AI vendor incident disclosure letter to customers

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ethics-ai-vendor-incident-disclosure-letter-creators

1. What should a customer-facing disclosure letter primarily focus on regarding the incident?

   1. Promising it will never happen again with guarantees
   2. Detailing all technical specifications of the security breach
   3. Explaining why the vendor failed and who is to blame
   4. Providing known facts about what happened, what data was involved, and what actions have been taken

2. In an AI-drafted disclosure letter, what does it mean to distinguish what is known versus what is under investigation?

   1. Hiding information that is under investigation to avoid confusion
   2. Combining facts with speculation to appear thorough
   3. Making assumptions about the cause based on early reports
   4. Clearly stating what has been confirmed versus what is still being examined

3. What is a key limitation of using AI to draft incident disclosure letters for AI vendors?

   1. AI cannot write in a professional tone
   2. AI cannot produce written content about security events
   3. AI cannot determine legal reportability requirements or speak officially for the vendor
   4. AI cannot access any information about the incident

4. Who should review an AI-drafted incident disclosure letter before it is sent to customers?

   1. Any available employee to save time
   2. No one—it can be sent immediately
   3. The AI system that generated the draft
   4. Legal counsel and the incident commander

5. What tone is recommended for an incident disclosure letter to customers?

   1. Defensive and technical to show competence
   2. Apologetic and overly emotional to gain sympathy
   3. Direct, non-defensive, and free of jargon
   4. Casual and reassuring to minimize concern

6. What does the [verify] marker indicate when used in an AI-generated disclosure draft?

   1. Information that is irrelevant to the incident
   2. Information that requires verification before inclusion in the final version
   3. The information is definitely true and can be published
   4. Information that should be deleted from the letter

7. What is 'third-party risk' in the context of AI vendor incidents?

   1. Risk that customers pose to each other
   2. Risk that arises from using external AI vendors and their services
   3. Risk from the vendor's competitors
   4. Risk to the vendor's employees from internal systems

8. What should a disclosure letter include about the data involved in an incident?

   1. A complete list of all data the company has ever collected
   2. The specific data types that were affected by the incident
   3. No data information, as that would alarm customers
   4. Only encrypted data to show security measures

9. Why can AI not determine whether an incident is reportable to regulators?

   1. AI is prohibited from mentioning government agencies
   2. AI systems are not sophisticated enough to write about regulations
   3. Legal reporting requirements depend on specific laws and contractual obligations that require human legal judgment
   4. Regulators do not accept AI-generated reports

10. What is the purpose of including contact channels in an incident disclosure letter?

    1. To direct customers to purchase additional products
    2. To meet marketing requirements
    3. To track which customers read the letter
    4. To allow affected customers to ask questions and receive support

11. What happens after an AI drafts an incident disclosure letter?

    1. The letter is deleted to prevent premature disclosure
    2. The letter is sent immediately to all affected customers
    3. The letter is posted publicly on social media
    4. The letter goes through legal and incident commander review before any sending decision

12. What does it mean for a disclosure letter to have a 'non-defensive' tone?

    1. Accepting responsibility and providing facts without making excuses or blaming others
    2. Refusing to communicate with customers about the incident
    3. Denying any wrongdoing or responsibility
    4. Making excuses for what happened and explaining why it wasn't your fault

13. Why must disclosure timing be reviewed by legal counsel?

    1. Counsel enjoys reviewing disclosure letters
    2. Because legal requirements and contractual obligations often dictate specific timing for disclosure
    3. To delay the disclosure as long as possible to avoid negative press
    4. Timing is irrelevant to disclosure effectiveness

14. What distinguishes a disclosure draft suitable for review from one ready to send?

    1. Nothing—AI drafts are always perfect and need no changes
    2. The length of the document determines readiness
    3. The font and formatting indicate whether it is ready
    4. A review draft has not yet received approval from legal counsel and incident commander

15. Why is it important to avoid speculation in an incident disclosure letter?

    1. Customers prefer reading speculative theories
    2. Misinformation can cause unnecessary panic, create legal liability, and damage trust
    3. Speculation makes the letter more interesting and engaging
    4. Speculation is required by disclosure regulations