Idaho IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Idaho holds the shortest breach-notification timeline of any U.S. jurisdiction (24 hours to the Attorney General for public-sector agencies under Idaho Code § 28-51-105), and the practical effect is that data destruction at hardware end-of-life cannot be a slow or undocumented process for any in-state public or contracted entity. The Enterprise Compliance Reference below is the Idaho executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

Idaho Enterprise Compliance Reference

| Compliance Topic | What Idaho Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Breach Notification | Notice to affected Idaho residents in the most expedient time possible; 24-hour AG notice for breaches involving Idaho state/county/municipal agencies under Idaho Code § 28-51-105. | Idaho Attorney General | Up to $5,000 per violation via ICPA | Certified media shredding with serialized Certificate of Destruction. |
| 2. Reasonable Security | Reasonable and prompt investigation of breach; safeguard duty over personal information under Idaho Code § 28-51-104. | Idaho AG | Up to $5,000 per violation via ICPA | Certified data destruction aligned to NIST SP 800-88 Rev. 2. |
| 3. Records Disposal | No standalone state disposal statute; federal HIPAA Privacy Rule (45 CFR § 164.530) and FTC Disposal Rule (16 CFR Part 682) provide the operative outcome standards. | HHS OCR, FTC | HIPAA up to $2.067M per identical violation per year (2025) | Certified data wiping aligned to NIST Clear / Purge. |
| 4. Data Destruction Standard | No state-specific standard prescribed; NIST SP 800-88 Rev. 2 is the federal civilian baseline. | N/A (federal baseline) | N/A | Hard drive shredding for high-sensitivity media. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under IDAPA 58.01.05; universal-waste rules at IDAPA 58.01.05.273; CRT rules at 40 C.F.R. § 261.39. | Idaho DEQ | Up to $10,000/day under Idaho Code § 39-4413 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Idaho Compliance Reality

Idaho’s privacy compliance regime is concentrated in the Idaho Identity Theft Protection Act (Idaho Code § 28-51-101 et seq.) and the Idaho Consumer Protection Act (Idaho Code § 48-601 et seq.). Retirement of a Retired Electronic Asset in Idaho is governed by (1) Idaho Code § 28-51-105, which requires breach notice in the most expedient time possible (with a 24-hour AG notice for breaches involving Idaho state, county, or municipal agencies), (2) Idaho Code § 28-51-104, which establishes a safeguard duty across the data life cycle, (3) the IDAPA 58.01.05 hazardous-waste rules administered by the Idaho Department of Environmental Quality (DEQ), and (4) federal sector overlays (HIPAA Privacy Rule, FTC Disposal Rule, FTC Safeguards Rule). Idaho does not operate a statewide manufacturer-takeback EPR program. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Idaho and Federal Compliance Interaction

Idaho’s heavy federal-research and defense-contracting footprint (INL, Boise contractors) means FAR 52.204-21, DFARS 252.204-7012, CMMC 2.0, and the HIPAA Security Rule already cover most data handling in the state, with Idaho Code § 28-51 sitting on top as a notification overlay. A regulated enterprise must satisfy the stricter of (1) Idaho statutes including § 28-51-105 (breach notice) and § 28-51-104 (safeguard duty), (2) federal sector rules including the HIPAA Security and Privacy Rules, the FTC Disposal Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. Because Idaho lacks a standalone records-disposal statute, the federal disposal standards are the operative state-facing baseline.

Idaho Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Idaho, whether Idaho law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Idaho Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | Idaho exceeds | Idaho Code § 28-51-105 imposes 24-hour public-sector AG notification window; private-sector breach notification under § 28-51-105. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | IDAPA 58.01.05 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Idaho must satisfy CMMC 2.0 in addition to Idaho state law.

Idaho Data Security, Privacy, and Disposal Obligations

Idaho Code § 28-51-105 — Breach Notification

Idaho Code § 28-51-105 requires any agency, individual, or commercial entity that conducts business in Idaho and owns or licenses computerized data containing personal information, upon discovery of a breach, to give notice to affected Idaho residents in the most expedient time possible and without unreasonable delay. Breaches involving an Idaho state, county, or municipal agency trigger an additional notice to the Idaho Attorney General within 24 hours. Personal information is SSN, driver’s license, or account number plus security code or password.

Idaho Code § 28-51-104 — Safeguard and Reasonable Security

Idaho Code § 28-51-104 requires any agency, individual, or commercial entity that conducts business in Idaho that owns, licenses, or maintains personal information to conduct in good faith a reasonable and prompt investigation upon discovery of a breach. The statute imposes a general safeguard duty across the data life cycle.

Federal Records-Disposal Anchor

Idaho does not maintain a standalone records-disposal statute. The operative state-facing baseline for IT asset retirement is the federal anchor: HIPAA Privacy Rule (45 CFR § 164.530), HIPAA Security Rule (45 CFR § 164.310(d)(2)(i)), FTC Disposal Rule (16 CFR Part 682, requiring “reasonable measures” with method enumeration), and the FTC Safeguards Rule (16 CFR Part 314). Pre-disposal NIST SP 800-88 Rev. 2 alignment satisfies the federal anchor.

Idaho Public-Sector IT Disposal Posture

Idaho state agencies retire IT assets under Idaho Office of Information Technology Services (ITS) policy. The operative controls include Idaho ITS enterprise security policy, Idaho Division of Purchasing surplus property, and Idaho State Archives records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Idaho Office of Information Technology Services (ITS) policy guidance.

Data Destruction and Media Sanitization Expectations

Idaho relies on the federal disposal anchor. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Idaho state agencies follow Idaho Office of Information Technology Services (ITS) cybersecurity standards (Executive Order 2018-09).

Hard Drive Shredding

Idaho-resident PII covered by Idaho Code § 28-51 must reach the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because the 24-hour public-sector AG deadline simply does not accommodate uncertainty about a device’s data state. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.

Idaho E-Waste, Hazardous Waste, and Environmental Compliance

Idaho does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement in Idaho routes through the federal RCRA-delegated state hazardous-waste program administered by the Idaho Department of Environmental Quality (DEQ) under IDAPA 58.01.05 (Idaho Rules and Standards for Hazardous Waste). Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium.

Enterprise / commercial equipment covered by the Idaho e-waste program: NO. Idaho has no state e-waste EPR program; enterprise IT asset retirement routes through IDAPA 58.01.05 hazardous-waste rules. Idaho is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through IDAPA 58.01.05; the state program operates at the federal floor unless explicitly more stringent.

Universal-waste rules at IDAPA 58.01.05.273 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and pesticides. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under Idaho Code § 39-4413 run up to $10,000 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Idaho enforcement is concentrated at the Idaho Attorney General Consumer Protection Division (ICPA carryover for ITPA), Idaho DEQ (hazardous-waste violations under Idaho Code § 39-4413, up to $10,000/day), and federal regulators with concurrent jurisdiction. Idaho has been a multistate participant in recent cyber actions. The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| Idaho Code § 28-51-105 (breach notice) | Enforceable via ICPA | NO (AG-only) | Idaho AG |
| Idaho Code § 28-51-104 (safeguard duty) | Enforceable via ICPA | NO (AG-only) | Idaho AG |
| Idaho Code § 48-606 (ICPA) | Up to $5,000 per violation | NO (DEQ enforcement) | Idaho AG |
| Idaho Code § 39-4413 (hazardous waste) | Up to $10,000 per day per violation | NO (AG-only) | Idaho DEQ |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Idaho Attorney General and the Idaho environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Idaho Department of Finance examines banks and credit unions for GLBA-aligned information-security-program controls. The Idaho Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Idaho Department of Health and Welfare examines healthcare entities for HIPAA Security Rule compliance. The Idaho State Board of Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Idaho Public Utilities Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Idaho’s 24-hour public-sector AG notification timeline makes documented chain-of-custody and serialized destruction the only realistic way an enterprise can avoid a punitive Attorney General posture, because absent records leave the regulator no choice but to treat the asset as a continuing exposure.

How All Green Recycling Operationalizes Idaho Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Idaho’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line aligns to NIST SP 800-88 Rev. 2 and satisfies the federal HIPAA Privacy Rule and FTC Disposal Rule disposal anchors that govern in the absence of an Idaho-specific disposal statute.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through DEQ-authorized channels that satisfy IDAPA 58.01.05 hazardous-waste characterization and universal-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.
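As an added example (not All Green Recycling's tooling and not part of the original page), this Python check reconciles a documentation package against the sanitization rules stated above: degaussing only for magnetic media, cryptographic erase or destruction for flash, and Destroy for PHI, financial-account, or covered defense information. The record fields, method labels, data-class labels, and serial numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Sanitization method -> NIST SP 800-88 category, following the page's grouping.
# The method labels themselves are hypothetical field values.
CATEGORY = {"overwrite": "Clear", "crypto_erase": "Purge",
            "degauss": "Purge", "shred": "Destroy"}
MAGNETIC = {"hdd", "tape"}
FLASH = {"ssd", "nvme"}
# Data classes the page says must reach Destroy before custody transfer.
DESTROY_REQUIRED = {"phi", "financial", "cdi"}


@dataclass(frozen=True)
class Asset:
    serial: str
    media: str        # hdd, tape, ssd, nvme
    data_class: str   # phi, financial, cdi, general


def reconcile(assets, custody_serials, certificates):
    """Return a sorted list of (serial, finding) gaps in the package.

    assets: list of Asset (the serialized asset list)
    custody_serials: set of serials present in the chain-of-custody log
    certificates: dict of serial -> sanitization method on the certificate
    """
    findings = []
    for a in assets:
        if a.serial not in custody_serials:
            findings.append((a.serial, "no chain-of-custody entry"))
        method = certificates.get(a.serial)
        if method is None:
            findings.append((a.serial, "no Certificate of Data Destruction"))
            continue
        if method not in CATEGORY:
            findings.append((a.serial, f"unknown method {method!r}"))
            continue
        if method == "degauss" and a.media not in MAGNETIC:
            findings.append((a.serial, "degauss recorded for non-magnetic media"))
        elif a.media in FLASH and method not in {"crypto_erase", "shred"}:
            findings.append((a.serial, "flash media needs crypto erase or destruction"))
        if a.data_class in DESTROY_REQUIRED and CATEGORY[method] != "Destroy":
            findings.append(
                (a.serial, f"{a.data_class} data requires Destroy, got {CATEGORY[method]}"))
    # Certificates that match nothing on the asset list cannot be tied to custody.
    for serial in set(certificates) - {a.serial for a in assets}:
        findings.append((serial, "certificate for serial not on asset list"))
    return sorted(findings)


# Constructed sample package; none of these serials or records are real.
SAMPLE_ASSETS = [
    Asset("SN-0001", "hdd", "general"),
    Asset("SN-0002", "ssd", "general"),
    Asset("SN-0003", "hdd", "phi"),
    Asset("SN-0004", "nvme", "financial"),
    Asset("SN-0005", "tape", "general"),
]
SAMPLE_CUSTODY = {"SN-0001", "SN-0002", "SN-0003", "SN-0005"}
SAMPLE_CERTS = {"SN-0001": "overwrite", "SN-0002": "degauss",
                "SN-0003": "degauss", "SN-0004": "shred", "SN-0099": "shred"}

if __name__ == "__main__":
    for serial, finding in reconcile(SAMPLE_ASSETS, SAMPLE_CUSTODY, SAMPLE_CERTS):
        print(f"{serial}: {finding}")
```

An empty result means every serialized asset has a custody entry and a certificate whose method fits its media type and data class.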

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Idaho.

What is Idaho’s breach-notification deadline?

Idaho does not impose a fixed-day deadline for private-sector breaches. Under Idaho Code § 28-51-105, notice must be given in the most expedient time possible and without unreasonable delay. Breaches involving an Idaho state, county, or municipal agency require notice to the Idaho Attorney General within 24 hours.

Does Idaho have a standalone records-disposal statute?

No. Idaho relies on the federal anchor: HIPAA Privacy Rule (45 CFR § 164.530), FTC Disposal Rule (16 CFR Part 682), and FTC Safeguards Rule (16 CFR Part 314). The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 through certified data destruction.

Does Idaho’s personal-information definition include biometric data?

No. The Idaho Identity Theft Protection Act personal-information definition (Idaho Code § 28-51-104) enumerates SSN, driver’s license, and account number plus security code or password. Biometric data is not enumerated, and Idaho has no separate biometric statute.

Why is the 24-hour AG notice for public-sector breaches material to ITAD planning?

If a Retired Electronic Asset originated in an Idaho state, county, or municipal agency and a breach is later discovered, the 24-hour AG notice clock under § 28-51-105 begins immediately. Pre-disposal NIST 800-88 alignment through hard drive shredding eliminates the underlying breach exposure.

Does Idaho have a state-funded electronics-recycling program?

No. Idaho does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement routes through DEQ-authorized hazardous-waste channels and certified electronics recycling with environmental disposition records.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. IDAPA 58.01.05 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by IDAPA 58.01.05.273. Civil penalties under Idaho Code § 39-4413 run up to $10,000 per day per violation.

Which media-sanitization standard does Idaho accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Idaho state agencies follow Idaho Office of Information Technology Services (ITS) cybersecurity standards (Executive Order 2018-09).

What is the maximum penalty for an Idaho privacy or disposal violation?

Violations of the Idaho Identity Theft Protection Act and the Idaho Consumer Protection Act carry civil penalties up to $5,000 per violation under Idaho Code § 48-606. The Idaho AG is the enforcement authority.

What is All Green Recycling’s certification posture for Idaho enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or DEQ examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.

How does the federal HIPAA / GLBA baseline interact with Idaho law?

A regulated enterprise must satisfy the stricter of (1) Idaho statutes including § 28-51-105 (breach notice) and § 28-51-104 (safeguard duty), (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses. The federal disposal anchor is the operative state-facing baseline.

Does Idaho’s breach definition reach the physical loss of unencrypted hardware?

Yes. Idaho Code § 28-51-104 defines breach as unauthorized acquisition of computerized data, which extends to physical loss of unencrypted media.

What encryption and sanitization carve-outs does Idaho’s breach statute provide?

Idaho Code § 28-51-104 excludes encrypted data, and sanitization verified under NIST SP 800-88 Revision 2 removes personal information from the breach trigger.

Idaho Compliance as Risk Management

Idaho IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was sanitized to the federal disposal anchor before custody transfer, that breach notice surfaced in the most expedient time possible after discovery (with 24-hour notice for public-sector breaches), that downstream processing routed through DEQ-authorized channels, and that hazardous fractions were handled under the universal-waste rules. ICPA per-violation civil penalties, DEQ daily penalties (up to $10,000), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.

Idaho compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Idaho-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.