New Hampshire IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

New Hampshire enacted the New Hampshire Data Privacy Act (effective January 1, 2025) on top of an existing N.H. Rev. Stat. § 359-C:19 to 21 breach-notification regime, and the state’s electronics-recycling EPR program governs the physical disposition of every retired device after data destruction is complete. Use the Enterprise Compliance Reference below as the New Hampshire executive briefing; the sections that follow walk through every duty, regulator, and penalty band with statute citations and recent enforcement context.

New Hampshire Enterprise Compliance Reference

| Compliance Topic | What New Hampshire Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Breach Notification | Notice to affected New Hampshire residents and the New Hampshire AG under RSA 359-C:20. | New Hampshire AG Consumer Protection & Antitrust Bureau | Up to $10,000 per violation under RSA 358-A:4 | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Render personal information unreadable or unusable under RSA 359-C:20. | New Hampshire AG | Consumer Protection Act (RSA 358-A) carryover | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Insurance Data Security Act | Written information security program; annual board certification; incident notification under RSA 420-P. | NH Insurance Department | Up to $2,500 per violation under RSA 400-A:15 | Certified data destruction with insurance-licensee attestation. |
| 4. Consumer Protection Act (RSA 358-A) | UDAP carryover applies to disposal and breach failures. Private right of action with double or treble damages. | New Hampshire AG; private parties | Up to $10,000 per violation; double / treble damages | Certified data destruction with documented chain of custody. |
| 5. Hazardous Waste & CRT Handling | RCRA-delegated state program under Env-Hw 100-1100; universal-waste rules at Env-Hw 1102; CRT rules at 40 C.F.R. § 261.39. | NHDES | Up to $50,000/day under RSA 147-A:17 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

New Hampshire Compliance Reality

New Hampshire’s compliance regime spans (1) the Notice of Security Breach Act at RSA 359-C:19-21 (notice to affected residents as quickly as possible and to the New Hampshire AG; private right of action under RSA 358-A; broad personal-information definition), (2) the records-disposal duty at RSA 359-C:20 (render personal information unreadable or unusable), (3) the New Hampshire Insurance Data Security Act at RSA 420-P (effective January 1, 2020; adopted NAIC Insurance Data Security Model Law), (4) the Consumer Protection Act at RSA 358-A (private right of action with double or treble damages), and (5) the NHDES hazardous-waste rules at Env-Hw 100-1100.

New Hampshire and Federal Compliance Interaction

New Hampshire’s manufacturing, banking, and healthcare industries operate against HIPAA, GLBA, the FTC Safeguards Rule, FACTA, FAR 52.204-21, and DFARS 252.204-7012 federal regimes, with NHDPA and N.H. Rev. Stat. § 359-C layered on top as a state controller-and-notification overlay. A regulated enterprise must satisfy the stricter of (1) New Hampshire statutes including RSA 359-C:20 (breach and disposal), RSA 420-P (Insurance Data Security Act), and RSA 358-A (Consumer Protection Act with private right of action), (2) federal sector rules including HIPAA Security Rule, FTC Disposal Rule, FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.

New Hampshire Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in New Hampshire, whether New Hampshire law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | New Hampshire Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | exceeds | RSA 420-P Insurance Data Security Act imposes written information security program with annual board certification on insurance licensees. |
| FACTA Disposal Rule (16 CFR § 682.3) | exceeds | RSA 358-A Consumer Protection Act provides a private right of action with double or treble damages for unfair or deceptive acts that include disposal failures. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | New Hampshire state hazardous-waste program implements RCRA Subtitle C at the federal floor. |

For federal contractors operating in New Hampshire, the Defense Federal Acquisition Regulation Supplement at DFARS 252.204-7012, the Federal Acquisition Regulation at FAR 52.204-21, and the Cybersecurity Maturity Model Certification 2.0 program codified at 32 CFR Part 170 (effective December 16, 2024) impose media-sanitization, chain-of-custody, and incident-reporting duties that flow down through prime-contractor clauses. NIST SP 800-171 Revision 3 (final May 2024) is the operative control framework for covered defense information and controlled unclassified information; NIST SP 800-88 Revision 2 (operative September 26, 2025) is the operative sanitization standard for both DFARS and CMMC 2.0 audit defensibility.

New Hampshire Data Security, Privacy, and Disposal Obligations

RSA 359-C:19-21 — Breach Notification

RSA 359-C:20 requires notice to affected New Hampshire residents as quickly as possible and to the New Hampshire Attorney General Consumer Protection & Antitrust Bureau. Personal information is defined broadly to include name plus SSN, driver’s license, financial-account, or other identifiers.

RSA 359-C:20 — Records Disposal

RSA 359-C:20 requires entities to render personal information unreadable or unusable when records are no longer retained. Disposal failures are actionable through the Consumer Protection Act at RSA 358-A.

Consumer Protection Act — RSA 358-A

New Hampshire’s Consumer Protection Act at RSA 358-A provides a private right of action with double or treble damages for unfair or deceptive acts. Civil penalties run up to $10,000 per violation under RSA 358-A:4.

New Hampshire Insurance Data Security Act (NAIC Insurance Data Security Adoption)

New Hampshire has adopted the NAIC Insurance Data Security Model Law at RSA 420-P (effective January 1, 2020). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

New Hampshire Student Online Personal Information Privacy Act (Student-Data Privacy)

New Hampshire’s student-data privacy statute at RSA 189:65 to 189:68-a regulates K-12 ed-tech operators and schools that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under New Hampshire’s outcome standard and retain the destruction certificate.

New Hampshire Public-Sector IT Disposal Posture

New Hampshire state agencies retire IT assets under New Hampshire Department of Information Technology (NH DoIT) policy. The operative controls include the NH DoIT Security Policy, the State Records Retention Schedule under RSA 5:38, and Surplus Property Division procedures under RSA 21-I:14. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See NH DoIT policy guidance.

Data Destruction and Media Sanitization Expectations

RSA 359-C:20 prescribes the “unreadable or unusable” outcome standard. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. New Hampshire state agencies follow NH DoIT Security Policy.

Hard Drive Shredding

New Hampshire-resident PII on fixed media must reach the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because N.H. Rev. Stat. § 359-C:19’s breach trigger reaches unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.

New Hampshire E-Waste, Hazardous Waste, and Environmental Compliance

New Hampshire has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through the federal RCRA-delegated state hazardous-waste program at Env-Hw 100-1100, administered by NHDES.

Enterprise / commercial equipment covered by the New Hampshire e-waste program: NO. New Hampshire is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through Env-Hw 100-1100; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules at Env-Hw 1102 cover batteries, lamps, mercury-containing equipment, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Civil penalties run up to $50,000 per day per violation under RSA 147-A:17. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through R2v3-aligned channels combined with NIST 800-88 Rev. 2 data sanitization. Asset remarketing recovers residual value while preserving chain of custody.

Mobile Devices and Biometric Sensors

Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint).

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

New Hampshire enforcement is concentrated at the New Hampshire AG Consumer Protection & Antitrust Bureau (RSA 359-C:20 breach and disposal; RSA 358-A CPA up to $10,000 per violation with private right of action and double / treble damages), the New Hampshire Insurance Department (RSA 420-P up to $2,500 per violation under RSA 400-A:15), NHDES (Env-Hw 100-1100 hazardous-waste violations up to $50,000/day under RSA 147-A:17), and federal regulators with concurrent jurisdiction.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| RSA 359-C:20 (breach + disposal) | CPA carryover up to $10,000 per violation | YES (via RSA 358-A:10 private action with double / treble damages) | NH AG; private parties |
| RSA 358-A (Consumer Protection Act) | Up to $10,000 per violation; double / treble damages | YES (private right of action with double / treble damages) | NH AG; private parties |
| RSA 420-P (Insurance Data Security Act) | Up to $2,500 per violation under RSA 400-A:15 | NO (NH Insurance Commissioner only) | NH Insurance Department |
| Env-Hw 100-1100 (hazardous waste) | Up to $50,000 per day per violation under RSA 147-A:17 | NO (NHDES enforcement) | NHDES |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the New Hampshire Department of Justice (NH AG) and the New Hampshire Department of Environmental Services (NHDES), state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The New Hampshire Banking Department examines banks and credit unions for GLBA-aligned information-security-program controls. The New Hampshire Insurance Department examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The New Hampshire Department of Health and Human Services examines healthcare entities for HIPAA Security Rule compliance. The New Hampshire Department of Education Bureau of Postsecondary Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The New Hampshire Public Utilities Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

New Hampshire Attorney General Consumer Protection and Antitrust Bureau enforcement under N.H. Rev. Stat. § 358-A is built from documentary evidence, and a Retired Electronic Asset without serialized destruction records is treated as a presumptive 359-C:19 notification-trigger event.

How All Green Recycling Operationalizes New Hampshire Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around New Hampshire’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through New Hampshire Department of Environmental Services (NHDES)-authorized channels, and audit-ready reporting.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy New Hampshire’s outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for sensitive data categories.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through New Hampshire Department of Environmental Services (NHDES)-authorized channels and R2v3-aligned recyclers. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in New Hampshire.

What is New Hampshire’s breach-notification deadline?

As quickly as possible following discovery under RSA 359-C:20. Notice to the New Hampshire Attorney General Consumer Protection & Antitrust Bureau is required.

Does New Hampshire enumerate disposal methods?

RSA 359-C:20 requires entities to render personal information unreadable or unusable. Certified data destruction satisfies the outcome standard.

Does New Hampshire have a private right of action for data violations?

Yes. The Consumer Protection Act at RSA 358-A:10 provides a private right of action with double or treble damages for willful or knowing violations. Disposal and breach failures are actionable as unfair or deceptive acts.

Does New Hampshire have a comprehensive consumer privacy law?

No. New Hampshire has not enacted a comprehensive consumer data privacy act. Disposal and breach duties operate through RSA 359-C:20 and the Consumer Protection Act at RSA 358-A.

Has New Hampshire adopted the NAIC Insurance Data Security Model Law?

Yes. The New Hampshire Insurance Data Security Act at RSA 420-P, effective January 1, 2020, adopts the NAIC model. Insurance licensees must maintain a written information security program with annual board certification.

Does New Hampshire have a state e-waste recycling program?

No. New Hampshire has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through NHDES-authorized hazardous-waste channels and certified electronics recycling.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. Env-Hw 100-1100 implements federal RCRA with cradle-to-grave generator liability. NHDES enforces civil penalties up to $50,000 per day per violation under RSA 147-A:17.

Which media-sanitization standard does New Hampshire accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. NH DoIT Security Policy references NIST guidance.

What is the maximum penalty for a New Hampshire privacy violation?

Consumer Protection Act civil penalties run up to $10,000 per violation under RSA 358-A:4, with double / treble damages available to private plaintiffs under RSA 358-A:10. Insurance Department penalties under RSA 400-A:15 run up to $2,500 per violation.

What is All Green Recycling’s certification posture for New Hampshire enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or NHDES examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.

Under New Hampshire RSA 359-C:20, is losing unencrypted hardware a security breach?

Yes. RSA 359-C:19 defines breach as unauthorized acquisition of computerized data including physical loss of unencrypted media.

Under New Hampshire RSA 359-C:20, what is the encryption / sanitization safe harbor?

Yes. RSA 359-C:19 excludes encrypted data from the breach definition where the key is not also acquired. NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

New Hampshire Compliance as Risk Management

New Hampshire IT asset retirement is a layered risk-management discipline. New Hampshire is one of the small set of states where the Consumer Protection Act at RSA 358-A:10 provides a meaningful private right of action with double or treble damages for unfair or deceptive acts that include disposal failures. Compliant retirement proves data was rendered unreadable or unusable before custody transfer, breach notice surfaced as quickly as possible (with AG notice), insurance-licensee nonpublic information was handled under RSA 420-P controls, and hazardous fractions were handled under Env-Hw 1102 universal-waste rules. CPA $10,000 per-violation penalties with private double / treble damages, NHDES daily penalties (up to $50,000), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.

New Hampshire compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a New Hampshire-specific audit walkthrough or an RFP-ready compliance package can reach the All Green Recycling response desk at (800) 780-0347.