(800) 780-0347
Home»Compliances»Indiana IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Indiana IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Indiana’s Disclosure of Security Breach statute (Ind. Code § 24-4.9) and dedicated records-disposal duty at Ind. Code § 24-4-14 specifically require destruction or redaction of personal information before a record is discarded, making documented hardware end-of-life a statutory rather than discretionary process. The Enterprise Compliance Reference below is the Indiana executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent Attorney General enforcement context.

Indiana Data Destruction &Amp;Amp; E-Waste Recycling Compliance Regulations

Indiana Enterprise Compliance Reference

Compliance Topic What Indiana Requires Who Enforces Penalty Band What All Green Recycling Provides
1. Breach Notification Notice to affected Indiana residents and to the Attorney General without unreasonable delay under Ind. Code § 24-4.9-3-1. Indiana Attorney General Up to $5,000 per violation via Indiana CPA Certified media shredding with serialized Certificate of Destruction.
2. Records Disposal Shred, incinerate, mutilate, erase, or otherwise modify personal information to render it unreadable or unusable under Ind. Code § 24-4-14-8. Indiana AG Up to $5,000 per violation via Indiana CPA Certified data wiping aligned to NIST Clear / Purge.
3. Indiana CDPA (Effective Jan 1, 2026) Controller obligations including data-minimization, purpose-limitation, and sensitive-data consent (biometric data included) under Ind. Code § 24-15. Indiana AG Up to $7,500 per violation Certified data destruction with biometric-data attestation.
4. Data Destruction Standard Statutory outcome (“unreadable or unusable”); NIST SP 800-88 Rev. 2 is the federal civilian baseline. N/A (federal baseline) N/A Hard drive shredding for high-sensitivity media.
5. E-Waste & Hazardous Waste Manufacturer takeback for residential covered devices under Ind. Code § 13-20.5; hazardous-waste characterization for commercial generators under 329 IAC 3.1. Indiana IDEM Up to $25,000/day under Ind. Code § 13-30-4 Certified electronics recycling with environmental disposition record.
6. Federal Overlay & Audit Posture HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. HHS OCR, FTC, federal prime contractors HIPAA up to $2.067M per identical violation per year (2025) IT asset reporting packaged for compliance, legal, and audit teams.

Indiana Compliance Reality

Indiana’s privacy compliance regime spans (1) the Indiana Disclosure of Security Breach Act (Ind. Code § 24-4.9), (2) the records-disposal statute at Ind. Code § 24-4-14, (3) the Indiana Consumer Data Protection Act (Ind. Code § 24-15) effective January 1, 2026, (4) the Indiana E-Waste Law (Ind. Code § 13-20.5) administered by IDEM, and (5) the federal sector overlays of HIPAA, GLBA, and the FTC Safeguards Rule. Retirement of a Retired Electronic Asset in Indiana is governed by the breach-notice duty under § 24-4.9-3-1 (notice without unreasonable delay to affected Indiana residents and to the Attorney General), the records-disposal duty under § 24-4-14-8 (method enumeration: shred, incinerate, mutilate, erase, or otherwise modify to unreadable or unusable outcome), the CDPA sensitive-data consent and controller duties (effective 2026, biometric data enumerated), and the IDEM hazardous-waste rules. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Indiana and Federal Compliance Interaction

Indiana’s manufacturing and logistics economy means most in-state enterprises operate against HIPAA, GLBA, the FTC Safeguards Rule, FACTA, FAR 52.204-21, and DFARS 252.204-7012 federal regimes, and the Ind. Code § 24-4.9 and 24-4-14 statutes sit on top of that floor. A regulated enterprise must satisfy the stricter of (1) Indiana statutes including § 24-4.9 (breach notice), § 24-4-14 (records disposal), and § 24-15 (CDPA, effective 2026), (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. Indiana CDPA sensitive-data duties (biometric data, health-condition data, precise geolocation) take effect January 1, 2026 and apply to controllers conducting business in Indiana or producing products/services targeted to Indiana residents and meeting threshold tests.

Indiana Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Indiana, whether Indiana law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

Federal Regime Indiana Posture Stricter Element (if any)
HIPAA Security Rule (45 CFR Part 164 Subpart C) equals Federal regime controls; state law does not exceed the federal floor.
GLBA / FTC Safeguards Rule (16 CFR Part 314) Indiana exceeds Ind. Code § 27-2-27 (NAIC Insurance Data Security adoption) imposes a written information security program with annual board certification.
FACTA Disposal Rule (16 CFR § 682.3) Indiana exceeds Ind. Code § 24-4-14-8 enumerates specific disposal methods (shredding, incineration, mutilation, erasing).
DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) equals Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down.
RCRA Subtitle C (40 CFR Parts 260-279) equals 329 IAC 3.1 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor.

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Indiana must satisfy CMMC 2.0 in addition to Indiana state law.

Indiana Data Security, Privacy, and Disposal Obligations

Ind. Code § 24-4.9 — Disclosure of Security Breach

Ind. Code § 24-4.9-3-1 requires a database owner that experiences a breach to disclose the breach to each Indiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notification must be without unreasonable delay. Notice to the Indiana Attorney General is also required without unreasonable delay (no fixed-day deadline). Personal information is SSN, driver’s license, state ID, or account/credit/debit card number combined with a security code or password.

Ind. Code § 24-4-14-8 — Records Disposal With Method Enumeration

Ind. Code § 24-4-14-8 requires a person that owns, maintains, or otherwise possesses personal information of an Indiana resident, at the time of disposal, to take reasonable measures to dispose of the records by shredding, incinerating, mutilating, erasing, or otherwise modifying the personal information to make it unreadable or unusable. The statute enumerates methods (shred, incinerate, mutilate, erase, modify) and prescribes the outcome standard (unreadable or unusable).

Indiana Consumer Data Protection Act (Effective Jan 1, 2026)

The Indiana Consumer Data Protection Act at Ind. Code § 24-15-1 et seq. takes effect January 1, 2026. Modeled on the Virginia CDPA, the Indiana CDPA imposes controller obligations including (i) data-minimization, (ii) purpose-limitation, (iii) reasonable administrative, technical, and physical safeguards, (iv) opt-out rights for sale of personal data, targeted advertising, and profiling with legal or similarly significant effects, and (v) sensitive-data consent (biometric data, health-condition data, precise geolocation, immigration status, racial/ethnic origin, religious beliefs, citizenship, sexual orientation, mental/physical health diagnosis, children’s data). Civil penalties are up to $7,500 per violation enforced by the Indiana Attorney General.

Federal Records-Disposal Anchor

Federal records-disposal duties (HIPAA Privacy Rule, FTC Disposal Rule, FTC Safeguards Rule) layer on top of the Indiana statutory baseline.

Indiana Public-Sector IT Disposal Posture

Indiana state agencies retire IT assets under Indiana Office of Technology (IOT) policy. The operative controls include Indiana IOT IT-01 Information Security; Department of Administration State Surplus Property; Indiana Commission on Public Records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Indiana Office of Technology (IOT) policy guidance.

Indiana Insurance Data Security Law (NAIC Insurance Data Security Adoption)

Indiana has adopted the NAIC Insurance Data Security Model Law at Ind. Code § 27-2-27 (effective July 1, 2020). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Data Destruction and Media Sanitization Expectations

Ind. Code § 24-4-14-8 prescribes an “unreadable or unusable” outcome standard with method enumeration. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Indiana state agencies follow Indiana Office of Technology (IOT) information-security standards.

Hard Drive Shredding

Indiana-resident PII on fixed media requires the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because Ind. Code § 24-4-14’s discard-without-destruction prohibition reaches any unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to § 24-4-14-8.

Indiana E-Waste, Hazardous Waste, and Environmental Compliance

Indiana operates the Indiana E-Waste Law at Ind. Code § 13-20.5 (P.L. 178-2009, effective 2009), which imposes manufacturer takeback for residential covered devices (computers, monitors, televisions, printers, fax machines, peripherals). The program is administered by the Indiana Department of Environmental Management (IDEM). Indiana does not impose a statewide landfill ban on commercial electronics; commercial generators remain subject to RCRA-delegated hazardous-waste characterization for any waste exhibiting toxicity characteristic for lead, mercury, cadmium, or chromium.

Enterprise / commercial equipment covered by the Indiana e-waste program: PARTIAL. Indiana E-Waste Program (Ind. Code § 13-20.5) is manufacturer-funded for households and small businesses under 10 employees; enterprise bulk disposal routes through 329 IAC 3.1 hazardous-waste rules. Indiana is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 329 IAC 3.1; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste rules at 329 IAC 3.1 incorporate federal 40 C.F.R. Parts 260-279. Universal-waste rules at 329 IAC 3.1-16 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under Ind. Code § 13-30-4 run up to $25,000 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Indiana enforcement is concentrated at the Indiana Attorney General Consumer Protection Division (breach-notice and records-disposal carryover under the Indiana CPA, up to $5,000 per violation; CDPA enforcement effective 2026 at up to $7,500 per violation), Indiana IDEM (hazardous-waste violations under Ind. Code § 13-30-4, up to $25,000/day), and federal regulators with concurrent jurisdiction. Indiana was part of the AG v. Anthem $40M multistate settlement (2020). The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

Statute / Authority Civil Penalty Band Private Right of Action Enforcer
Ind. Code § 24-4.9 (breach notice) Enforceable via Indiana CPA up to $5,000 per violation NO (AG-only) Indiana AG
Ind. Code § 24-4-14 (records disposal) Enforceable via Indiana CPA up to $5,000 per violation NO (AG-only under Indiana CDPA effective Jan 1, 2026) Indiana AG
Ind. Code § 24-15 (CDPA, effective 2026) Up to $7,500 per violation NO (Department of Insurance enforcement) Indiana AG
Ind. Code § 13-20.5 (e-waste manufacturer takeback) Civil penalties via IDEM NO (IDEM enforcement) Indiana IDEM
Ind. Code § 13-30-4 (hazardous waste) Up to $25,000 per day per violation NO (AG-only) Indiana IDEM
HIPAA (federal overlay) Up to $2,067,813 per identical violation per year (2025 adjusted) LIMITED (HIPAA private actions) HHS OCR

State Sectoral Regulators and Audit Authority

In addition to the Indiana Attorney General and the Indiana environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Indiana Department of Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls. The Indiana Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Indiana Department of Health examines healthcare entities for HIPAA Security Rule compliance. The Indiana Commission for Higher Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Indiana Utility Regulatory Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Indiana Attorney General consumer-protection investigations under Ind. Code § 24-4-14 are built from the documentary record an enterprise can produce, and a Retired Electronic Asset that cannot be tied to serialized destruction evidence is treated as a presumptive records-disposal violation.

How All Green Recycling Operationalizes Indiana Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Indiana’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through IDEM-compliant channels, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the Ind. Code § 24-4-14-8 “unreadable or unusable” outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for Indiana CDPA biometric-data requirements effective January 1, 2026.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through IDEM-authorized channels that satisfy Ind. Code § 13-20.5 manufacturer-takeback program requirements for residential covered devices and 329 IAC 3.1 hazardous-waste characterization for commercial generators. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Indiana.

What is Indiana’s breach-notification deadline?

Indiana does not impose a fixed-day deadline. Ind. Code § 24-4.9-3-1 requires notice to affected Indiana residents and to the Indiana Attorney General without unreasonable delay.

Does Indiana enumerate disposal methods?

Yes. Ind. Code § 24-4-14-8 enumerates shredding, incinerating, mutilating, erasing, or otherwise modifying personal information to render it unreadable or unusable. Certified data destruction satisfies the method-and-outcome standard.

When does the Indiana Consumer Data Protection Act take effect?

January 1, 2026. The Indiana CDPA imposes controller obligations including data-minimization, purpose-limitation, opt-out rights, and sensitive-data consent (biometric data, health-condition data, precise geolocation, etc.). Civil penalties up to $7,500 per violation enforced by the Indiana Attorney General.

Does Indiana’s personal-information definition include biometric data for breach notice?

Not under § 24-4.9 breach notice (which is tied to SSN, driver’s license, state ID, or account number plus security code/password). The Indiana CDPA effective 2026 treats biometric data as sensitive data requiring consent and additional safeguards under controller duties.

Does Indiana have a state-funded electronics-recycling program?

Yes for residential. Ind. Code § 13-20.5 establishes manufacturer takeback for residential covered devices (computers, monitors, televisions, printers, fax machines, peripherals), administered by IDEM. Commercial generators route through certified electronics recycling.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. 329 IAC 3.1 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by 329 IAC 3.1-16. Civil penalties under Ind. Code § 13-30-4 run up to $25,000 per day per violation.

Which media-sanitization standard does Indiana accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Indiana Office of Technology (IOT) information-security standards reference NIST 800-88.

What is the maximum penalty for an Indiana privacy violation?

Violations of the breach-notice and records-disposal statutes are enforceable via the Indiana Consumer Protection Act up to $5,000 per violation. Indiana CDPA violations (effective 2026) carry civil penalties up to $7,500 per violation. The Indiana Attorney General is the enforcement authority.

What is All Green Recycling’s certification posture for Indiana enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or IDEM examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, IDEM disposition records, and contracted-service safeguard terms.

How does the federal HIPAA / GLBA baseline interact with Indiana law?

A regulated enterprise must satisfy the stricter of (1) Indiana statutes including § 24-4.9, § 24-4-14, and § 24-15 (CDPA), (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses. The Indiana CDPA does not preempt federal sector rules.

Does Indiana’s disclosure-of-security-breach statute include physical loss of unencrypted devices?

Yes. Ind. Code § 24-4.9 covers unauthorized acquisition of personal information which extends to physical loss of unencrypted media.

How does Indiana treat encryption and verified data sanitization for breach-notice relief?

Yes. § 24-4.9-2-3 excludes encrypted data; § 24-4-14-8 enumerates disposal methods (shred, incinerate, mutilate, erase); NIST SP 800-88 Revision 2 verified sanitization satisfies these standards.

Indiana Compliance as Risk Management

Indiana IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable or unusable through enumerated methods before custody transfer, that breach notice surfaced without unreasonable delay to both affected residents and the Attorney General, that biometric data was handled under the Indiana CDPA consent and safeguards regime effective 2026, that downstream processing routed through IDEM-authorized channels, and that hazardous fractions were handled under the universal-waste rules. CPA per-violation civil penalties, CDPA $7,500 per-violation penalties (effective 2026), IDEM daily penalties (up to $25,000), HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records.

Indiana compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Indiana-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.