The Chief Privacy Officer, PGLD, should discontinue the practice of categorizing all business data breaches as low risk. In addition, for data breaches categorized as high risk, issue a notification letter to the business and place the data breach indicator on the business tax account.