A small item on Courthouse News mentions that Bright House Networks has been sued in a potential class action lawsuit. The complaint, filed in federal court in California, alleges that Bright House Networks, provider of cable TV, Internet and phone services, collects personal information of consumers and retains it indefinitely.
The plaintiff, Robert Hodsdon, alleges that after consumers terminate their service with BHN, the firm continues to maintain personally identifiable information even when it is no longer needed for the purpose for which it was collected. Hodsdon claims this conduct violates the Cable Communications Policy Act of 1984 (47 U.S.C. § 551, et. seq.), which requires cable providers to destroy personally identifiable information when it is no longer required for the purpose for which it was collected:
A cable operator shall destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) of this section or pursuant to a court order.
Hodsdon was a customer between 2005 to February 2011. His lawsuit was filed this week. If it is true that BHN still retains his data, why do they still have it? The alleged data retention appears to conflict not only with the federal law but with BHN’s stated privacy policy:
We maintain customer information, including personally identifiable information, while you are a subscriber to Bright House services. We also maintain customer information for a period of time after you are no longer a subscriber if the information is necessary for the purposes for which it was collected or to satisfy legal requirements. These purposes typically include business, legal, accounting or tax purposes. If these purposes no longer apply, we will destroy the information according to our internal policies and procedures.
Hodsdon’s complaint also alleges that consumers are not even aware that their data have not been deleted because BHN does not send out annual privacy notices.
There is also a state-level complaint incorporated in the complaint under California law:
A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.
Cal.Civ.Code § 1798.81.
Hodson also alleges that the firm does not encrypt data, even though the firm’s privacy policy says they use encryption.
I’ve uploaded the complaint here.
Bright House Networks declined to comment on the matter, citing their policy of not commenting on litigation. Hodsdon’s attorneys did not respond to an inquiry as to why Hodsdon claims the data are not encrypted.