Louisiana IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Louisiana’s Database Security Breach Notification Law (La. R.S. 51:3071) and the related Identity Theft Protection Act run through the Office of the Attorney General with notice to both individuals and the AG, making documented hardware destruction a precondition rather than a recovery posture. The Enterprise Compliance Reference below is the Louisiana executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

Louisiana Enterprise Compliance Reference

Louisiana Compliance Reality

Louisiana’s privacy compliance regime spans (1) the Louisiana Database Security Breach Notification Law (La. R.S. 51:3071–3077) with a 60-day resident-notice deadline and a 10-day Attorney General notice under La. R.S. 51:3074, (2) the records-disposal duty at La. R.S. 51:3074(F) which prescribes method enumeration (shred, erase, modify) and outcome (“unreadable or undecipherable through any means”), (3) the biometric-data enumeration in the personal-information definition since Act 382 of 2018 (DNA, fingerprint, iris/retina, voiceprint), (4) the Louisiana Unfair Trade Practices Act (La. R.S. 51:1401), and (5) the LDEQ hazardous-waste rules at LAC 33:V. Louisiana has not enacted a comprehensive consumer privacy law as of 2025–2026, does not operate a state-funded electronics EPR program, and does not impose a statewide e-waste landfill ban. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Louisiana and Federal Compliance Interaction

Louisiana’s heavy energy, healthcare, and port-logistics industries put HIPAA, GLBA, the FTC Safeguards Rule, FACTA, RCRA, FAR 52.204-21, and DFARS 252.204-7012 federal duties on most in-state enterprises, with La. R.S. 51:3071 sitting as a state notification overlay. A regulated enterprise must satisfy the stricter of (1) Louisiana statutes including La. R.S. 51:3074 (breach notice, disposal, biometric, reasonable security) and La. R.S. 51:1401 (LUTPA carryover), (2) federal sector rules including the HIPAA Security Rule, the FTC Disposal Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. The 60-day notice deadline plus 10-day AG notice and the “unreadable or undecipherable through any means” disposal outcome are the state-specific anchors layered on top of the federal baseline.

Louisiana Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Louisiana, whether Louisiana law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Louisiana must satisfy CMMC 2.0 in addition to Louisiana state law.

Louisiana Data Security, Privacy, and Disposal Obligations

La. R.S. 51:3074 — Breach Notification (60-Day Deadline)

La. R.S. 51:3074 requires any person that conducts business in Louisiana, or any agency that owns or licenses computerized data that includes personal information, upon discovery of a breach, to notify affected Louisiana residents in the most expedient time possible and without unreasonable delay, but not later than 60 days from the discovery of the breach (Act 382 of 2018). Notice to the Louisiana Attorney General Consumer Protection Section is required within 10 days of distribution of resident notice. Personal information includes SSN, driver’s license, account number plus security/access code, and biometric data (DNA, fingerprint, iris/retina, voiceprint).

La. R.S. 51:3074(F) — Records Disposal

La. R.S. 51:3074(F) requires an entity that maintains computerized data containing personal information to take all reasonable steps to destroy or arrange for the destruction of records containing personal information when the records are no longer to be retained, by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means. The statute enumerates methods (shred, erase, modify) and prescribes the outcome standard (“unreadable or undecipherable through any means”).

La. R.S. 51:3074(B)(3) — Reasonable Security

La. R.S. 51:3074(B)(3) requires implementation and maintenance of reasonable security procedures and practices appropriate to the nature of the information to protect personal information from unauthorized access, destruction, use, modification, or disclosure.

Biometric Enumeration Since Act 382 of 2018

Act 382 of 2018 expanded the personal-information definition under La. R.S. 51:3074(B) to include biometric data (DNA, fingerprint, iris scan, retina scan, voiceprint). A breach of biometric records triggers Louisiana notification duties, including the 60-day resident notice and 10-day AG notice. There is no separate Louisiana biometric privacy act.

Louisiana Public-Sector IT Disposal Posture

Louisiana state agencies retire IT assets under Louisiana Office of Technology Services (OTS) policy. The operative controls include Louisiana OTS Information Security Policy; Louisiana Property Assistance Agency surplus; State Archives records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Louisiana Office of Technology Services (OTS) policy guidance.

Louisiana Insurance Data Security Law (NAIC Insurance Data Security Adoption)

Louisiana has adopted the NAIC Insurance Data Security Model Law at La. R.S. § 22:2501 et seq. (effective August 1, 2020). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Louisiana Student Privacy Act (Student-Data Privacy)

Louisiana’s student-data privacy statute at La. R.S. § 17:3914 regulates K-12 ed-tech operators that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Louisiana’s outcome standard and retain the destruction certificate.

Data Destruction and Media Sanitization Expectations

La. R.S. 51:3074(F) prescribes the “unreadable or undecipherable through any means” outcome standard with method enumeration. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Louisiana state agencies follow Louisiana Office of Technology Services (OTS) information-security policies.

Hard Drive Shredding

Louisiana-resident PII on fixed media must reach the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because R.S. 51:3074 prohibits disposal of records containing PII without redaction or destruction. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to La. R.S. 51:3074(F).

Louisiana E-Waste, Hazardous Waste, and Environmental Compliance

Louisiana does not operate a state-funded manufacturer-takeback or EPR program for electronics and does not impose a statewide landfill ban on covered electronic devices. Enterprise IT asset retirement in Louisiana routes through the federal RCRA-delegated state hazardous-waste program administered by the Louisiana Department of Environmental Quality (LDEQ) Office of Environmental Services under LAC 33:V. Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium.

Enterprise / commercial equipment covered by the Louisiana e-waste program: NO. Louisiana has no state e-waste EPR program; enterprise IT asset retirement routes through LAC Title 33 Part V hazardous-waste rules administered by LDEQ. Louisiana is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through LAC Title 33 Part V; the state program operates at the federal floor unless explicitly more stringent.

Universal-waste rules at LAC 33:V.4001–4007 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under La. R.S. 30:2025 run up to $32,500 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework.

Mobile Devices and Biometric Sensors

Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint, voiceprint) which is enumerated under La. R.S. 51:3074(B) since 2018.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Louisiana enforcement is concentrated at the Louisiana Attorney General Consumer Protection Section (La. R.S. 51:3074 civil penalties up to $5,000 per violation; LUTPA enforcement under La. R.S. 51:1401), Louisiana LDEQ (hazardous-waste violations under La. R.S. 30:2025 up to $32,500/day), and federal regulators with concurrent jurisdiction. Louisiana was a participant in the AG v. Equifax multistate $575M settlement (2019). The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

State Sectoral Regulators and Audit Authority

In addition to the Louisiana Attorney General and the Louisiana environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Louisiana Office of Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls. The Louisiana Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Louisiana Department of Health examines healthcare entities for HIPAA Security Rule compliance. The Louisiana Board of Regents oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Louisiana Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Louisiana Attorney General enforcement is built from the documentary record an enterprise can produce, and a Retired Electronic Asset without a serialized destruction Certificate is treated as a presumptive R.S. 51:3074 disposal-duty and R.S. 51:3071 notification trigger.

How All Green Recycling Operationalizes Louisiana Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Louisiana’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through LDEQ-compliant channels, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the La. R.S. 51:3074(F) “unreadable or undecipherable through any means” outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for the Louisiana biometric-data enumeration in effect since Act 382 of 2018.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through LDEQ-authorized channels that satisfy LAC 33:V hazardous-waste characterization and universal-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Louisiana.

Louisiana Compliance as Risk Management

Louisiana IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable or undecipherable through any means before custody transfer, that breach notice surfaced not later than 60 days from discovery (with 10-day AG notice), that biometric records were handled under the La. R.S. 51:3074(B) enumeration in effect since 2018, that downstream processing routed through LDEQ-authorized channels, and that hazardous fractions were handled under the universal-waste rules. Per-violation civil penalties under La. R.S. 51:3074, LDEQ daily penalties (up to $32,500), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.

Louisiana compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Louisiana-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.