New Mexico’s Data Breach Notification Act at N.M. Stat. § 57-12C-1 enumerates biometric data inside the personal-information definition and requires destruction or redaction of any record carrying PII before it is discarded, making documented hardware end-of-life a statutory rather than discretionary process. Use the Enterprise Compliance Reference below as the New Mexico executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

| Compliance Topic | What New Mexico Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to affected New Mexico residents within 45 calendar days under NMSA § 57-12C-6. | New Mexico AG | Up to $25,000 plus $10 per failure to notify under § 57-12C-11 | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Disposal methods that render personal identifying information unreadable or undecipherable under NMSA § 57-12C-3. | New Mexico AG | Up to $25,000 under § 57-12C-11 | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Reasonable Security Procedures | Reasonable security procedures and practices appropriate to nature of personal identifying information under § 57-12C-4. | New Mexico AG | Up to $25,000 under § 57-12C-11 | Certified data destruction with safeguards attestation. |
| 4. Unfair Practices Act (NMUPA) | NMSA § 57-12-1 UDAP carryover applies to disposal and breach failures. | New Mexico AG; private parties | Up to $5,000 per violation; treble damages for willful violations | Certified data destruction with documented chain of custody. |
| 5. Hazardous Waste & CRT Handling | RCRA-delegated state program under NMAC 20.4.1; universal-waste rules at NMAC 20.4.2; CRT rules at 40 C.F.R. § 261.39. | NMED Hazardous Waste Bureau | Up to $25,000/day under NMSA § 74-4-10 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

New Mexico’s compliance regime spans (1) the Data Breach Notification Act at NMSA § 57-12C-1 et seq. (effective June 16, 2017; notice within 45 calendar days; biometric data was included in the personal-identifying-information definition from enactment), (2) the records-disposal duty at § 57-12C-3 (render personal identifying information unreadable or undecipherable), (3) the reasonable-security duty at § 57-12C-4, (4) the New Mexico Unfair Practices Act at NMSA § 57-12-1 (private right of action with treble damages for willful violations), and (5) the NMED hazardous-waste rules at NMAC 20.4.1.
New Mexico’s national-laboratory (Sandia, Los Alamos), military-base, and healthcare industries pull FAR 52.204-21, DFARS 252.204-7012, CMMC 2.0, HIPAA, GLBA, the FTC Safeguards Rule, and FACTA over most in-state enterprises, with N.M. Stat. § 57-12C-1 layered on top. A regulated enterprise must satisfy the stricter of (1) New Mexico statutes including § 57-12C-6 (45-day breach), § 57-12C-3 (disposal), § 57-12C-4 (safeguards), and § 57-12-1 (NMUPA), (2) federal sector rules including HIPAA Security Rule, FTC Disposal Rule, FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.
The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in New Mexico, whether New Mexico law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | New Mexico Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | exceeds | NMSA § 57-12C-6 imposes 45-calendar-day notification window (stricter than the federal floor) and § 57-12C-3 requires rendering personal identifying information unreadable or undecipherable with biometric data enumerated. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | New Mexico state hazardous-waste program implements RCRA Subtitle C at the federal floor. |

For federal contractors operating in New Mexico, the Defense Federal Acquisition Regulation Supplement at DFARS 252.204-7012, the Federal Acquisition Regulation at FAR 52.204-21, and the Cybersecurity Maturity Model Certification 2.0 program codified at 32 CFR Part 170 (effective December 16, 2024) impose media-sanitization, chain-of-custody, and incident-reporting duties that flow down through prime-contractor clauses. NIST SP 800-171 Revision 3 (final May 2024) is the operative control framework for covered defense information and controlled unclassified information; NIST SP 800-88 Revision 2 (operative September 26, 2025) is the operative sanitization standard for both DFARS and CMMC 2.0 audit defensibility.
NMSA § 57-12C-6 requires notice to affected New Mexico residents within 45 calendar days of discovery of a security breach. Personal identifying information includes name plus SSN, driver’s license, government-issued identification, financial-account information with access code, or biometric data such as fingerprint, voice print, iris or retina pattern, facial characteristics, or hand geometry. Notice to the New Mexico AG is required if more than 1,000 New Mexico residents are affected.
NMSA § 57-12C-3 requires entities to dispose of records containing personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information to make it unreadable or undecipherable.
NMSA § 57-12C-4 requires entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure.
New Mexico’s student-data privacy statute at NMSA § 22-21-1 et seq. regulates K-12 ed-tech operators and schools that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under New Mexico’s outcome standard and retain the destruction certificate.
New Mexico state agencies retire IT assets under New Mexico Department of Information Technology (NM DoIT) policy. The operative controls include the NM DoIT Information Security Policy, State Records and Archives requirements under NMSA § 14-3-15, and State Surplus Property Bureau requirements under NMSA § 13-6-1. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or subcontract to state agencies inherit these duties through contract flow-down. See NM DoIT policy guidance.
NMSA § 57-12C-3 prescribes the “unreadable or undecipherable” outcome standard via shredding, erasing, or modifying personal identifying information. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. New Mexico state agencies follow NM DoIT Security Policy.
New Mexico-resident PII on fixed media requires the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because N.M. Stat. § 57-12C-7’s disposal duty and § 57-12C-6’s 45-day notice clock both depend on whether the underlying data was actually rendered unusable. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.
Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.
Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).
Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.
Enterprise / commercial equipment covered by the New Mexico e-waste program: NO. New Mexico has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through the federal RCRA-delegated state hazardous-waste program at NMAC 20.4.1, administered by the NMED Hazardous Waste Bureau. New Mexico is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through NMAC 20.4.1; the state program operates at the federal floor unless explicitly more stringent.
Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules at NMAC 20.4.2 cover batteries, lamps, mercury-containing equipment, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Civil penalties run up to $25,000 per day per violation under NMSA § 74-4-10. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.
Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.
Certified laptop recycling and certified computer recycling route through R2v3-aligned channels combined with NIST 800-88 Rev. 2 data sanitization. Asset remarketing recovers residual value while preserving chain of custody.
Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint).
Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.
New Mexico enforcement is concentrated at the New Mexico Attorney General (Data Breach Notification Act § 57-12C-11 civil penalties up to $25,000 plus $10 per failure to notify; NMUPA § 57-12-1 UDAP up to $5,000 with treble damages for willful violations), NMED Hazardous Waste Bureau (NMAC 20.4.1 hazardous-waste violations up to $25,000/day under NMSA § 74-4-10), and federal regulators with concurrent jurisdiction.

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| § 57-12C-6 (breach notice) | Up to $25,000 plus $10 per failure to notify under § 57-12C-11 | NO (AG-only) | NM AG |
| § 57-12C-3 (records disposal) | Up to $25,000 under § 57-12C-11 | NO (AG-only) | NM AG |
| § 57-12C-4 (reasonable security) | Up to $25,000 under § 57-12C-11 | NO (AG-only) | NM AG |
| § 57-12-1 (NM Unfair Practices Act) | Up to $5,000 per willful violation; treble damages for willful violations | YES (treble damages) | NM AG; private parties |
| NMAC 20.4.1 (hazardous waste) | Up to $25,000 per day per violation under NMSA § 74-4-10 | NO (NMED enforcement) | NMED Hazardous Waste Bureau |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

In addition to the New Mexico Office of the Attorney General and the New Mexico Environment Department (NMED), state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The New Mexico Financial Institutions Division examines banks and credit unions for GLBA-aligned information-security-program controls. The New Mexico Office of Superintendent of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The New Mexico Department of Health examines healthcare entities for HIPAA Security Rule compliance. The New Mexico Higher Education Department oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The New Mexico Public Regulation Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.
New Mexico Attorney General Consumer Protection investigations under N.M. Stat. § 57-12-1 (Unfair Practices Act) are built from documentary evidence, and a Retired Electronic Asset without serialized destruction records is treated as a presumptive 57-12C-7 disposal-duty failure.
All Green Recycling operates certified IT asset disposition structured around New Mexico’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through New Mexico Environment Department (NMED)-authorized channels, and audit-ready reporting.
All Green Recycling’s secure data destruction service line is structured to satisfy New Mexico’s outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for sensitive data categories.
Certified electronics recycling routes retired electronic assets through New Mexico Environment Department (NMED)-authorized channels and R2v3-aligned recyclers. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.
Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.
Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.
Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.
The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in New Mexico.
Within 45 calendar days following discovery under NMSA § 57-12C-6. Notice to the New Mexico Attorney General is required if more than 1,000 NM residents are affected. The 45-day window is among the strictest in the U.S.
Yes. NMSA § 57-12C-3 requires shredding, erasing, or otherwise modifying personal identifying information to make it unreadable or undecipherable. Certified data destruction satisfies the method-and-outcome standard.
Yes. NMSA § 57-12C-2 enumerates biometric data including fingerprint, voice print, iris or retina pattern, facial characteristics, or hand geometry in the personal-identifying-information definition that triggers breach notification.
No. New Mexico has not enacted a comprehensive consumer data privacy act as of 2025. Disposal and breach duties operate through § 57-12C and the Unfair Practices Act.
Yes. The New Mexico Unfair Practices Act at § 57-12-10 provides a private right of action with treble damages for willful violations. The Data Breach Notification Act itself does not provide a direct private right of action.
No. New Mexico has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through NMED-authorized hazardous-waste channels and certified electronics recycling.
Yes. NMAC 20.4.1 implements federal RCRA with cradle-to-grave generator liability. NMED Hazardous Waste Bureau enforces civil penalties up to $25,000 per day per violation under NMSA § 74-4-10.
NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. NM DoIT Information Security Policy references NIST guidance.
DBNA civil penalties run up to $25,000 plus $10 per failure to notify under § 57-12C-11. The NMUPA provides private treble damages for willful violations. NMED hazardous-waste penalties under NMSA § 74-4-10 run up to $25,000 per day.
All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.
Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.
Yes. NMSA § 57-12C-2 defines breach as unauthorized acquisition of unencrypted computerized data or encrypted computerized data with the encryption key; physical loss of unencrypted media triggers the analysis.
Yes. § 57-12C-2 excludes encrypted data from the breach definition where the key is not also acquired. NIST SP 800-88 Revision 2 verified sanitization removes personal identifying information from the breach trigger.
New Mexico IT asset retirement is a layered risk-management discipline. The state’s 45-calendar-day breach-notification window under § 57-12C-6 is among the strictest in the U.S., and the New Mexico Unfair Practices Act at § 57-12-1 provides treble damages for willful violations. Compliant retirement proves that data was rendered unreadable or undecipherable before custody transfer, that breach notice was given within 45 days (with AG notice when 1,000+ residents are affected), and that hazardous fractions were handled under NMAC 20.4.1 universal-waste rules. DBNA penalties of $25,000 plus $10 per failure, NMUPA penalties of $5,000 per violation with private treble damages, NMED daily penalties (up to $25,000), the HIPAA federal overlay, the FTC Disposal and Safeguards Rules, and audit-driven counterparty review all converge on the same set of records.
New Mexico compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a New Mexico-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.