Acuity Brands Hit with Class Action Over 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Acuity Brands, Inc. faces a proposed class action over its alleged failure to prevent a December 2021 data breach that exposed personal information belonging to approximately 37,000 current and former employees.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 73-page lawsuit alleges hackers were reportedly able to penetrate Acuity’s servers over a year ago on December 7 and 8 because the industrial technology company failed to adopt cybersecurity measures adequate enough to safeguard the sensitive data it stored. Per the case, the unauthorized actor behind the incident copied unencrypted files that contained Acuity employees’ names, Social Security and driver’s license numbers, financial account numbers and information about their healthcare benefits.

The case explains that during Acuity’s investigation of the cyberattack, which it says it detected on December 7, 2021, it came to light that a separate data breach had occurred on October 6 and 7, 2020.

Nevertheless, Acuity left victims in the dark about the cyberattacks for nearly a year, the suit stresses. In its notice to impacted individuals, dated December 5, 2022, the company omitted several “critical facts” about the breach, including “the root cause of the Data Breach, the vulnerabilities exploited, why it took over nearly a full year to inform impacted individuals after Defendant determined their information was involved, why Defendant did not detect the October 2020 data breach on its network prior to investigating the December 2021 Data Breach, and the remedial measures undertaken to ensure such a breach does not occur again,” the complaint reads.

The filing argues that, as a consequence of Acuity’s negligence, individuals whose information has been compromised risk falling victim to identity theft and financial fraud for the remainder of their lives.

To make matters worse, Acuity was aware that data thieves regularly target companies that maintain consumers’ sensitive data, the case says. Indeed, reports of similar data breaches at high-profile companies have only increased in recent years, the suit relays.

Although cyberattacks pose a notorious risk to custodians of personal data, companies can take certain reasonable steps to prevent such incidents, the case states. For instance, the United States Government, the United States Cybersecurity & Infrastructure Security Agency and the Federal Trade Commission have all published standard measures companies can adopt to help prevent cyberattacks, the complaint relays.

The filing contends that Acuity overlooked these publicly available measures to the detriment of current and former employees, who will have to pay out-of-pocket for identity monitoring services after the 12 months of the complementary assistance provided by Acuity expires.

The lawsuit looks to represent anyone in the United States whose personally identifiable information was accessed and/or acquired by an unauthorized party as a result of the data breach reported by Acuity Brands, Inc. on or about December 5, 2022. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.