January 30, 2023
Acuity Brands Data Breach Leads to Class Action Lawsuit
Over 37,000 current and former employees reportedly affected by data security incident
Two data breaches that exposed confidential information of current and former Acuity Brands employees has led to multiple lawsuits claiming damages – including a nationwide class action lawsuit filing.
Acuity Brands has disclosed that the company identified two data security incidents that potentially exposed personal information of current and former employees who had enrolled in the company's health plan. The company states that it immediately took steps to secure its systems and engaged with a third-party cybersecurity firm to conduct a thorough investigation into the matter. There are no reports of customer information being impacted by the incidents.
According to the Acuity Brands disclosure, the investigation determined that an unauthorized person obtained access to some of Acuity’s systems on December 7 and December 8, 2021, and copied a subset of files out of its network during that time. During the investigation, Acuity also discovered evidence of an unrelated incident of unauthorized access that occurred on October 6 and October 7, 2020, which included an attempt to copy certain files out of its network. Acuity conducted a review of the files from both incidents.
In December 2022, we asked Acuity Brands about the matter. A company spokesperson shared the following:
“In December of 2021, Acuity Brands communicated to its associates, agents, customers, channel partners, and others that it identified a data security incident. We took immediate steps to secure our systems and worked with a third-party cybersecurity firm to conduct a thorough investigation. Our investigation revealed that that only associate information was involved, sensitive customer data was not impacted, and the incident did not have a material impact on Acuity Brands’ business.”
Personal data potentially exposed:
According to Acuity Brands’ disclosure memo, the files involved in two data security incidents may have disclosed the following information of employees and former employees. The types of information in the files were not the same for all affected individuals.
-
Name
-
Social Security number
-
Driver’s license number
-
Financial account information
-
Limited health information related to other aspects of an individual’s employment with Acuity, such as injury information related to workers compensation claims or related to requests for leave
Additionally, the December 2021 incident may have exposed enrollment and claims information related to the employees’ participation in Acuity’s health plan.
Communication timing:
The class action lawsuit alleges that after learning of the data breach, Acuity Brands waited nearly an entire year (from December 7, 2021, to December 5, 2022) to notify potentially affected individuals. This claim seems to be substantiated by a filing posted by the Maine Attorney General’s office, citing that 37,137 total persons were affected by the data breach. Furthermore, the Maine filing indicated that Acuity began mailing notification letters to potentially affected individuals on December 6, 2022. The Acuity Brands spokesperson today reconfirmed its December message to inside.lighting that the company indeed communicated the breach to Acuity Brands stakeholders in December 2021 as described in the spokesperson quote cited in Paragraph 5 above.
Acuity Brands’ letters were sent to involved individuals for whom Acuity has an address and also offered eligible individuals free credit monitoring services. According to a sample letter obtained by inside.lighting, the individuals were offered a free 12-month subscription to Experian IdentityWorks, an identity protection service.
See the Sample Letter sent by Acuity »
The lawsuits:
In December 2022, a former Acuity Brands employee, Melissa Stark filed a lawsuit in U.S. District Court for the Northern District of Georgia claiming damages stemming from the security breach. She claimed to be a victim of bank fraud impacting both her JP Morgan Chase account and her Hoosier Heartland State Bank account. Stark claims that she was employed by Acuity brands from May to December 2019.
The class action lawsuit was filed last week in the same federal court and cites two plaintiffs: Andrew Smith of Illinois – a 24-year Acuity brands employee and Mackenzie Fairfield, an Indiana resident who claims to have worked for Acuity Brands for eight months in 2018.
Both Smith and Fairfield claimed numerous damages surrounding the data breach and the potential negative impact of their personal information being exposed, but neither party cited any specific examples of actual identity theft or substantial monetary losses stemming from the data security incident as of the date of the filing.
The plaintiffs are alleging numerous counts against Acuity Brands including negligence and breach of implied contract. The class action plaintiffs and their attorneys are petitioning the court for numerous orders including an order that certifies the Class Action lawsuit and also for an award of damages, including actual, statutory, nominal, and consequential damages, as allowed by law.
Acuity Brands has not yet filed their responses to the complaints in either lawsuit and, per usual, the company declined to comment on pending litigation.
