BreachExchange mailing list archives
Disney ID cards risk identity theft, violate employee privacy, suit says
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 18 May 2011 21:32:56 -0400
http://newsandinsight.thomsonreuters.com/California/News/2011/05_-_May/Disney_ID_cards_risk_identity_theft,_violate_employee_privacy,_suit_says/ May 17 (Westlaw Journals) - Employee identification cards required by Walt Disney Co. compromise workers’ identity and privacy because they contain a bar code imbedded with employees’ Social Security numbers, a California state court lawsuit says. Barcode scanners, now available on many mobile phones, can read and interpret the data on the identification cards, putting workers at risk for identity theft if the cards are lost or stolen, the plaintiffs say. Kristi Richards and Jorge Iniestra, employees at two Disney hotels in California, filed suit in the Los Angeles County Superior Court on behalf of more than 20,000 current and former Disney employees (plus future employees in California) issued identification cards containing their Social Security numbers since February 2007. The complaint is identical to the one the plaintiffs filed in federal court in February. According to the suit, employees use the ID cards for everything, including clocking in and out and gaining access to restricted areas such as employee parking lots. The cards must be presented to security personnel upon request. The company also retains former employees’ cards in an unsecured location, making them susceptible to theft or illegal use, the plaintiffs assert. According to the suit, Disney learned about the risks posed by the ID cards three years ago, when a security guard discovered that any barcode scanner could read them. Encoding employee Social Security numbers on the IDs violates Cal. Civ. Code § 1798.85, which makes it is unlawful to publicly display or print a SSN on an identification card, the complaint says. In addition, use of the cards violates the individual right to privacy guaranteed by the state Constitution because employees have a reasonable expectation of privacy at work and retain the right not to disclose personal information, the plaintiffs add. The suit seeks injunctive relief to stop Disney from putting the personal information on the cards. It also seeks as damages, including credit monitoring and fraud insurance, to protect employees from the possible effects of identity theft. Richards et al. v. Walt Disney Co. et al., No. BC459779, complaint filed (Cal. Super. Ct., L.A. County Apr. 20, 2011). _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Learn encryption strategies that manage risk and shore up compliance. Download Article 1 of CREDANT Technologies' The Essentials Series: Endpoint Data Encryption That Actually Works http://credant.com/campaigns/realtime2/gap-LP1/
Current thread:
- Disney ID cards risk identity theft, violate employee privacy, suit says Jake Kouns (May 23)