Michigan IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Michigan’s Identity Theft Protection Act (MCL 445.61) and the Insurance Data Security Act (an NAIC IDS Model Law adopter) combine with the state’s automotive, healthcare, and manufacturing concentrations to make documented hardware end-of-life destruction a frequent audit surface. The Enterprise Compliance Reference below is the Michigan executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

Michigan Enterprise Compliance Reference

| Compliance Topic | What Michigan Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to affected Michigan residents without unreasonable delay; CRA notice if more than 1,000 residents affected under MCL 445.72. | Michigan AG | Civil fines up to $250 per violation; $750,000 aggregate | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Destroy records so personal information cannot be read, deciphered, or reconstructed; methods include shredding, burning, or modifying under MCL 445.72a. | Michigan AG | UDAP carryover via MCPA | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Social Security Number Privacy Act | Regulates use, display, and disclosure of SSNs; requires destruction so SSN cannot be read or reconstructed under MCL 445.81 et seq. | Michigan AG | Civil and criminal penalties | Certified data destruction with SSN-specific attestation. |
| 4. Electronic Waste Takeback Program | Manufacturer-funded takeback for computers, monitors, printers, fax machines, peripherals under Part 173 of NREPA (MCL 324.17301 et seq.); effective 2010. | Michigan EGLE | Registration enforcement | Certified electronics recycling through EGLE-authorized channels. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under Part 111 of NREPA (R 299.9101 et seq.); universal-waste rules at R 299.11201; CRT rules at 40 C.F.R. § 261.39. | Michigan EGLE | Up to $25,000/day | Certified IT asset disposition with hazardous-waste manifest. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Michigan Compliance Reality

Michigan’s privacy and environmental compliance regime spans (1) the Michigan Identity Theft Protection Act at MCL 445.61 et seq. (breach notice without unreasonable delay; consumer reporting agency notice for breaches affecting more than 1,000 Michigan residents; civil fines up to $250 per violation with a $750,000 aggregate cap), (2) the records-disposal duty at MCL 445.72a (destroy records so personal information cannot be read, deciphered, or reconstructed; methods include shredding, burning, or modifying), (3) the Social Security Number Privacy Act at MCL 445.81 et seq. (one of the most detailed state SSN-protection statutes), (4) the Michigan Consumer Protection Act at MCL 445.901 et seq. (civil penalties up to $25,000 per violation), (5) the Electronic Waste Takeback Program at Part 173 of NREPA (MCL 324.17301 et seq., effective 2010, manufacturer-based takeback for computers, monitors, printers, fax machines, peripherals), and (6) the EGLE hazardous-waste rules at Part 111 of NREPA (R 299.9101 et seq.). Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Michigan and Federal Compliance Interaction

Michigan’s automotive and aerospace supply chain pulls FAR 52.204-21, DFARS 252.204-7012, and CMMC 2.0 down to subcontractors, and HIPAA, GLBA, the FTC Safeguards Rule, FACTA, and the NAIC IDS-aligned Insurance Data Security Act ride alongside those federal regimes. A regulated enterprise must satisfy the stricter of (1) Michigan statutes including ITPA (MCL 445.61), MCL 445.72a records disposal, SSN Privacy Act (MCL 445.81), MCPA (MCL 445.901), and Part 173 of NREPA (e-waste takeback), (2) federal sector rules including the HIPAA Security Rule, the FTC Disposal Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. The 445.72a “cannot be read, deciphered, or reconstructed” disposal outcome and the manufacturer-funded Part 173 takeback program are the state-specific anchors layered on top of the federal baseline.

Michigan Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Michigan, whether Michigan law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Michigan Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | Michigan exceeds | Mich. Comp. Laws § 500.550 (NAIC Insurance Data Security adoption) imposes a written information security program with annual board certification. |
| FACTA Disposal Rule (16 CFR § 682.3) | Michigan exceeds | Mich. Comp. Laws § 445.72a imposes destruction-method duty; § 445.81 (SSN Privacy Act) imposes additional SSN-specific safeguards. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Mich. Admin. Code R 299 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Michigan must satisfy CMMC 2.0 in addition to Michigan state law.

Michigan Data Security, Privacy, and Disposal Obligations

MCL 445.72 — ITPA Breach Notification

MCL 445.72 requires any person that owns or licenses data that includes personal information about a Michigan resident, upon discovery or notification of a breach, to give notice as soon as practicable and without unreasonable delay. Notice to consumer reporting agencies is required when the breach affects more than 1,000 Michigan residents. Personal information includes SSN, driver’s license, state personal identification card number, and financial account number plus security/access code or password.

MCL 445.72a — Records Disposal

MCL 445.72a requires a person who maintains records containing personal information to destroy the records, including paper records and information stored electronically, in a manner that ensures the records cannot be read, deciphered, or reconstructed. Acceptable methods include shredding, burning, or modifying the information to make it unreadable.

Social Security Number Privacy Act (MCL 445.81 et seq.)

The Social Security Number Privacy Act regulates the use, display, and disclosure of SSNs and requires destruction so the SSN cannot be read or reconstructed. Retired Electronic Assets containing records with SSNs require certified data destruction with SSN-specific attestation.

Michigan Consumer Protection Act (MCL 445.901 et seq.)

The MCPA carryover provides civil penalties up to $25,000 per violation. ITPA, SSN Privacy Act, and disposal-statute violations may be enforced through MCPA.

Michigan Public-Sector IT Disposal Posture

Michigan state agencies retire IT assets under Michigan Department of Technology, Management and Budget (DTMB) policy. The operative controls include Michigan DTMB Information Technology Security Policy 1340.00; Department of Management & Budget surplus property; Michigan Archives records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Michigan Department of Technology, Management and Budget (DTMB) policy guidance.

Michigan Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Michigan has adopted the NAIC Insurance Data Security Model Law at Mich. Comp. Laws § 500.550 et seq. (effective January 20, 2022). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Data Destruction and Media Sanitization Expectations

MCL 445.72a prescribes the “cannot be read, deciphered, or reconstructed” outcome standard with method enumeration (shred, burn, modify). The Social Security Number Privacy Act imposes a parallel destruction duty for SSN-bearing records. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Michigan state agencies follow DTMB SPP-138 Information Security policy.

Hard Drive Shredding

Michigan-resident PII on fixed media requires the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because MCL 445.61a’s personal-information-disposal prohibition reaches unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to MCL 445.72a and the SSN Privacy Act.

Michigan E-Waste, Hazardous Waste, and Environmental Compliance

The Michigan Electronic Waste Takeback Program at Part 173 of NREPA (MCL 324.17301 et seq., effective 2010) requires manufacturers of computers, monitors, printers, fax machines, and peripherals sold in Michigan to register annually with EGLE and provide free in-state collection programs for end-of-life devices. Enterprise IT asset retirement routes through the federal RCRA-delegated state hazardous-waste program at Part 111 of NREPA, administered by the Michigan Department of Environment, Great Lakes, and Energy (EGLE).

Enterprise / commercial equipment covered by the Michigan e-waste program: NO. Michigan Electronic Waste Takeback Program (MCL 324.17301 et seq., Part 173 NREPA) is manufacturer-funded for households; enterprise bulk disposal routes through Mich. Admin. Code R 299 hazardous-waste rules and Part 111 NREPA. Michigan is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through Mich. Admin. Code R 299; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules at R 299.11201 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under Part 111 of NREPA run up to $25,000 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, SSNs, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through Part 173 of NREPA manufacturer-takeback channels for covered devices, paired with NIST 800-88 Rev. 2 data sanitization.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Michigan enforcement is concentrated at the Michigan Attorney General (ITPA civil fines up to $250 per violation with a $750,000 aggregate cap; SSN Privacy Act civil and criminal penalties; MCPA civil penalties up to $25,000 per violation), EGLE (hazardous-waste violations under Part 111 of NREPA up to $25,000/day; Part 173 e-waste takeback registration enforcement), and federal regulators with concurrent jurisdiction. Michigan was a participant in the AG v. Equifax multistate $575M settlement. The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| MCL 445.72 (ITPA breach notice) | Civil fines up to $250 per violation; $750,000 aggregate | NO (AG-only) | Michigan AG |
| MCL 445.72a (records disposal) | UDAP carryover via MCPA | NO (DIFS enforcement) | Michigan AG |
| MCL 445.81 (SSN Privacy Act) | Civil and criminal penalties | NO (AG-only) | Michigan AG |
| MCL 445.901 (MCPA) | Up to $25,000 per violation | NO (AG-only) | Michigan AG |
| MCL 324.17301 (e-waste takeback) | Registration enforcement | NO (EGLE enforcement) | Michigan EGLE |
| MCL 324.11101 (hazardous waste) | Up to $25,000 per day per violation | NO (EGLE enforcement) | Michigan EGLE |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Michigan Attorney General and the Michigan environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Michigan Department of Insurance and Financial Services examines banks and credit unions for GLBA-aligned information-security-program controls. The Michigan Department of Insurance and Financial Services examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Michigan Department of Health and Human Services examines healthcare entities for HIPAA Security Rule compliance. The Michigan Department of Lifelong Education, Advancement, and Potential oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Michigan Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Michigan Attorney General Consumer Protection investigations under MCL 445.63 are built from the documentary record an enterprise can produce, and a Retired Electronic Asset without serialized destruction records is treated as a presumptive Identity Theft Protection Act disposal-duty failure.

How All Green Recycling Operationalizes Michigan Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Michigan’s statutory duty surface, including the ITPA breach-notice duty, the MCL 445.72a disposal outcome standard, the SSN Privacy Act destruction duty, and the Part 173 of NREPA e-waste takeback program. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through EGLE-authorized channels, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the MCL 445.72a “cannot be read, deciphered, or reconstructed” outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for the SSN Privacy Act.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through EGLE-authorized channels under the Michigan Electronic Waste Takeback Program at Part 173 of NREPA. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs (including those operating under the Part 173 of NREPA manufacturer-takeback framework), and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device (with SSN-destruction attestation where applicable), Certificate of Recycling, environmental disposition record cross-referenced to the Michigan Electronic Waste Takeback Program, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Michigan.

What is Michigan’s breach-notification deadline?

Notice to affected Michigan residents as soon as practicable and without unreasonable delay under MCL 445.72. Consumer reporting agency notice is required when the breach affects more than 1,000 Michigan residents.

Does Michigan enumerate disposal methods?

Yes. MCL 445.72a requires destruction of records containing personal information so they cannot be read, deciphered, or reconstructed; acceptable methods include shredding, burning, or modifying the information to make it unreadable. Certified data destruction satisfies the method-and-outcome standard.

Does Michigan have a separate Social Security Number statute?

Yes. The Social Security Number Privacy Act (MCL 445.81 et seq.) regulates use, display, and disclosure of SSNs and requires destruction so the SSN cannot be read or reconstructed. SSN-bearing media require hard drive shredding with SSN-specific attestation.

Does Michigan’s personal-information definition include biometric data?

No. The ITPA personal-information definition enumerates SSN, driver’s license, state ID, and account number plus access code. Biometric data is not enumerated, and Michigan has no separate biometric statute (HB 4148 introduced; not enacted).

Does Michigan have a state e-waste recycling program?

Yes. The Michigan Electronic Waste Takeback Program at Part 173 of NREPA (MCL 324.17301 et seq.), effective 2010, requires manufacturers of computers, monitors, printers, fax machines, and peripherals sold in Michigan to register annually with EGLE and provide free in-state collection programs.

Does Michigan have a comprehensive consumer privacy law?

Not as of 2025–2026. HB 4348 has been introduced but not enacted. Operative state-level regimes are ITPA, the records-disposal duty at MCL 445.72a, the SSN Privacy Act, and the MCPA.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. Part 111 of NREPA implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by R 299.11201. Civil penalties run up to $25,000 per day per violation.

Which media-sanitization standard does Michigan accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Michigan DTMB SPP-138 Information Security policy references NIST 800-88.

What is the maximum penalty for a Michigan privacy violation?

ITPA civil fines run up to $250 per violation with a $750,000 aggregate cap. MCPA civil penalties run up to $25,000 per violation. SSN Privacy Act violations carry civil and criminal penalties. The Michigan Attorney General is the enforcement authority.

What is All Green Recycling’s certification posture for Michigan enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or EGLE examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device (with SSN-destruction attestation where applicable), Certificate of Recycling, environmental disposition record (cross-referenced to the Michigan Electronic Waste Takeback Program), hazardous-waste manifest where applicable, and contracted-service safeguard terms.

How does Michigan’s Identity Theft Protection Act treat unencrypted-media loss?

Yes. Mich. Comp. Laws § 445.72 covers unauthorized access to and acquisition of personal information, which extends to physical loss of unencrypted media.

How does Michigan’s Identity Theft Protection Act treat encryption as breach-notice relief?

Yes. § 445.72 excludes encrypted data; § 445.72a imposes a destruction duty (shred, erase, modify); NIST SP 800-88 Revision 2 verified sanitization removes information from the breach trigger.

Michigan Compliance as Risk Management

Michigan IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered so personal information cannot be read, deciphered, or reconstructed before custody transfer, that SSNs were handled under the dedicated Social Security Number Privacy Act, that breach notice surfaced without unreasonable delay (with CRA notice when more than 1,000 Michigan residents were affected), that downstream processing routed through EGLE-authorized channels under the Part 173 of NREPA manufacturer-takeback program, and that hazardous fractions were handled under the universal-waste rules. ITPA per-violation civil fines (up to $250 with a $750,000 aggregate cap), MCPA per-violation civil penalties (up to $25,000), EGLE daily penalties (up to $25,000), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.

Michigan compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Michigan-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.