# **Incident Reportability Decision**

In [None]:
from google.colab import drive
drive.mount('/content/drive')

**Domain Title & Project Overview**

Domain: Legal & Compliance

Task: Incident Reportability Decision

Objective:
Determine whether an incident must be reported to regulators and within what timeframe

---------------------------------------------------------------------------------------------

**Problem Statement & Domain Challenges**

Organizations frequently underreport or overreport incidents due to unclear thresholds, resulting in penalties or unnecessary disclosures.

Key challenges:

Interpreting regulatory thresholds

Identifying reporting deadlines

Creating defensible documentation

---------------------------------------------------------------------------------------------

**AI Models / Prompting Techniques Used**

Few-Shot Prompting

Chain-of-Thought (CoT)

Decision-Oriented Prompting

---------------------------------------------------------------------------------------------


**Features & Capabilities Implemented**

Incident severity assessment

Regulatory threshold comparison

Reporting obligation decision

Justification generation




---------------------------------------------------------------------------------------------

**Data Flow Architecture**

Incident description →
Few-shot comparison →
Threshold reasoning →
Report / No-report decision

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# **Task-Incident Report Document**

Template 1 – Instruction-Based Prompting

Use Case 1a – Text → Text

Use Case Description:
Analyze a textual incident report and determine reportability and reporting timeline using strict instructions.

----------------------------------------------------------------------------------------

**Prompt Template**

Incident Type: Data Breach

Data Affected: Personally Identifiable Information

Records: 12,000

Jurisdiction: EU

Incident Date: 2025-01-12


---------------------------------------------------------------------------------------

In [None]:
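# Import the OpenAI SDK (install it first with: pip install openai)
import os

from openai import OpenAI

# Initialize client; the API key is read from the OPENAI_API_KEY environment
# variable so that no credential is stored in the notebook
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)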

response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a legal compliance AI expert."
        },
        {
            "role": "user",
            "content": """
Based on the incident description below, determine:
- Whether the incident is reportable (Yes/No)
- Applicable regulation
- Reporting timeframe
- Brief justification

Incident Description:
An employee accidentally emailed a spreadsheet containing customer names,
email addresses, and phone numbers to an external vendor.
"""
        }
    ]
)

print(response.choices[0].message.content)


- **Is the incident reportable?** Yes

- **Applicable regulation:** Generally, this type of incident falls under data breach or personal data protection regulations such as the General Data Protection Regulation (GDPR) if applicable in the jurisdiction, or relevant local privacy laws (e.g., CCPA in California, or other national data breach notification laws).

- **Reporting timeframe:** Typically within 72 hours of becoming aware of the breach under GDPR; similar laws may specify different timeframes (e.g., within 48 hours under some regulations). 

- **Brief justification:** The accidental disclosure of personal information (customer names, email addresses, and phone numbers) to an external third party constitutes a data breach involving personal data. Such incidents are generally considered reportable as they can pose risks to data subjects’ privacy rights, and regulatory frameworks mandate timely notification to authorities and affected individuals to mitigate potential harm.


Input: Employee accidentally emailed sensitive personal data externally.

Output: Reportable: Yes

Regulation: GDPR Article 33

Deadline: Within 72 hours

Justification: Personal data exposure affecting EU residents.


-----------------------------------------------------------------------------------------------------------


**Use Case 1b – Audio → Text**

Prompting technique used:

Zero-shot prompting

Use Case Description:

Listen to audio logs or voice-reported incidents and classify reportability.

-------------------------------------------------------------------------------------

**Prompt Template (Zero-Shot)**

Based on the transcribed incident description below, determine:
- Whether the incident is reportable (Yes/No)
- Applicable regulation
- Reporting deadline
- Brief justification

Incident Description (from audio transcription):
{{transcribed_incident_text}}

---

In [None]:
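# Install OpenAI SDK
!pip install openai --upgrade

import os

from openai import OpenAI

# Initialize OpenAI client; the API key is read from the OPENAI_API_KEY
# environment variable so that no credential is stored in the notebook
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)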

# -----------------------------
# STEP 1: AUDIO → TEXT (Whisper)
# -----------------------------

audio_file_path = "/content/1767009307078587750r4foma18-voicemaker.in-speech.mp3"  # your audio file

with open(audio_file_path, "rb") as audio_file:
    transcription = client.audio.transcriptions.create(
        model="whisper-1",
        file=audio_file
    )

incident_text = transcription.text

print("=== Transcribed Incident ===")
print(incident_text)

# -----------------------------------------
# STEP 2: INCIDENT REPORTABILITY DECISION
# (ZERO-SHOT PROMPTING)
# -----------------------------------------

response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a legal compliance AI expert."
        },
        {
            "role": "user",
            "content": f"""
Based on the incident description below, determine:
- Whether the incident is reportable (Yes/No)
- Applicable regulation
- Reporting timeframe
- Brief justification

Incident Description:
{incident_text}
"""
        }
    ]
)

print("\n=== Compliance Decision ===")
print(response.choices[0].message.content)


=== Transcribed Incident ===
This is an incident report regarding a potential data security breach. On December 12, an employee reported that their company-issued laptop was stolen from their car while parked outside a hotel. The laptop contained customer records including NOM.

=== Compliance Decision ===
- **Is the incident reportable?** Yes

- **Applicable regulation:** The incident likely falls under data breach notification laws such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) if applicable, or other relevant data protection laws depending on jurisdiction. For example, in the U.S., if the incident involves personal information of residents of a state with breach notification laws (like California), it is reportable.

- **Reporting timeframe:** Typically within 45 days of discovery under U.S. state laws such as CCPA; GDPR mandates reporting within 72 hours of becoming aware of the breach.

- **Brief justification:** The stolen laptop

Input: Audio of employee reporting accidental leak of client emails.

Output: Reportable: Yes, Regulation: GDPR Article 33

Deadline: Within 72 hours

Justification: Client data exposed via email.


------------------------------------------------------------------------------------------------



**Use Case 1c – Image → Text**


Prompting technique used:

Role-based prompting

Use Case Description:

Extract information from a screenshot or image of an incident alert and classify reportability.

----------------------------------------------------------------------------------------

**Prompt Template**

You are acting as a Regulatory Compliance Officer.

Analyze the incident information visible in the provided image and determine:
- Whether the incident is reportable (Yes/No)
- Applicable regulation
- Reporting deadline
- Brief justification

In [None]:
import base64

# Define the path to the image file
image_file_path = "/content/Screenshot 2025-12-29 173904.png"

# Open the image file in binary read mode ('rb')
with open(image_file_path, "rb") as image_file:
    # Read the content of the image file
    image_content = image_file.read()

# Encode the image content to a base64 string and decode to UTF-8
base64_image = base64.b64encode(image_content).decode("utf-8")

print("Image loaded and encoded to base64. Stored in 'base64_image' variable.")

Image loaded and encoded to base64. Stored in 'base64_image' variable.


In [None]:
import os

from openai import OpenAI

# Initialize client with the same base URL as the earlier cells; the API key is
# read from the OPENAI_API_KEY environment variable instead of being hardcoded
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)

response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a Regulatory Compliance Officer specializing in incident reporting."
        },
        {
            "role": "user",
            "content": [
                {
                    "type": "text",
                    "text": """
Analyze the incident shown in the image and determine:
- Whether the incident is reportable (Yes/No)
- Applicable regulation
- Reporting timeframe
- Brief justification
"""
                },
                {
                    "type": "image_url",
                    "image_url": {
                        "url": f"data:image/png;base64,{base64_image}"
                    }
                }
            ]
        }
    ]
)

print(response.choices[0].message.content)

- **Reportable Incident:** Yes  
- **Applicable Regulation:** General Data Protection Regulation (GDPR) (European Union)  
- **Reporting Timeframe:** Within 72 hours of becoming aware of the breach  
- **Brief Justification:** The incident involves unauthorized disclosure of personalized customer information (PII), which is a personal data breach under GDPR. It affects a significant number of individuals (approximately 1,200 customers), and the breach involves sensitive personal data. The data was sent without encryption, and the incident poses a risk to data subjects' rights and freedoms, necessitating prompt reporting.

Please ensure the incident is reported to the relevant supervisory authority within the required timeframe, and continue to monitor for any further developments.
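
A check on the model's free-text answer before it is kept as a decision record, added here as an example (it is not code from the notebook). It parses the bullet format of the outputs above, flags an answer that was cut off like the Use Case 1b justification, and computes the 72-hour deadline; the sample text and the awareness timestamp are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Bullet labels as they appear in the model outputs shown on this page.
FIELD_PATTERNS = {
    "reportable": r"is the incident reportable\?|reportable incident:?",
    "regulation": r"applicable regulation:?",
    "timeframe": r"reporting timeframe:?",
    "justification": r"brief justification:?",
}

# Constructed sample in the page's output format; the last bullet is cut off.
TRUNCATED_SAMPLE = """\
- **Is the incident reportable?** Yes
- **Applicable regulation:** GDPR
- **Reporting timeframe:** Within 72 hours of becoming aware of the breach
- **Brief justification:** The stolen laptop"""

def parse_decision(markdown):
    """Extract the decision fields from '- **Label** value' bullets."""
    fields = {}
    for line in markdown.splitlines():
        m = re.match(r"\s*-\s*\*\*(.+?)\*\*\s*(.*)", line)
        if not m:
            continue
        label, value = m.group(1).strip().lower(), m.group(2).strip()
        for name, pattern in FIELD_PATTERNS.items():
            if re.fullmatch(pattern, label):
                fields[name] = value
    return fields

def validate_decision(fields):
    """Return a list of problems; an empty list means the record is usable."""
    problems = [f"missing field: {n}" for n in FIELD_PATTERNS if not fields.get(n)]
    if fields.get("reportable", "").lower() not in ("", "yes", "no"):
        problems.append("reportable is not Yes/No")
    # A justification with no closing punctuation was probably cut off.
    text = fields.get("justification", "")
    if text and not text.endswith((".", "!", "?")):
        problems.append("justification looks truncated")
    return problems

def gdpr_deadline(aware_at):
    """72 hours from awareness, the GDPR timeframe the outputs above cite."""
    return aware_at + timedelta(hours=72)

if __name__ == "__main__":
    record = parse_decision(TRUNCATED_SAMPLE)
    print(record, validate_decision(record))
    # Assumed awareness time; the page gives only an incident date.
    print(gdpr_deadline(datetime(2025, 1, 12, 9, 0, tzinfo=timezone.utc)))
```

A record with a non-empty problem list should go to a human reviewer rather than into the incident file.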


------------------------------------------------------------------------------------------

## Summary & Reusability Notes

This project implements an AI-driven **Incident Reportability Decision** system within the **Legal & Compliance** domain using multiple input modalities while keeping the core task constant.

### Summary
- The same compliance task—determining whether an incident is reportable, under which regulation, and within what timeframe—is addressed across all templates.
- Three different modalities are supported:
  - **Text → Text** for written incident descriptions
  - **Image → Text** for scanned or screenshot-based incident reports
  - **Audio → Text** for voice-recorded incident disclosures
- Different prompting strategies are applied (zero-shot and role-based) to demonstrate flexibility without altering task logic.
- The system cleanly separates **input processing** (OCR or transcription) from **decision reasoning**, improving clarity and maintainability.

### Reusability Notes
- The prompt structure is modular and can be reused for any incident type by changing only the input content.
- New regulations or jurisdictions can be supported by updating the system instructions without rewriting code.
- Additional modalities (e.g., PDF documents or chat logs) can be integrated by inserting a preprocessing step before the decision prompt.
- The same architecture can be extended to other compliance workflows such as breach severity assessment, regulatory classification, or audit readiness checks.
- The notebook structure allows easy replication across projects, making it suitable for enterprise compliance automation and academic submissions.


--------------------------------------------------------------------------------------