For a data encryption incident involving borrower information, what is the correct action sequence for a PLM?

• A. Notify affected parties, contain the incident, recover data, and review security controls.
• B. Contain the incident, notify affected parties, recover data, and review security controls.
• C. Contain the incident and recover data, then notify affected parties.
• D. Contain the incident, recover data, and notify affected parties.

Answer: (B)

Effective incident response begins with containing the incident to stop further data exposure, then notifying affected parties to meet legal and policy obligations, followed by recovering data to restore operations, and finally reviewing security controls to strengthen defenses for the future. Containment first limits damage and preserves evidence, reducing further risk. Notifying affected borrowers promptly helps them take protective steps and satisfies regulatory requirements. Recovery of data and systems comes next to restore service and ensure data integrity. Ending with a post-incident review of security controls allows the organization to identify root causes and implement improvements, reducing the chance of recurrence. Skipping containment or notification first could let the breach worsen or violate laws; skipping post-incident review leaves vulnerabilities unaddressed. This sequence reflects a practical, compliant approach to handling data encryption incidents involving borrower information.