GDPR clock and similar requirements in other jurisdictions start running from awareness, not resolution. Check the clock early.
- Over-committing in the initial notice. Saying “only X records were affected” before the investigation is finished invites correction and implies negligence if the real number is higher.
Tips and notes
- Verify before you assert. Say what you know; do not commit to facts you have not confirmed. “We are investigating” beats a wrong claim.
- Mind the regulator clock. Some privacy regimes require notice within 72 hours — confirm your deadline at the very start.
- One source of truth. Align internal, customer, regulator, and press messaging so they do not contradict each other.
- Always route through legal and comms. These drafts are a head start, not a substitute for review before release.