Arkansas IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Arkansas governs IT asset retirement through the Personal Information Protection Act at Ark. Code Section 4-110-101 et seq., amended in 2019 to add biometric data to the personal-information definition; the records-disposal duty at Ark. Code Section 4-110-104; and the Arkansas Insurance Data Security Act at Ark. Code Section 23-61-1101, which makes Arkansas one of a growing number of states to adopt the NAIC Insurance Data Security Model Law.

The Deceptive Trade Practices Act at Ark. Code Section 4-88-101 provides a private right of action with penalties up to $10,000 per violation. The ADEQ-administered hazardous-waste program under APC&EC Reg. 23 covers the environmental dimension, and HIPAA, the FTC Safeguards Rule, GLBA, and DFARS 252.204-7012 establish the federal baseline.

The Enterprise Compliance Reference below delivers the executive briefing for IT Asset Disposition, secure data destruction, and certified electronics recycling in Arkansas; the sections that follow expand every statute, regulator, and penalty band with cited authority.

Arkansas Enterprise Compliance Reference

| Compliance Topic | What Arkansas Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to affected Arkansas residents in the most expedient time possible and to the Arkansas AG if breach affects more than 1,000 residents under Ark. Code § 4-110-105. | Arkansas AG | Deceptive Trade Practices Act up to $10,000 per violation under § 4-88-113 | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Destruction or modification rendering personal information unreadable or undecipherable under Ark. Code § 4-110-104. | Arkansas AG | Deceptive Trade Practices Act carryover | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Deceptive Trade Practices Act | Ark. Code § 4-88-101 UDAP carryover applies to disposal and breach failures. | Arkansas AG; private parties | Up to $10,000 per violation under § 4-88-113; private right of action under § 4-88-113(f) | Certified data destruction with documented chain of custody. |
| 4. Biometric / Genetic Privacy | Notice and consumer-rights provisions for biometric and genetic information under Ark. Code § 4-110-103 (2019 amendments). | Arkansas AG | Deceptive Trade Practices Act carryover | Certified data destruction with biometric / genetic data attestation. |
| 5. Hazardous Waste & CRT Handling | RCRA-delegated state program under APC&EC Reg. 23; universal-waste rules; CRT rules at 40 C.F.R. § 261.39. | ADEQ | Up to $25,000/day under Ark. Code § 8-7-303 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Arkansas Compliance Reality

Arkansas’s compliance regime spans (1) the Personal Information Protection Act at Ark. Code § 4-110-101 et seq. (notice in the most expedient time possible; AG notice required for breaches affecting more than 1,000 Arkansas residents; the 2019 amendments added biometric data to the personal-information definition and introduced biometric and genetic information consumer-rights provisions), (2) the records-disposal duty at Ark. Code § 4-110-104, (3) the Deceptive Trade Practices Act at Ark. Code § 4-88-101 (private right of action with up to $10,000 per violation), (4) the Arkansas Insurance Data Security Act at Ark. Code § 23-61-1101 (effective January 1, 2022; adopted NAIC Insurance Data Security Model Law), and (5) the ADEQ hazardous-waste rules at APC&EC Reg. 23.

Arkansas and Federal Compliance Interaction

Arkansas’s state regime layers on top of HIPAA, the FTC Safeguards Rule, FACTA, FAR 52.204-21, and DFARS 252.204-7012, and the compliance ceiling for any given asset is whichever regime imposes the stricter destruction outcome and documentation duty. A regulated enterprise must satisfy the stricter of (1) Arkansas statutes including § 4-110-101 (PIPA / breach), § 4-110-104 (disposal), § 4-110-103 (biometric / genetic), § 4-88-101 (Deceptive Trade Practices Act), and § 23-61-1101 (Insurance Data Security Act), (2) federal sector rules including HIPAA Security Rule, FTC Disposal Rule, FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.

Arkansas Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Arkansas, whether Arkansas law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Arkansas Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | exceeds | Ark. Code § 23-61-1101 Insurance Data Security Act imposes written information security program with annual board certification. |
| FACTA Disposal Rule (16 CFR § 682.3) | equals | Federal regime controls; state law does not exceed the federal floor. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Arkansas state hazardous-waste program implements RCRA Subtitle C at the federal floor. |

For federal contractors operating in Arkansas, the Defense Federal Acquisition Regulation Supplement at DFARS 252.204-7012, the Federal Acquisition Regulation at FAR 52.204-21, and the Cybersecurity Maturity Model Certification 2.0 program codified at 32 CFR Part 170 (effective December 16, 2024) impose media-sanitization, chain-of-custody, and incident-reporting duties that flow down through prime-contractor clauses.

NIST SP 800-171 Revision 3 (final May 2024) is the operative control framework for covered defense information and controlled unclassified information; NIST SP 800-88 Revision 2 (operative September 26, 2025) is the operative sanitization standard for both DFARS and CMMC 2.0 audit defensibility.

Arkansas Data Security, Privacy, and Disposal Obligations

Ark. Code § 4-110-105 — PIPA Breach Notification

Ark. Code § 4-110-105 requires notice to affected Arkansas residents in the most expedient time possible and without unreasonable delay. Notice to the Arkansas AG is required if the breach affects more than 1,000 Arkansas residents.

Ark. Code § 4-110-103 — Biometric and Genetic Information (2019 amendments)

Ark. Code § 4-110-103 was amended in 2019 to add biometric data to the personal-information definition and to introduce consumer-rights provisions for biometric and genetic information. Biometric data includes fingerprint, palm print, retina, iris, voiceprint, scan of hand, face geometry, gait analysis, and DNA.

Ark. Code § 4-110-104 — Records Disposal

Ark. Code § 4-110-104 requires entities to take reasonable steps to destroy or arrange for the destruction of customer records containing personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable.

Deceptive Trade Practices Act — Ark. Code § 4-88-101

Arkansas’s Deceptive Trade Practices Act at Ark. Code § 4-88-101 provides a private right of action under § 4-88-113(f) for actual damages and attorney fees. Civil penalties run up to $10,000 per violation under § 4-88-113.

Arkansas Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Arkansas has adopted the NAIC Insurance Data Security Model Law at Ark. Code § 23-61-1101 et seq. (effective January 1, 2022). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Arkansas Public-Sector IT Disposal Posture

Arkansas state agencies retire IT assets under Arkansas Division of Information Systems (DIS) policy. The operative controls include the Arkansas DIS Statewide Information Security Standards; the Arkansas State Archives Records Retention Schedules under Ark. Code § 13-4-201; the State Marketing and Redistribution Section under Ark. Code § 22-7-105; and the Arkansas Computer and Electronic Solid Waste Management Act at Ark. Code § 8-9-401. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel.

Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Arkansas DIS policy guidance.

Data Destruction and Media Sanitization Expectations

Ark. Code § 4-110-104 prescribes the “unreadable or undecipherable” outcome standard via shredding, erasing, or modifying personal information. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Arkansas state agencies follow Arkansas DIS Security Policy.

Hard Drive Shredding

Arkansas’s personal-information definition reaches medical and biometric data inside Ark. Code § 4-110-103, and physical shredding to a NIST 800-88 Rev. 2 Destroy outcome is the only audit posture that closes off the 45-day notification trigger for fixed media. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.

Arkansas E-Waste, Hazardous Waste, and Environmental Compliance

Arkansas has not enacted an electronics-recycling extended producer responsibility program covering private-sector waste. The Arkansas Computer and Electronic Solid Waste Management Act at Ark. Code § 8-9-401 governs state-agency e-waste disposal. Enterprise IT asset retirement routes through ADEQ-authorized hazardous-waste channels at APC&EC Reg. 23.

Enterprise / commercial equipment covered by the Arkansas e-waste program: NO. Arkansas has not enacted an electronics-recycling extended producer responsibility program. The Arkansas Computer and Electronic Solid Waste Management Act at Ark. Code § 8-9-401 governs state-agency e-waste disposal but does not establish a private-sector EPR program. Enterprise IT asset retirement routes through APC&EC Reg. 23 hazardous-waste channels. Arkansas is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through APC&EC Reg. 23; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules cover batteries, lamps, mercury-containing equipment, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Civil penalties run up to $25,000 per day per violation under Ark. Code § 8-7-303. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through R2v3-aligned channels combined with NIST 800-88 Rev. 2 data sanitization. Asset remarketing recovers residual value while preserving chain of custody.

Mobile Devices and Biometric Sensors

Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint).

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Arkansas enforcement is concentrated at the Arkansas AG (Personal Information Protection Act § 4-110-105 with Deceptive Trade Practices Act carryover up to $10,000 per violation under § 4-88-113; private right of action under § 4-88-113(f)), the Arkansas Insurance Department (Insurance Data Security Act § 23-61-1101 effective January 1, 2022), ADEQ (APC&EC Reg. 23 hazardous-waste violations up to $25,000/day under § 8-7-303), and federal regulators with concurrent jurisdiction.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| § 4-110-105 (PIPA breach) | DTPA carryover up to $10,000 per violation under § 4-88-113 | YES (DTPA private action under § 4-88-113(f)) | AR AG; private parties |
| § 4-110-104 (records disposal) | DTPA carryover up to $10,000 per violation | YES (DTPA private action) | AR AG; private parties |
| § 4-110-103 (biometric / genetic) | DTPA carryover up to $10,000 per violation | YES (DTPA private action) | AR AG; private parties |
| § 4-88-101 (DTPA) | Up to $10,000 per violation under § 4-88-113; private actual damages and attorney fees | YES (private right of action under § 4-88-113(f)) | AR AG; private parties |
| § 23-61-1101 (Insurance Data Security Act) | Insurance Department penalties | NO (Insurance Commissioner only) | AR Insurance Department |
| APC&EC Reg. 23 (hazardous waste) | Up to $25,000 per day per violation under § 8-7-303 | NO (ADEQ enforcement) | ADEQ |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Arkansas Office of the Attorney General and the Arkansas Division of Environmental Quality (ADEQ), state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Arkansas State Bank Department examines banks and credit unions for GLBA-aligned information-security-program controls. The Arkansas Insurance Department examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent.

The Arkansas Department of Health examines healthcare entities for HIPAA Security Rule compliance. The Arkansas Division of Higher Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Arkansas Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Arkansas Attorney General investigations under Ark. Code § 4-110-105 are built from the documents an enterprise can produce, and a Retired Electronic Asset without serialized destruction evidence is treated as if the underlying PII was abandoned in clear text.

How All Green Recycling Operationalizes Arkansas Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Arkansas’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through Arkansas Division of Environmental Quality (ADEQ)-authorized channels, and audit-ready reporting.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy Arkansas’s outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for sensitive data categories.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through Arkansas Division of Environmental Quality (ADEQ)-authorized channels and R2v3-aligned recyclers. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.
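
The method rules in the sanitization sections above (degaussing only for magnetic media, Destroy for server drives that held sensitive data) and the per-device certificate and chain-of-custody items in this documentation package can be checked mechanically before the package reaches an auditor. The sketch below is an added example, not All Green Recycling's tooling or code from the original page; the record fields, method names, serials, and certificate IDs are constructed assumptions.

```python
"""Added example: reconcile an ITAD documentation package before audit.
All field names, serials and certificate IDs are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

MAGNETIC = {"hdd", "tape"}                            # degaussing only works on magnetic media
SENSITIVE = {"phi", "financial", "biometric", "cdi"}  # classes the page ties to Destroy
# Assumed method names mapped to NIST 800-88 categories.
CATEGORY = {"clear": "Clear", "degauss": "Purge",
            "crypto_erase": "Purge", "shred": "Destroy"}

@dataclass
class Record:
    serial: str
    media: str
    method: str
    server_drive: bool = False
    data_classes: set = field(default_factory=set)
    certificate_id: Optional[str] = None
    custody: list = field(default_factory=list)  # (released_by, received_by) handoffs

def audit(inventory, records):
    """Return {serial: [findings]} for every asset that would fail document review."""
    by_serial = {r.serial: r for r in records}
    findings = {}
    for serial in inventory:
        rec = by_serial.get(serial)
        if rec is None:
            findings[serial] = ["no disposition record for inventoried asset"]
            continue
        issues = []
        if not rec.certificate_id:
            issues.append("missing Certificate of Data Destruction")
        if rec.method not in CATEGORY:
            issues.append(f"unrecognized method {rec.method!r}")
        if rec.method == "degauss" and rec.media not in MAGNETIC:
            issues.append("degaussing recorded for non-magnetic media")
        if (rec.server_drive and rec.data_classes & SENSITIVE
                and CATEGORY.get(rec.method) != "Destroy"):
            issues.append("sensitive server drive not sanitized to Destroy")
        if not rec.custody:
            issues.append("empty chain-of-custody log")
        # Custody must be continuous: each receiver releases the next handoff.
        for (_, got), (gave, _) in zip(rec.custody, rec.custody[1:]):
            if got != gave:
                issues.append(f"custody gap between {got} and {gave}")
        if issues:
            findings[serial] = issues
    # Records for serials that were never inventoried also need explaining.
    for serial in by_serial.keys() - set(inventory):
        findings[serial] = ["disposition record for serial not in asset list"]
    return findings

# Constructed sample package: five inventoried assets, five vendor records.
INVENTORY = ["SRV-0001-A", "SRV-0001-B", "LT-0420", "TP-0007", "LT-0999"]
RECORDS = [
    Record("SRV-0001-A", "hdd", "shred", True, {"phi"}, "COD-1001",
           [("client-dc", "carrier"), ("carrier", "facility")]),
    Record("SRV-0001-B", "ssd", "degauss", True, {"phi"}, "COD-1002",
           [("client-dc", "carrier"), ("carrier", "facility")]),
    Record("LT-0420", "nvme", "crypto_erase", False, set(), None,
           [("client-hq", "carrier"), ("courier-2", "facility")]),
    Record("TP-0007", "tape", "degauss", False, {"financial"}, "COD-1004",
           [("client-dc", "facility")]),
    Record("XX-5555", "hdd", "shred", False, set(), "COD-1005",
           [("client-dc", "facility")]),
]

if __name__ == "__main__":
    for serial, issues in sorted(audit(INVENTORY, RECORDS).items()):
        print(serial, "->", "; ".join(issues))
```
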

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Arkansas.

What is Arkansas’s breach-notification deadline?

In the most expedient time possible and without unreasonable delay under Ark. Code § 4-110-105. Notice to the Arkansas AG is required if the breach affects more than 1,000 Arkansas residents.

Does Arkansas enumerate disposal methods?

Yes. Ark. Code § 4-110-104 requires shredding, erasing, or otherwise modifying personal information to make it unreadable or undecipherable. Certified data destruction satisfies the method-and-outcome standard.

Has Arkansas adopted the NAIC Insurance Data Security Model Law?

Yes. The Arkansas Insurance Data Security Act at Ark. Code § 23-61-1101, effective January 1, 2022, adopts the NAIC model. Insurance licensees must maintain a written information security program with annual board certification.

Does Arkansas have a comprehensive consumer privacy law?

No. Arkansas has not enacted a comprehensive consumer data privacy act. Disposal and breach duties operate through PIPA at § 4-110-101, the Deceptive Trade Practices Act, and the Insurance Data Security Act.

Does Arkansas have a private right of action?

Yes. The Deceptive Trade Practices Act at Ark. Code § 4-88-113(f) provides a private right of action with actual damages and reasonable attorney fees. Civil penalties run up to $10,000 per violation under § 4-88-113.

Does Arkansas have a state e-waste recycling program?

No. Arkansas has not enacted a private-sector electronics-recycling extended producer responsibility program. The Arkansas Computer and Electronic Solid Waste Management Act at Ark. Code § 8-9-401 governs state-agency e-waste disposal. Enterprise IT asset retirement routes through ADEQ-authorized hazardous-waste channels and certified electronics recycling.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. APC&EC Reg. 23 implements federal RCRA with cradle-to-grave generator liability. ADEQ enforces civil penalties up to $25,000 per day per violation under Ark. Code § 8-7-303.

Which media-sanitization standard does Arkansas accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Arkansas DIS Statewide Information Security Standards reference NIST guidance.

What is the maximum penalty for an Arkansas privacy violation?

Deceptive Trade Practices Act civil penalties run up to $10,000 per violation under § 4-88-113, with private right of action under § 4-88-113(f) for actual damages and attorney fees. ADEQ hazardous-waste penalties under § 8-7-303 run up to $25,000 per day.

What is All Green Recycling’s certification posture for Arkansas enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or ADEQ examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.

Does Arkansas treat the disappearance of unencrypted media as a security breach?

Yes. Ark. Code § 4-110-103(7) defines breach as unauthorized acquisition of computerized data; physical loss of unencrypted media triggers the analysis.

Does Arkansas recognize encryption or verified data sanitization as breach-notification exemptions?

Yes. § 4-110-103(7) excludes encrypted data from the breach definition. NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

Arkansas Compliance as Risk Management

Arkansas IT asset retirement is a layered risk-management discipline. The 2019 amendments expanded the Personal Information Protection Act to include biometric data and introduced consumer-rights provisions for biometric and genetic information; the Arkansas Insurance Data Security Act effective January 1, 2022 implements the NAIC model with written information security program controls on insurance licensees. Compliant retirement proves data was rendered unreadable or undecipherable before custody transfer, breach notice surfaced in the most expedient time possible (with AG notice when 1,000+ residents affected), biometric and genetic information was handled under § 4-110-103 controls, insurance-licensee nonpublic information was handled under § 23-61-1101 controls, and hazardous fractions were handled under APC&EC Reg. 23.

DTPA $10,000 per-violation penalties with private right of action and attorney fees, Insurance Department penalties, ADEQ daily penalties (up to $25,000), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.

Arkansas compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Arkansas-specific audit walkthrough or an RFP-ready compliance package can reach the All Green Recycling response desk at (800) 780-0347.