Privacy & Information Security Law Blog

On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.

In its complaint, the California Attorney General alleged that Comcast disposed of “customer records without shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means” in violation of California Civil Code 1798.81 (the “Civil Code”). When disposing of customer records, the Civil Code requires businesses to take “all reasonable steps” to securely dispose of those records containing personal information. The complaint also contained numerous causes of action related to Comcast’s alleged improper disposal of hazardous materials in violation of environmental, health and safety statutes.

In addition to the monetary penalty, the settlement requires Comcast to:

• Take all reasonable steps to securely delete or destroy customer records containing personal information, before disposing of such records.
• Prohibit the disclosure of customer records containing personal information to third parties, except in accordance with applicable law.
• Document the company’s procedures for disposing of customer records containing personal information and provide relevant employees with readily available electronic access to such documents.
• Post signage regarding the company’s procedures for disposing of customer records in relevant facilities in which the records are handled.
• Provide employees with at least one written and one verbal communication annually that addresses (1) the company’s procedures for disposing of customer records, (2) information regarding identity theft, including its potential impact on customers, and (3) information regarding relevant California laws about the disposal of customer records.
• Provide training to relevant employees about the company’s procedures for disposing of customer records.
• Designate an employee to as serve as the “Customer Records Privacy Officer.”
• Make available its customer records disposal procedures to the Attorney General.
• Retain an independent third party auditor to perform three audits over the next five years assessing Comcast’s compliance with its obligations under the settlement related to its disposal of customer records containing personal information.

In the press release announcing the settlement, California Attorney General Kamala D. Harris said, “Comcast’s careless and unlawful hazardous waste disposal practices jeopardized the health and environmental well-being of California communities and exposed their customers to the threat of identity theft.”

Read the settlement with Comcast.