Mmm... the legal situation has been mentioned in a couple of threads.

The law varies widely according to the country you are in, and state-by-state in the US. However, one thing that you need to make sure is that you and your company are in the clear legally..

..for example, if confidential data was breached then you may be required to take further steps in law. Failure to do so may land you and your company in trouble. You need to keep in close contact with your legal advisor on this.

You also have to consider the balance between securing your systems against collecting evidence. If you want to determine the exact scope of the instrusion then you may well need to leave the door open to them. Again, take legal advice.

It does sound like your overall approach is good though - you need to look at the issue from a "whole business" perspective which is what you are doing.