ACTS Retirement Services, Inc. (ACTS), a non-profit corporation that manages retirement communities, suffered a data breach in April 2022, which led to unauthorized access to thousands of current and former employees’ personal information. Specifically, names, Social Security numbers, and financial information were effected. As a result of this incident, ACTS now faces a data breach class action suit in which the plaintiffs allege that ACTS failed to implement adequate security systems to protect employee information, which led to the access of their information by cyber criminals. The complaint alleges that the incident will lead to a heightened risk of identity theft and fraud for all affected individuals. Furthermore, the complaint alleges that the credit monitoring and identity theft protection services offered were insufficient to protect the proposed class members.

The lead plaintiff in the action claims that ACTS retains employees’ information for years and “even decades” after they stop working at the business.

This class action may act as a reminder to reassess the data your own company collects, how it is stored, maintained and protected, and to determine your business need and any legal requirements around retention of those data so that you can destroy or delete any data that you no longer need or are required to retain. To view the class action complaint, click here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.