Arizona IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Arizona governs IT asset retirement through a duty surface that converges data security, records disposal, and environmental compliance into a single regulated event. A.R.S. Sections 18-551 and 18-552 impose a 45-day breach-notification deadline with biometric and mental-health data in scope, A.R.S. Section 44-7601 sets an outcome-based records-disposal standard, and the ADEQ-administered hazardous-waste program under A.A.C. Title 18 Chapter 8 covers end-of-life electronics, all layered over a federal baseline of HIPAA, the FTC Safeguards Rule, GLBA, and DFARS 252.204-7012.

The Enterprise Compliance Reference below delivers the executive briefing for IT Asset Disposition, secure data destruction, and certified electronics recycling in Arizona; the sections that follow expand every statute, regulator, and penalty band with cited authority.

Arizona Enterprise Compliance Reference

| Compliance Topic | What Arizona Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice within 45 days of determination under A.R.S. § 18-552(B); AG and DHS notice for 1,000+ residents. Personal information includes biometric data and medical/mental-health information per A.R.S. § 18-551(11). | Arizona Attorney General; AZ Department of Homeland Security | Up to $10,000 per affected person; $500,000 cap per breach | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Redact or destroy records containing PII under A.R.S. § 44-7601(A). | Arizona AG; county attorneys | $500 / $1,000 / $5,000 tiered for repeat violations | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Data Security Standard | No standalone reasonable-security statute; HIPAA/GLBA federal overlay; ADOA P8120 for state agencies. | HHS OCR; FTC; ADOA (state agencies) | Federal-overlay penalties apply | Certified data destruction aligned to NIST SP 800-88 Rev. 2. |
| 4. Biometric Data Handling | Biometric data is “personal information” under A.R.S. § 18-551(11); breach trigger and disposal duty apply. | Arizona AG | Same as breach notice band | Hard drive shredding for media that has processed biometric templates. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under A.A.C. Title 18, Chapter 8; universal-waste rules at A.A.C. R18-8-273; CRT rules at 40 C.F.R. § 261.39. | ADEQ | Up to $25,000/day under A.R.S. § 49-923 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Arizona Compliance Reality

Arizona’s privacy compliance regime is structured around two state statutes and federal overlays. Retirement of an electronic asset in Arizona is governed by (1) A.R.S. §§ 18-551 and 18-552, which include biometric data and medical or mental-health information as “personal information” subject to a 45-day breach-notification deadline, (2) A.R.S. § 44-7601, which prohibits discarding or disposing of records containing PII without redaction or destruction, (3) the federal overlay of HIPAA and GLBA (Arizona has no standalone reasonable-security statute), (4) the ADEQ-administered RCRA-delegated hazardous-waste program at A.A.C. Title 18, Chapter 8, and (5) the universal-waste rules at A.A.C. R18-8-273.

Arizona does not operate a statewide manufacturer-takeback or EPR program for electronics. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Arizona and Federal Compliance Interaction

Arizona has no standalone reasonable-security statute, which means the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012 set the baseline that A.R.S. §§ 18-551, 18-552, and 44-7601 extend rather than replace. A regulated enterprise must satisfy the stricter of (1) Arizona statutes including A.R.S. § 18-552 (breach notice) and A.R.S. § 44-7601 (records disposal), (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.

Arizona’s breach-notification statute exempts HIPAA-covered entities and GLBA-covered entities under A.R.S. § 18-552(N), so for those entities the federal sector rule controls. Arizona’s records-disposal statute applies regardless of federal sector status.

Arizona Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Arizona, whether Arizona law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Arizona Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | Arizona exceeds | A.R.S. § 44-7601 requires destruction of records containing personal identifying information by burning, pulverizing, or shredding. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | AAC Title 18 Ch. 8 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Arizona must satisfy CMMC 2.0 in addition to Arizona state law.

Arizona Data Security, Privacy, and Disposal Obligations

A.R.S. § 18-552 — Breach Notification

A.R.S. § 18-552 requires any person that conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information, upon awareness of a security incident, to conduct an investigation and, if the investigation determines a breach has occurred, to notify affected Arizona residents within 45 days. When the breach affects more than 1,000 residents, notice is also required to the three largest nationwide consumer reporting agencies, the Arizona Attorney General, and the Director of the Arizona Department of Homeland Security. Civil penalties under § 18-552(K) run up to $10,000 per affected person with a $500,000 cap per breach.

A.R.S. § 18-551 — Personal Information Definitions (with Biometric Overlay)

Arizona’s “personal information” definition at A.R.S. § 18-551(11) covers the traditional name + SSN / driver license / financial-account-number framework and explicitly enumerates biometric data and medical or mental-health information as “specified data elements.” The breach-notice trigger therefore attaches to any retired hardware that has processed biometric template files or medical/mental-health information when that data remains accessible after custody transfer. The audit-defensible posture is sanitization to NIST 800-88 Purge or Destroy before custody transfer so that the breach trigger never attaches.

A.R.S. § 44-7601 — Records Disposal

A.R.S. § 44-7601 prohibits an entity from knowingly discarding or disposing of records or documents containing an individual’s first and last name (or first initial and last name) in combination with a complete Social Security number, credit/charge/debit card number, retirement account number, savings/checking/securities entitlement account number, or driver license/nonoperating ID number, without either redacting the information or destroying the records. Civil penalties follow a tiered schedule: up to $500 for a first violation, up to $1,000 for a second, and up to $5,000 for a third or subsequent. Enforcement authority is concurrent between the Arizona AG and county attorneys.

An entity that maintains its own procedures consistent with the section requirements is afforded an affirmative defense.

Arizona Public-Sector IT Disposal Posture

Arizona state agencies retire IT assets under Arizona Department of Administration (ADOA-ASET) policy. The operative controls include ADOA Statewide Information Security Policy P8120 and the Arizona State Library Records Retention Schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel.

Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Arizona Department of Administration (ADOA-ASET) policy guidance.

Data Destruction and Media Sanitization Expectations

The A.R.S. § 44-7601 records-disposal statute prescribes an outcome (redacted or destroyed) and remains method-agnostic. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Arizona state agencies follow ADOA P8120 series Statewide Information Security policies, which reference NIST 800-88 as the operative baseline.

The audit-defensible position for an Arizona enterprise is NIST 800-88 Rev. 2 alignment with method selection driven by media type, data sensitivity, and federal sector overlay (HIPAA, GLBA, DFARS).

Hard Drive Shredding

For Arizona-resident PII covered by A.R.S. § 18-551’s biometric and mental-health information overlay, the only defensible posture for fixed magnetic and solid-state media is physical shredding to a NIST 800-88 Rev. 2 Destroy outcome. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed. Per-drive serialized records feed the Certificate of Data Destruction.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. It does not sanitize SSDs, NVMe, and other modern flash media, which store data electrically rather than magnetically; those require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing PII subject to § 44-7601.

Arizona E-Waste, Hazardous Waste, and Environmental Compliance

Arizona does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement in Arizona routes through the federal RCRA-delegated state hazardous-waste program administered by the Arizona Department of Environmental Quality (ADEQ) under A.A.C. Title 18, Chapter 8. Hazardous-waste characterization follows the federal toxicity characteristic for lead (from CRT glass and circuit-board solder), mercury (from LCD backlights, switches, and thermostats), cadmium (from batteries and pigments), and chromium (from circuit boards).

Enterprise / commercial equipment covered by the Arizona e-waste program: NO. Arizona has no state e-waste EPR program; enterprise IT asset retirement routes through AAC Title 18 Ch. 8 hazardous-waste rules administered by ADEQ. Arizona is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through Arizona Administrative Code Title 18 Chapter 8; the state program operates at the federal floor unless explicitly more stringent.

A.A.C. R18-8-273 (universal-waste rules) covers batteries, lamps, mercury-containing equipment, electronic devices, and mercury thermostats with streamlined management standards. Generator status under A.A.C. R18-8-262 follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under A.R.S. § 49-923 run up to $25,000 per day per violation.

Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records and, where applicable, hazardous-waste manifests.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when biometric, medical or mental-health, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework as server hardware. Locally cached credentials and authentication tokens must be sanitized before remarketing or recycling.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material containing subscriber identifiers.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Arizona enforcement is concentrated at the Arizona Attorney General, county attorneys (for records-disposal violations), ADEQ (for hazardous-waste violations), and federal regulators with concurrent jurisdiction. Arizona has been a frequent multistate participant in recent cyber actions (TikTok 2024, Marriott 2024, Equifax 2019). The operative standard in these reviews is audit reconstruction: the ability to reconstruct each step of asset retirement on demand.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| A.R.S. § 18-552 (breach notice) | Up to $10,000 per affected person; $500,000 cap per breach | NO (AG-only) | Arizona AG |
| A.R.S. § 44-7601 (records disposal) | $500 / $1,000 / $5,000 tiered | NO (AG-only) | Arizona AG; county attorneys |
| A.A.C. Title 18, Ch. 8 (hazardous waste) | Up to $25,000/day per violation under A.R.S. § 49-923 | NO (ADEQ enforcement) | ADEQ |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Arizona Attorney General and ADEQ, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Arizona Department of Insurance and Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls, and examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent.

The Arizona Department of Health Services examines healthcare entities for HIPAA Security Rule compliance. The Arizona Board of Regents oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Arizona Corporation Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Arizona’s A.R.S. § 44-7601 records-disposal duty is a destruction-outcome statute, not a methods statute, and the Attorney General evaluates an enterprise’s posture by whether it can show the outcome through serialized device-level evidence. The affirmative defense at A.R.S. § 44-7601(D) depends on documented procedures consistent with the section’s requirements, which the documentation packet directly supports.

How All Green Recycling Operationalizes Arizona Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Arizona’s statutory duty surface. An engagement runs from scheduled asset pickup with a documented chain of custody, through secured transport (IT equipment packaging and transportation) and certified data destruction at the receiving facility, to environmental disposition and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy A.R.S. § 44-7601, NIST SP 800-88 Rev. 2, and the posture of sanitizing before custody transfer so that the § 18-552 breach trigger never attaches. Method selection is driven by media type and data sensitivity.

Certified Electronics Recycling

Certified electronics recycling diverts retired electronic assets from landfill through ADEQ-authorized channels that satisfy A.A.C. Title 18, Chapter 8 hazardous-waste characterization. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction. The chain-of-custody record is structured for direct delivery to a regulator, an OEM, or a prime contractor.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the ones enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a retired electronic asset is moving through IT Asset Disposition in Arizona.

What is Arizona’s breach-notification deadline?

Under A.R.S. § 18-552(B), notice to affected Arizona residents must occur within 45 days after determination of the breach. AG and Arizona Department of Homeland Security notice is required when more than 1,000 residents are affected. Civil penalties run up to $10,000 per affected person with a $500,000 cap per breach.

Does Arizona’s records-disposal statute prescribe a specific destruction method?

No. A.R.S. § 44-7601 requires either redaction or destruction of records containing PII; the statute is method-agnostic as to how destruction is carried out. The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 through certified data destruction with verification per device. An affirmative defense is available under § 44-7601(D) for entities maintaining their own procedures consistent with the section.

Does Arizona’s definition of personal information include biometric data?

Yes. A.R.S. § 18-551(11) explicitly enumerates biometric data and medical or mental-health information as specified data elements within “personal information.” Retired hardware that has processed biometric template files must be sanitized to NIST 800-88 Purge or Destroy before custody transfer so that the breach-notice trigger never attaches.

Are HIPAA and GLBA entities exempt from Arizona’s breach-notice statute?

Yes. A.R.S. § 18-552(N) provides that the statute does not apply to a person subject to HIPAA or GLBA. For those entities the federal sector rule controls. The records-disposal statute at A.R.S. § 44-7601 applies regardless of federal sector status.

Does Arizona have a state-funded electronics-recycling program?

No. Arizona does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement routes through ADEQ-authorized hazardous-waste channels under A.A.C. Title 18, Chapter 8 and is executed through certified electronics recycling with environmental disposition records.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. A.A.C. Title 18, Chapter 8 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by A.A.C. R18-8-273. Civil penalties under A.R.S. § 49-923 run up to $25,000 per day per violation.

Which media-sanitization standard does Arizona accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Arizona state agencies follow ADOA P8120 series standards, which reference NIST 800-88.

What standard applies to Arizona state-agency IT asset retirement?

Arizona state agencies operate under ADOA Statewide Information Security Policies (P8120 series) issued by the Arizona Department of Administration. The policies reference NIST SP 800-88 as the operative media-sanitization baseline. State agencies route through approved disposal channels with documented chain of custody.

What is All Green Recycling’s certification posture for Arizona enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect from an Arizona engagement on AG examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and the contracted-service safeguard terms. The packet supports the § 44-7601(D) affirmative defense and is structured for direct delivery to the Arizona AG, ADEQ, HHS OCR, FTC, or counterparty audit.

How does the federal HIPAA / GLBA baseline interact with Arizona law?

A regulated enterprise must satisfy the stricter of (1) Arizona records-disposal statute A.R.S. § 44-7601 (which applies to all entities) and breach-notice statute A.R.S. § 18-552 (which exempts HIPAA and GLBA entities), (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses.

Does Arizona’s breach statute cover the loss of unencrypted devices?

Yes. A.R.S. § 18-552 covers unauthorized acquisition of personal information including physical loss of unencrypted media.

Can verified NIST 800-88 sanitization or encryption defer Arizona’s breach-notification duty?

Yes. A.R.S. § 18-552 provides an encryption safe harbor; NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach definition.

Arizona Compliance as Risk Management

Arizona IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable before custody transfer, that biometric and medical or mental-health information was handled in line with the § 18-552 breach trigger and the disposal duty, and that downstream processing routed through ADEQ-authorized channels.

A.R.S. § 18-552 per-affected-person civil penalties, § 44-7601 tiered records-disposal penalties, ADEQ daily penalties, HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records: serialized destruction logs, chain-of-custody continuity, environmental disposition evidence, hazardous-waste manifests where applicable, and contracted-service safeguard terms.

Arizona compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Arizona-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.