Basically you're asking about incident handling best practices, but essentially as applicable 'after' you've already handled the incident. As far as I know, and based on the specific questions you've presented, there is no cookie-cutter approach for what your organization needs to do post "lessons learned" phase. It's really a matter of either what you are legally responsible for or simply what you are willing/wanting to do. If valuable intellectual property was involved, then that potentially opens up a can of worms. Likewise, there are certain "things" which require you, like it or not, to contact law enforcement, etc. I think everyone gets the point. Characterizing the type of incident (IP attacks and theft, DoS, malware, email stuff like harassment or phishing, espionage, policy violations like unauthorized use, unlawful activities, insider threats from casual non-destructive to intentional destructive, etc.), determining the extent of damages and then contacting the appropriate parties are all things which should have been done during the containment phase. Here is a resource to help you with said classification: CSIRT case classification document
Now, it seems you've already gone through identification, containment, eradication and recovery, and I'm assuming you have watched and/or are watching carefully for the attacker's return? So let's just go over what's generally considered best practice in phase 6 of standard "by the book" incident handling. Many organizations/people "don't have the time" or bother to really go through with this phase, but let's face it, the attackers are improving all the time, so you need to improve as well. It's time to move on and make new mistakes, but the whole point of this process is to avoid repeating the same old ones. What you should do now is document what happened and how operational capabilities can be improved so as to prevent it and similar incidents from happening again. One way to do that is by creating a follow-up report. Ideally you want to start on this report right away, immediately after recovery. The SANS Institute makes available some useful incident forms you can use in this process. It's generally good practice to encourage all affected parties to review your draft. Once the report has been reviewed, schedule a "lessons learned" meeting if you can. Ideally this meeting should occur within a week or two of resuming production, while the events are still "fresh" in everyone's memory. In general, the main purpose of the meeting is to get consensus on the executive summary of your incident report. IMO the key to the executive summary is illustrating the importance of having effective incident handling procedures in place.
Also, look into the "seven deadly sins" of incident handling. You might find it useful.