23) Please use the following information to answer the below question.
SCENARIO
A high-end United States retail store that specializes in bespoke suits creates an opt-in program to provide personalized attention to its customers. On their first visit, customers are invited to log in to a kiosk in the retail store to enter their various shopping preferences, as well as personal information such as credit card numbers, banking information, birthdays, anniversary dates, etc. In an effort to make the customer experience even richer, the program also collects facial recognition data, so that when a customer enters the store, an alert staff member can call the customer by name and speak knowledgeably about his or her preferences, perhaps even directing the customer to a particular item. All the customer preference data, including facial recognition data, is encrypted and stored on a computer system within the store. This computer system is also secured physically in a locked room.
Because the intent of this effort was benign, i.e., to enhance the overall customer experience, the owners of the retail store do not recognize that this collection of data has the potential to become a data privacy issue. No policies or procedures have been developed to address how this data is used or whether it can be resold. The owners simply assume that if a customer does not want to participate, they won't enter data into the kiosk.
An employee at the store, Mary Popper, has full access to the data because she is the most computer-knowledgeable employee. Mary has a friend who works for a wealth management firm in another U.S. state. Wishing to do her friend a business favour, she copies an unencrypted set of the customer names, preferences, and the facial recognition data onto a hard drive and sends it to her friend for him to use in marketing his wealth management services to preselected suitable customers. He intends to use the customer data in a way similar to the suit designers, to provide highly personalized service. Since she is not selling the data to him, Mary does not think there is anything wrong with what she has done.
The owners of the wealth management company buy another list of customers and information legitimately from an outside vendor. This data included financial information, as well as names, addresses, and number and brand of automobiles owned. The wealth management company collates the list with the list from the retailer, though the owners of the wealth management company are unaware the retailer's list was given informally, and now the wealth management firm has a very valuable list that contains a deep level of personal information about potential customers and their buying preferences.
The man who works at the wealth management firm puts the combined list up on an unencrypted public website so that Mary can copy it back and enhance the clothing store's original data set. While it is exposed, the wealth management company becomes the victim of an online attack and the combined collection of customer data is stolen. The owners of the wealth management company only find this out when several of their customers report that their vehicles have been stolen. Further investigation of the crimes by the police links the data breach to home invasion burglaries. The criminals were using the stolen facial recognition data to identify potential victims, then using address data to find their primary residences. The owners of the suit designers have no knowledge any of this has happened until several months later, when the employee who traded their data to the wealth management firm quits and informs them of the data breach.
Question:
After the breach is made known, which task should the suit retailers accomplish first?