BreachExchange mailing list archives

Disney ID cards risk identity theft, violate employee privacy, suit says


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 18 May 2011 21:32:56 -0400

http://newsandinsight.thomsonreuters.com/California/News/2011/05_-_May/Disney_ID_cards_risk_identity_theft,_violate_employee_privacy,_suit_says/

May 17 (Westlaw Journals) - Employee identification cards required by
Walt Disney Co. compromise workers’ identity and privacy because they
contain a bar code imbedded with employees’ Social Security numbers, a
California state court lawsuit says.

Barcode scanners, now available on many mobile phones, can read and
interpret the data on the identification cards, putting workers at
risk for identity theft if the cards are lost or stolen, the
plaintiffs say.

Kristi Richards and Jorge Iniestra, employees at two Disney hotels in
California, filed suit in the Los Angeles County Superior Court on
behalf of more than 20,000 current and former Disney employees (plus
future employees in California) issued identification cards containing
their Social Security numbers since February 2007.

The complaint is identical to the one the plaintiffs filed in federal
court in February.

According to the suit, employees use the ID cards for everything,
including clocking in and out and gaining access to restricted areas
such as employee parking lots.  The cards must be presented to
security personnel upon request.

The company also retains former employees’ cards in an unsecured
location, making them susceptible to theft or illegal use, the
plaintiffs assert.

According to the suit, Disney learned about the risks posed by the ID
cards three years ago, when a security guard discovered that any
barcode scanner could read them.

Encoding employee Social Security numbers on the IDs violates Cal.
Civ. Code § 1798.85, which makes it unlawful to publicly display or
print a SSN on an identification card, the complaint says.

In addition, use of the cards violates the individual right to privacy
guaranteed by the state Constitution because employees have a
reasonable expectation of privacy at work and retain the right not to
disclose personal information, the plaintiffs add.

The suit seeks injunctive relief to stop Disney from putting the
personal information on the cards.  It also seeks damages,
including credit monitoring and fraud insurance, to protect employees
from the possible effects of identity theft.

Richards et al. v. Walt Disney Co. et al., No. BC459779, complaint
filed (Cal. Super. Ct., L.A. County Apr. 20, 2011).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
