Companies should already have in place a set of well defined, easy to follow, procedures for identifying, containing, and removing threats to the network.<p>If the network has been breached you may be required to notify users, depending on what kind of data is stored on the network (such as personally identifable information) and the laws your company operates under.<p>Most large companies keep response teams on hand for exactly this sort of issue, and medium/small companies should at least have a set of procedures and information security operatives who can figure out how the network was breached, what happened when the attackers were inside the network, and what (if anything) was removed, added or altered (i.e. exfiltration).<p>EDIT: I did not see the 2nd part of your question.<p>In the case of a reoccuring event, the attackers may have installed a backdoor somewhere on the network, stolen passwords or credentials, or may even be a disgruntled employee.<p>In this case it is the job of the information security department to find this breach, be it internal or external, and ensure that the breach cannot be repeated. Proof-of-concepts can help in ensuring that the backdoor or breach has been fixed.
Depends on how they break your system. If it's by a well known 0day I would think you should secure your systems and give public notice. If it's by a unknown method and you trace it through a piece of software i'm not too sure. Many vendors like Oracle have a horrible track record of patching vulnerabilities until they become public.<p>I believe California requires notice within 30 days if it affects any California users.
I believe that your best option is to contact your corresponding CERT.<p>They will provide you a little help managing the situation.<p>This is the US Cert: <a href="http://www.us-cert.gov/" rel="nofollow">http://www.us-cert.gov/</a><p>* Depending on the State (or Country) there might be a legislation within how to act when you have been hacked or you have a security breach.