AS-301e · Module 3

Data Loss Response

3 min read

When exfiltration is confirmed — not suspected, confirmed — the response follows a strict sequence: contain, assess, notify, remediate. Contain: shut down the exfiltration channel immediately. Assess: determine what data was exposed and to whom. Notify: inform affected parties per regulatory requirements. Remediate: fix the vulnerability and prevent recurrence.

  1. Immediate Containment: Disable the agent, or the specific capability it used to exfiltrate, and revoke every credential the agent held (API keys, tokens, service-account sessions), not only the one seen in the exfiltration. Preserve system state for forensics: snapshot the context window, conversation history and tool-invocation logs as part of the shutdown, because volatile state can be lost once the agent process is torn down. The first action is always containment — stop the data loss before assessing the damage.
  2. Impact Assessment: Using forensic logs — context window contents, model outputs, tool invocations — determine exactly what data was exposed and to whom. Not what could have been exposed — what was exposed. Data counts as exposed when a tool invocation actually transmitted it to a destination outside your trust boundary and that call succeeded; data that was loaded into the context window but never sent, or that was sent to an internal system, is at risk, not exposed. Record the destinations (hosts, mailboxes, accounts) for each exposed record, since the notification step needs the recipients. The distinction matters for notification obligations and regulatory reporting.
  3. Regulatory Notification: GDPR (Art. 33) requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach, and (Art. 34) notifying the affected data subjects without undue delay where the breach is likely to result in a high risk to them. US state laws vary. Industry regulations add additional requirements. The notification timeline starts when you become aware of the breach — in practice, at confirmation — not at remediation. Have notification templates pre-drafted and legal review pre-arranged so the 72-hour clock does not become a scramble.
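The three steps above, worked as an added example that is not part of this module: a small Python script that runs the step 2 impact assessment over a constructed agent forensic log and computes the step 3 deadline from the confirmation time. The log shape (JSONL with context_load, tool_call and model_output events), the record ids, hosts and tool names, the RECORD_CLASS data inventory and the TRUSTED_HOSTS allowlist are all assumptions made for illustration, not any real product's schema.

```python
"""Impact assessment over agent forensic logs (constructed example).

Assumed log shape (JSONL, one event per line), not a real product format:
  context_load  - records pulled into the agent's context window
  tool_call     - a tool invocation with destination, record refs and status
  model_output  - records echoed in a model reply to the end user
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log; record ids, hosts and tool names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2024-05-03T09:12:00Z","session":"s-17","event":"context_load","record_ids":["cust-1042","cust-1043","cust-1044"]}
{"ts":"2024-05-03T09:12:41Z","session":"s-17","event":"tool_call","tool":"http.post","dest":"https://paste.example.net/api/new","record_ids":["cust-1042"],"status":"ok"}
{"ts":"2024-05-03T09:13:05Z","session":"s-17","event":"tool_call","tool":"http.post","dest":"https://crm.internal.example/api/notes","record_ids":["cust-1043"],"status":"ok"}
{"ts":"2024-05-03T09:13:30Z","session":"s-17","event":"tool_call","tool":"http.post","dest":"https://drop.example.org/c","record_ids":["cust-1043","cust-1044"],"status":"blocked"}
{"ts":"2024-05-03T09:14:02Z","session":"s-17","event":"tool_call","tool":"email.send","dest":"mailto:outside@example.org","record_ids":["cust-1044"],"status":"ok"}
{"ts":"2024-05-03T09:14:20Z","session":"s-17","event":"model_output","record_ids":["cust-1043"]}
"""

# Hypothetical data inventory: which records hold personal data (drives notification).
RECORD_CLASS = {"cust-1042": "personal", "cust-1043": "personal", "cust-1044": "internal"}

# Tools that can move data out, and hosts assumed to be inside the trust boundary.
EGRESS_TOOLS = {"http.post", "email.send"}
TRUSTED_HOSTS = {"crm.internal.example"}


def destination_host(dest: str) -> str:
    """Normalise a destination to a host for the allowlist check (mailto:x@y -> y)."""
    if dest.startswith("mailto:"):
        return dest.split("@", 1)[-1].lower()
    return (urlparse(dest).hostname or "").lower()


def assess_impact(log_text: str) -> dict:
    """Separate records that WERE exposed from records that merely COULD have been.

    exposed: record id -> sorted external hosts it was successfully sent to
    at_risk: records in the context window never confirmed leaving the boundary
    blocked: failed external egress attempts (evidence of intent, not exposure)
    """
    in_context, exposed, blocked = set(), defaultdict(set), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "context_load":
            in_context.update(ev["record_ids"])
        elif ev["event"] == "tool_call" and ev["tool"] in EGRESS_TOOLS:
            host = destination_host(ev["dest"])
            if host in TRUSTED_HOSTS:
                continue  # stayed inside the boundary: at risk at most
            if ev["status"] == "ok":
                for rid in ev["record_ids"]:
                    exposed[rid].add(host)
            else:
                blocked.append((ev["ts"], host, tuple(ev["record_ids"])))
        # model_output reaches the authenticated user, not an external party,
        # so it stays in the "could have been" bucket here.
    at_risk = sorted(in_context - set(exposed))
    return {"exposed": {k: sorted(v) for k, v in exposed.items()},
            "at_risk": at_risk, "blocked": blocked}


def notification_deadline(confirmed_at_iso: str) -> str:
    """GDPR Art. 33: supervisory authority within 72 hours of becoming aware."""
    confirmed = datetime.fromisoformat(confirmed_at_iso)
    return (confirmed + timedelta(hours=72)).isoformat()


def notification_summary(impact: dict, confirmed_at_iso: str) -> dict:
    """Exposed records that carry personal data, their recipients, and the clock."""
    personal = sorted(r for r in impact["exposed"] if RECORD_CLASS.get(r) == "personal")
    recipients = sorted({h for hosts in impact["exposed"].values() for h in hosts})
    return {"personal_records_exposed": personal,
            "recipients": recipients,
            "gdpr_deadline": notification_deadline(confirmed_at_iso) if personal else None}


if __name__ == "__main__":
    impact = assess_impact(SAMPLE_LOG)
    print(json.dumps(impact, indent=2))
    print(notification_summary(impact, "2024-05-03T11:00:00+00:00"))
```

On the constructed log this yields one record exposed to paste.example.net, one to example.org, and cust-1043 as at risk only: it reached an internal host, appeared in a blocked call and in a reply to the user, but never left the boundary. Only cust-1042 is both exposed and personal data, so only that record starts the 72-hour clock; the blocked attempt is kept as evidence for the forensic record, not as exposure.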