AI assistant — not human

72-hour containment playbook. Kill switch + SharePoint lockdown + root cause + remediation. 24x7 response.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Copilot exposing sensitive documents — 72-hour containment playbook: Hour 0 preserve evidence, Hour 1 Copilot license kill switch (tenant/group/site scope), Hour 2 SharePoint Restrict Access via SAM, Hour 4 eDiscovery Premium legal hold, Hour 8 Insider Risk case, Hours 8-24 root cause. Six root causes: SharePoint permission drift (87% of incidents), missing sensitivity labels, DLP gap, no Restrict Access, over-permissioned OneDrive, guest access. Prevention: sensitivity label taxonomy + auto-labeling + DLP baseline + SAM DAG reports + Restrict Access top-100 sites + Insider Risk tuning. Regulatory reporting triggers: HIPAA 500+ → 60 days, SEC MNPI, state privacy, DFARS 72-hour, GDPR 72-hour. EPC Group Emergency Response: $30K flat + $500/hr surge, 24x7 availability.
EPC Group 72-hour containment playbook: (0) Immediately preserve incident evidence — screenshot the Copilot response, capture user identity, timestamp, query text, and content Copilot surfaced. Do NOT delete anything. (1) Hour 1 — Copilot license kill switch: pause Copilot licensing for the affected user group via Admin Center or PowerShell (Set-MgUserLicense). (2) Hour 2 — SharePoint site lockdown: identify the source SharePoint site + apply Restrict Access mode via SharePoint Advanced Management (SAM). (3) Hour 4 — DLP scope check: enable Purview eDiscovery Premium legal hold on affected content pending investigation. (4) Hour 8 — Insider Risk case: open case for query pattern. (5) Hours 8-24 — Root cause: was permission drift, missing sensitivity label, DLP gap, or user permission over-grant?
Three kill-switch scopes: (1) Tenant-wide — disable Copilot in M365 Admin Center → Copilot → tenant settings. Fastest but blast-radius maximum. (2) User group — remove Copilot license via Admin Center or PowerShell for affected group. Preferred: limits damage while investigation proceeds. (3) SharePoint site — Restrict Access mode via SAM hides content from Copilot without changing permissions. Best for narrow-scope incidents where broader Copilot use should continue. Kill switch is temporary — 24-72 hours while root cause is remediated. Do NOT leave kill switch permanent — return to fully-governed Copilot ASAP.
Six root causes from EPC Group incident-response engagements: (1) SharePoint permission drift — "Everyone except external users" over-shares on a site containing sensitive content. Present in 87% of incidents. (2) Missing sensitivity labels — labeled content is protected; unlabeled content is treated as accessible. (3) DLP policy gap — DLP not covering the source content pattern. (4) Missing Purview Restrict Access — high-value SharePoint sites should be hidden from general Copilot query even with permissions in place. (5) Over-permissioned OneDrive folder — sensitive content in personal OneDrive shared broadly. (6) Guest user access — external users can query internal Copilot without proper restrictions.
Six-step recurrence prevention: (1) Deploy sensitivity label taxonomy (Highly Confidential + Confidential + Internal + Public). (2) Auto-labeling for known sensitive patterns (PHI, PII, credit card, MNPI). (3) DLP baseline across Exchange + SharePoint + OneDrive + Teams. (4) SharePoint Advanced Management deployment — DAG reports flag over-shared sites weekly. (5) Purview Restrict Access on top-100 highest-sensitivity sites. (6) Insider Risk Management policies tuned for Copilot query patterns. Timeline: 6-10 weeks to implement all six via EPC Group Data Governance Accelerator ($95K).
EPC Group Copilot Emergency Response ($30K flat + $500/hr surge) covers: (1) Hour-1 kill switch deployment. (2) 72-hour containment playbook execution. (3) Root cause investigation via Graph API + Purview + Insider Risk logs. (4) Executive briefing + written incident report. (5) Remediation deployment (top-3 gaps closed within 5-10 days). (6) Legal + compliance notification support (HIPAA breach, SEC disclosure, state privacy AG). (7) Handoff to Data Governance Accelerator for permanent remediation. 24×7 response availability with senior consultant surge team.
Depends on data exposed + jurisdiction. Reporting triggers: (1) HIPAA — PHI breach affecting 500+ individuals must be reported to HHS within 60 days; under 500 in annual log. (2) State privacy laws (CCPA, CPRA, various) — reporting thresholds vary by state. (3) SEC — MNPI or material cybersecurity incidents reportable under new SEC rules. (4) DoD DFARS 7012 — 72-hour incident reporting to DoD for defense contractors. (5) GDPR — 72-hour notification to data protection authority + affected individuals if high-risk. Consult with legal counsel + EPC Group compliance advisor before making reporting decisions.
EPC Group Copilot incident response portfolio: (1) Emergency Response ($30K flat + $500/hr surge) — 72-hour containment + root cause + remediation. (2) Insider Risk + Purview Investigation Support ($15K-$45K per incident) — deep-dive investigation for material incidents. (3) Post-Incident Governance Accelerator ($95K) — deploy Data Governance Accelerator scope permanently. (4) Compliance Notification Support (part of Emergency Response) — HIPAA, SEC, state AG, DoD notification drafting. (5) Ongoing Incident Response Retainer ($10K-$20K/month) — 24×7 on-call availability. Chief AI Architect Errin O'Connor personally leads incident response for material incidents.
$30K flat + $500/hr surge. Chief AI Architect leads material incidents. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day