Posted On December 8, 2022 Consumer Privacy & Data Breaches
On December 6, 2022, Acuity Brands filed notice of a data breach with the Maine Attorney General after the company learned of a data security incident that exposed employee information to unauthorized access. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to employees’ names, Social Security numbers, driver’s license numbers and financial account information. After confirming that employee data was leaked, Acuity began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Acuity data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Acuity Brands.
The available information regarding the Acuity Brands breach comes from the company’s filing with the Attorney General of Maine, as well as notice posted on the company’s website. According to these sources, on December 7, 2021, Acuity detected irregularities with the company’s IT system. In response, Acuity took steps to secure its network and then began working with a third-party data security firm in hopes of learning more about the incident and what, if any, consumer or employee data was compromised as a result.
Acuity’s investigation confirmed that an unauthorized party accessed certain computer systems on December 7, 2021, which lasted until December 8, 2021. The investigation also revealed that the unauthorized party copied a subset of files from the company’s network. However, Acuity was able to determine that the breach only affected employee data and that no consumer data was leaked.
Upon discovering that sensitive employee data was made available to an unauthorized party, Acuity Brands began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number and financial account information.
On December 6, 2022, Acuity Brands sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to the Attorney General of Maine, the Acuity Brands data breach affected over 37,000 current and former employees.
Established in 2001 and based in Atlanta, Georgia, Acuity Brands is a company that specializes in lighting and building management solutions. Acuity’s business is broken down into two groups, the lighting division and the intelligent spaces division. Acuity is the largest lighting manufacturer in the United States. Acuity Brands is publicly traded on the New York Stock Exchange under the ticker symbol “AYI.” Acuity Brands employs more than 13,000 people and generates approximately $3 billion in annual revenue.
Yes, as a general rule, employers have an affirmative obligation to protect the employee information in their care, and, in certain circumstances, employers who negligently leak employee data can be held financially liable for a breach. However, the fact that a company experienced a data breach does not automatically mean that it will be financially responsible for victims’ damages because employers are only on the hook for breaches that were the result of the company’s negligence.
Data breach lawsuits are based on the legal theory of negligence. In this context, proving a case of negligence in an employee data breach requires employees to prove each of the following elements:
In most cases, the first element of the negligence analysis doesn’t present much of a hurdle for employees because it’s commonly understood that employers owe employees a duty to protect their information. However, determining that an employer’s negligence was the cause of or a contributing factor to a breach is more challenging.
In part, this is because data breaches are criminal acts carried out by third parties. Clearly, employers do not intend to leak employee information, and employers are not the ones who orchestrate these attacks. However, just because a criminal carried out the attack doesn’t mean that an employer can’t be held liable. This is because employers have a legal duty to protect employee data from foreseeable access by implementing an adequate data security system. And whether an employer has a data-security system isn’t necessarily the end of the inquiry because the sufficiency of an employer’s system can be called into question.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Acuity data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Acuity Brands (the actual notice sent to consumers can be found here):
Dear [Redacted],
We addressed a data security incident that involved some of your information. This letter explains the incident, the measures we have taken, and some steps you may consider taking in response.
On December 7, 2021, we identified a data security incident, immediately took steps to secure our systems, and worked with a third-party cybersecurity firm to conduct a thorough investigation. Our investigation determined that an unauthorized person obtained access to some of our systems on December 7 and December 8, 2021, and copied a subset of files out of our network during that time. During our investigation, we also discovered evidence of an unrelated incident of unauthorized access that occurred on October 6 and October 7, 2020, which also included copying certain files out of our network. We conducted a review of the files copied from our network in December 2021 and October 2020. Our review identified that they contained personal information.
This information may have included your name, Social Security number, driver’s license number, and financial account information. Additionally, the files may also have included limited health information related to other aspects of your employment with Acuity, such as injury information related to workers compensation claims or related to requests for leave under the Family and Medical Leave Act. The types of information in the files was not the same for all individuals.
We regret any inconvenience or concern this incident may cause you, and we are offering you a complimentary one-year membership in Experian’s IdentityWorksSM. This product helps detect possible misuse of your information and provides you with identity protection support focused on immediate identification and resolution of identity theft. IdentityWorks is free and enrolling in this program will not affect your credit score. For more information on IdentityWorks, including instructions on how to activate your complimentary one-year membership and steps you can take to protect your information, please see the pages that follow this letter.
We also encourage you to remain vigilant by reviewing your financial account statements and credit reports for any unauthorized activity. If you see charges or activity that you did not authorize, please contact the relevant financial institution or credit bureau reporting the activity immediately.
We have established a dedicated call center to help answer any questions you may have about the incident. The call center may be reached at (855) 504-3853, Monday through Friday from 9:00 a.m. until 6:30 p.m. EST, excluding some major U.S. holidays. We are also enhancing our existing security protocols and technical safeguards to further secure our environment and to help prevent a similar incident in the future.
