Canon USA got an early Christmas present today in the form of a class-action lawsuit (Finnigan et al v. Canon USA, Inc.) over the recent ransomware attack and data breach, which (according to Canon) affected current and former employees. Canon disclosed some details about the incident back in November:
We determined that there was unauthorized activity on our network between July 20, 2020 and August 6, 2020. During that time, there was unauthorized access to files on our file servers. We completed a careful review of the file servers on November 2, 2020 and determined that there were files that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents. The information in the files included the individuals’ names and one or more of the following data elements: Social Security number, driver’s license number or government-issued identification number, financial account number provided to Canon for direct deposit, electronic signature, and date of birth.
The lawsuit alleges that the ransomware attack was foreseeable and that Canon acted negligently in its cybersecurity practices. It also alleges claims for violations of several state consumer protection and business practices laws in New York, Ohio, Florida, and Illinois.
Canon employs over 185,000 people worldwide, so this class action has the potential to be quite large.