The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company's customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data.
Without access controls, the company's customer information was vulnerable to mishandling by employees or outsiders who could exploit the weak security measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls. References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114
* IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8

Under the GDPR, the complainant's request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort.

In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees' privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work- related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws.
Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash.

Mega Corp. is a U.S.-based business with employees in California, Virginia, and Colorado. Therefore, it must comply with the privacy laws of these three states in regard to its human resources data, unless it qualifies for an exemption under each law.
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that was approved by voters in November 2020 and will take effect on January 1, 2023. The CPRA expands the rights and protections of California residents with respect to their personal information and creates a new category of sensitive personal information that includes certain employment-related data, such as Social Security numbers, driver's license numbers, passport numbers, financial account information, biometric information, and geolocation data. The CPRA also establishes a new enforcement agency, the California Privacy Protection Agency, to oversee and enforce the law.
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that was enacted in March 2021 and will take effect on January 1, 2023. The VCDPA grants Virginia residents several rights with respect to their personal data, such as the right to access, correct, delete, port, and opt out of certain processing activities. The VCDPA also imposes various obligations on businesses that control or process personal data of Virginia residents, such as conducting data protection assessments, entering into contracts with processors, and providing privacy notices.
The Colorado Privacy Act (CPA) is another comprehensive privacy law that was enacted in July 2021 and will take effect on July 1, 2023. The CPA grants Colorado residents similar rights as the VCDPA, with some variations, such as the right to appeal a business's response to a request and the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities. The CPA also imposes similar obligations as the VCDPA, with some differences, such as requiring opt-in consent for the processing of sensitive data and allowing businesses to join a universal opt-out mechanism.
All three laws apply to businesses that conduct business in or target consumers in the respective states and meet certain thresholds of revenue or data processing volume. However, all three laws also provide exemptions for certain types of data or entities that are subject to other federal or state laws, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).
One of the exemptions that may be relevant for Mega Corp. is the employee data exemption, which excludes personal data that is collected and used by an employer within the context of an employment relationship or for emergency contact or benefits administration purposes. However, this exemption is not permanent or uniform across the three laws. The CPRA's employee data exemption is set to expire on January 1, 2023, unless extended by the legislature. The VCDPA's employee data exemption is set to expire on January 1,
2023, unless repealed by the legislature. The CPA's employee data exemption does not have an expiration date, but it does not apply to the right to opt out of the sale of personal data or the right to appeal a business's response to a request.
Therefore, depending on the type and scope of the human resources data that Mega Corp. collects and processes, it may have to comply with the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, unless it qualifies for another exemption under each law.
References:
* [IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 227-229.
* CIPP/US Practice Questions (Sample Questions), Question 32.