SOP-OPS-compliance-incident-handling-v1.0

1. Purpose

Define how compliance incidents — events where eco|monetize™ may have violated a regulatory obligation, contractual commitment, or internal governance rule — are identified, assessed, contained, and remediated.

Distinction from operational incidents (SOP-EXEC-escalation-incident-handling-v1.0): Operational incidents are workflow failures (missed check-in, handoff failure, SOP breach). Compliance incidents are events that may trigger regulatory, legal, or contractual liability. Many incidents start as operational and escalate to compliance; this SOP governs when that threshold is crossed.

All compliance incident handling is HIGH sensitivity — council review uses Ollama local only. No compliance content leaves the local environment.

2. Compliance Incident Triggers

| Trigger | Threshold |
| --- | --- |
| Data exposure | Any customer, partner, or internal PII/credential exposed to an unauthorized party |
| Breach notification obligation | Data exposure that triggers GDPR Article 33, CCPA notification, or contractual breach notification |
| Regulatory inquiry | Any contact from a regulatory body (FTC, state AG, data protection authority) |
| Contractual obligation missed | Failure to deliver a contracted service level, data handling commitment, or SLA |
| Vendor compliance failure | A vendor eco |
| Internal policy violation | Credential stored in plaintext, data shared outside approved channels, SOP bypassed causing risk |

3. Severity Classification

Compliance incidents use the same SEV1-3 scale as operational incidents (CLAUDE.md Section 6E), but triggers differ:

| Severity | Compliance trigger |
| --- | --- |
| SEV1 | Customer data exposed, active breach, regulatory inquiry received, contractual breach with immediate liability |
| SEV2 | Internal policy violation creating future risk, vendor breach affecting our data (no confirmed customer exposure), near-miss that could have been SEV1 |
| SEV3 | Process gap identified before an incident, minor documentation gap, compliance calendar item missed without impact |

4. Response Procedure

SEV1 — Immediate

  1. Contain first. Revoke the credential, stop the data flow, isolate the system — before documenting. Minutes matter.
  2. File Incident Report per SOP-EXEC-escalation-incident-handling-v1.0 Section 4 — SEV1 path
  3. CEO notified immediately — Slack DM with: what happened, what's contained, what's at risk
  4. COO notified — takes legal coordination ownership
  5. legal.exec engaged — determines notification obligation (regulatory timeline varies: GDPR = 72 hours, CCPA = "expedient")
  6. Outside counsel contacted if customer data confirmed exposed (COO initiates)
  7. Notification preparation — legal.exec drafts breach notification if required; COO + CEO approve before sending
  8. Audit trail — every action timestamped in the incident file; do not alter the timeline after the fact

SEV2 — Within 4 hours

  1. File Incident Report per SOP-EXEC-escalation-incident-handling-v1.0
  2. security.ops takes ownership; COO notified
  3. Risk assessment — is this a near-miss that could become SEV1? If yes, escalate immediately
  4. Remediation plan filed to incident record within 24 hours
  5. SOP Delta filed for any SOP that contributed to or failed to prevent the incident

SEV3 — Next enforcement sweep

  1. File Incident Report — standard path
  2. Assign prevention owner (security.ops or the relevant agent)
  3. SOP update if the gap reveals a missing or outdated procedure

5. Notification Decision Tree

When a compliance incident involves potential customer data:

Was customer PII or customer-relevant data exposed?
├── NO → Internal incident; no external notification required; proceed with SEV remediation
└── YES → Was it exposed to an unauthorized party?
          ├── NO → Near-miss; SEV2; internal remediation; no notification
          └── YES → Apply breach notification obligations:
                    ├── GDPR: notify DPA within 72 hours; notify affected individuals if "high risk"
                    ├── CCPA: notify affected California residents "expeditiously"
                    ├── Contractual: check customer contract for notification SLA
                    └── All paths: CEO + legal.exec + outside counsel before notification is sent

No external notification without CEO + legal review. legal.exec drafts; CEO approves.

6. Post-Incident Review

Within 5 business days of closing a SEV1 or SEV2 compliance incident:

  1. Post-mortem filed at /Claude/operations/reports/compliance/postmortem-{slug}-{YYYY-MM-DD}.md
  2. Root cause identified — what failed? (credential management, access control, vendor gap, process gap)
  3. Prevention actions documented with owners and deadlines
  4. SOP updates filed if any procedure contributed to the incident
  5. CEO briefed — 1-paragraph summary of what happened, what changed, what risk remains

7. Compliance Calendar

security.ops maintains a compliance calendar at /Claude/operations/logs/compliance-calendar.md covering:

  - GDPR/CCPA annual review dates
  - Vendor SOC 2 certificate renewal tracking
  - Credential rotation due dates (cross-reference SOP-OPS-credential-management-v1.0)
  - Contract SLA review dates

chief.staff surfaces compliance calendar items in CEO Daily Summary when due within 30 days.


Change Log

| Version | Date | Change |
| --- | --- | --- |
| v1.0 | 2026-04-21 | Initial draft — sop.manager. |

Owner: security.ops
Executive sponsor: coo
Drafted by: sop.manager
Status: Draft — pending COO review + approval
Version: v1.0