Is there guidance for proper action in the instance of potential or actual unauthorized access to business customer information? GLBA requires a documented response program including customer notification for consumer information. Where would one find guidance for non-consumer information?

Is it reasonable to think good business practice may indicate reliance on the consumer guidance in the absence of other, particularly given the common business practice of requiring personal confidential information of the principals of a business?
Opinions are mine and potentially mine alone.