Texas IT Asset Disposition Compliance and Regulations

Retiring IT assets in Texas is a regulated event governed by the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, federal sector regimes, and the Texas Commission on Environmental Quality. State law imposes destruction, breach-notification, and manufacturer-recycling duties that survive hardware retirement. Federal regimes establish a baseline that Texas law extends. Enterprises operating in Texas carry continuing custody, documentation, and destruction obligations across the full asset lifecycle.

Texas Compliance Reality for Retired IT Assets

Texas treats retired data-bearing hardware as a continuing legal exposure, not a logistics problem. Statutory duties under Tex. Bus. & Comm. Code § 521.052, § 521.053, and § 72.004 attach to enterprises until destruction and lawful diversion are complete and documented.

The compliance posture required of Texas enterprises rests on three layered obligations. First, sensitive personal information of Texas residents must be safeguarded and disposed of through shredding, erasing, or other modification that renders the information unreadable or undecipherable under § 521.052 and § 72.004. Second, breaches affecting 250 or more Texans must be reported to the Texas Office of the Attorney General electronically within 30 days of discovery, with notice to affected individuals within 60 days. Third, the Texas Commission on Environmental Quality (TCEQ) administers manufacturer-funded recycling programs for computer equipment and televisions under Tex. Health & Safety Code Chapter 361.

Retiring IT assets in Texas therefore operates as a layered compliance event: data-disposal law, breach-notification law, and manufacturer-responsibility e-waste law each apply concurrently. Enterprises retain liability across that full chain. The controls below are enumerated for compliance leadership accountable for that liability.

State and Federal Compliance Interaction in Texas

Texas’s compliance regime layers directly on top of federal baselines for data security, financial information, healthcare, and hazardous waste. The state extends federal duties through a prescriptive disposal-method statute, a comprehensive consumer-data privacy framework effective July 1, 2024, and dedicated state enforcement authority through the Texas Office of the Attorney General.

Three federal regimes establish the floor that Texas law extends:

  • The HIPAA Security Rule at 45 CFR Part 164, governing electronic protected health information.
  • The FTC Safeguards Rule at 16 CFR Part 314, governing non-banking financial institutions under the Gramm-Leach-Bliley Act.
  • The FACTA Disposal Rule at 16 CFR § 682.3, governing any business that maintains consumer-report information.

Texas overlays each of these. The Texas Identity Theft Enforcement and Protection Act reaches any business that owns or licenses sensitive personal information of a Texas resident, with no revenue threshold. § 521.052 imposes a prescriptive disposal duty: shred, erase, or otherwise modify to make information unreadable or undecipherable. § 521.053 requires breach notice not later than the 60th day after determination, with concurrent AG notice within 30 days for breaches affecting 250 or more Texans. The Texas Data Privacy and Security Act, effective July 1, 2024, adds personal-data minimization, retention, and deletion duties.

Compliance with the federal regimes alone is not sufficient in Texas. An enterprise audited solely against HIPAA, GLBA, or FACTA without addressing Texas’s overlay carries unmitigated exposure under § 521.151 civil-penalty authority and TCEQ hazardous-waste enforcement.

Texas Data Security and Privacy Obligations

Texas imposes direct destruction, breach-notification, and recordkeeping duties on enterprises that retain sensitive personal information of Texas residents. Authority rests with the Texas Attorney General through ITEPA enforcement and the TDPSA. These duties extend to retired hardware and storage media until destruction is complete and documented.

Business Duty to Protect Sensitive Personal Information (§ 521.052)

Tex. Bus. & Comm. Code § 521.052 imposes two operative duties on a business that owns or licenses sensitive personal information of a Texas resident. First, the business must implement and maintain reasonable procedures, including taking corrective action when necessary, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. Second, when disposing of records containing sensitive personal information, the business must shred, erase, or otherwise modify the personal information to make the information unreadable or undecipherable.

For retired data-bearing media, this duty extends through transit, storage, sanitization, destruction, and final disposition. A program that loses chain-of-custody control between the production environment and the destruction event does not satisfy § 521.052. A business that contracts with a third-party disposal vendor remains accountable for the destruction outcome.

Disposal of Business Records (§ 72.004)

Tex. Bus. & Comm. Code § 72.004 parallels § 521.052 for the broader category of business records containing personal identifying information of a customer. The disposal duty is identical: shred, erase, or otherwise modify to make the information unreadable or undecipherable. The statute provides a safe harbor when the business contracts with a third party engaged in the business of records disposal and the third party complies with the destruction standard.

Breach Notification (§ 521.053)

Tex. Bus. & Comm. Code § 521.053 requires a person who conducts business in Texas and owns or licenses computerized data including sensitive personal information to disclose any breach of system security to affected individuals. Notice to affected individuals must be made without unreasonable delay and not later than the 60th day after the date the person determines the breach occurred. For breaches affecting 250 or more Texans, the Texas Attorney General Data Breach Reporting requirement applies: notice to the OAG must be submitted as soon as practicably possible and not later than 30 days after discovery of the breach. Effective September 1, 2023, all reports to the Texas AG must be submitted electronically using the OAG Data Breach Report form.

Loss of unencrypted storage media, including drives or arrays released into a non-compliant disposal channel, can constitute the unauthorized acquisition that triggers this duty.

Texas Data Privacy and Security Act (Chapter 541)

The Texas Data Privacy and Security Act, effective July 1, 2024, applies to companies that conduct business in Texas or produce a product or service consumed by Texas residents and that collect, use, store, sell, share, analyze, or process consumers’ personal data. The Act grants Texas residents rights including access, correction, deletion, and opt-out from the sale of personal data and from targeted advertising. Sensitive data carries heightened consent requirements. Small businesses are generally exempt, except that a small business must obtain consumer consent before selling sensitive personal data.

For retired hardware, the TDPSA reinforces the § 521.052 disposal duty: personal-data minimization, retention, and deletion require operational evidence that data has been destroyed when no longer subject to a documented retention basis. The Texas AG has exclusive enforcement authority and may impose civil penalties up to $7,500 per violation after a 30-day cure period.

Data Destruction and Media Sanitization Expectations Under Texas Law

Texas’s destruction expectations are anchored in § 521.052 and § 72.004 and operationalized through recognized technical standards. State authority prescribes the methods (shred, erase, or otherwise modify) and the outcome (unreadable or undecipherable). Technical implementation tracks federal media-sanitization standards.

Recognized Standards for Media Sanitization

The federal baseline standard cited in Texas audits and procurement specifications is NIST Special Publication 800-88 Revision 2, Guidelines for Media Sanitization, published by the National Institute of Standards and Technology on September 26, 2025. The revision supersedes SP 800-88 Rev. 1 (December 2014) and shifts emphasis from individual sanitization techniques to an enterprise media-sanitization program. SP 800-88r2 expands cryptographic-erase guidance, introduces logical sanitization for cloud and virtualized environments, and improves alignment with 16 CFR Part 314, NIST SP 800-53, and ISO/IEC 27040.

NIST SP 800-88r2 organizes sanitization into three categories. Clear applies logical techniques that protect data against simple non-invasive recovery. Purge applies physical or logical techniques that protect data against state-of-the-art laboratory recovery. Destroy renders the storage medium itself unusable through shredding, disintegration, pulverization, or incineration.

Defense, aerospace, and federal-contract environments operating in Texas (including Lockheed Martin in Fort Worth, Bell Helicopter in Hurst, NASA Johnson Space Center in Houston, and the broader Texas defense industrial base) reference 32 CFR Part 117, the National Industrial Security Program Operating Manual rule that replaced DoD 5220.22-M as the operative regulation in 2021. The DoD 5220.22-M overwrite specification remains in colloquial use as a legacy reference.

HIPAA Overlay for Healthcare-Adjacent Data

Healthcare-adjacent Texas enterprises (including the Texas Medical Center in Houston and academic medical systems in Dallas, San Antonio, and Austin) follow 45 CFR § 164.310(d)(2)(i) and (ii) for device and media controls covering disposal and reuse. The U.S. Department of Health and Human Services directs covered entities and business associates to NIST SP 800-88 for practical sanitization guidance and recognizes clearing, purging, and physical destruction as appropriate methods.

Defensible Destruction vs. Informal Disposal

The compliance distinction Texas audits draw is between defensible destruction and informal disposal. Defensible destruction produces a serialized record per asset, a documented method consistent with § 521.052, an attested operator, a witness or chain-of-custody record, and a Certificate of Destruction tied to the asset’s identifier. Informal disposal includes drive wipe without sector-level verification, scrap-yard transfer without certificates, and donation pipelines without documented sanitization. Only defensible destruction discharges the § 521.052 and § 72.004 duties.

Texas E-Waste and Environmental Compliance

Texas operates two manufacturer-funded recycling programs under Texas Health and Safety Code Chapter 361: the Texas Recycles Computers Program (Subchapter Y) and the Texas Television Equipment Recycling Program (Subchapter Z). Hazardous-waste-classified electronic components fall within TCEQ industrial and hazardous waste rules at 30 TAC Chapter 335 and federal RCRA Subtitle C.

Texas Recycles Computers Program

Texas Health and Safety Code Chapter 361, Subchapter Y, enacted by House Bill 2714 (80th Texas Legislature, 2007), establishes the manufacturer-responsibility framework for end-of-life computer equipment. Implementing rule 30 TAC § 328.137 requires that manufacturers offering to sell new computer equipment in or into Texas:

  • Offer consumers a free and convenient recycling program.
  • Submit a notification and recovery plan to the Texas Commission on Environmental Quality (TCEQ).
  • Submit an annual computer recycling report to TCEQ by January 31 each year, tracking weight collected, recycled, and reused.

Retailers may sell only computer equipment from manufacturers listed on the TCEQ list of computer equipment manufacturers.

Texas Television Equipment Recycling Program

Texas Health and Safety Code Chapter 361, Subchapter Z, parallels Subchapter Y for television equipment. Manufacturers must register and offer recycling. Retailers may sell only televisions from registered manufacturers.

Texas Industrial and Hazardous Waste Rules

TCEQ rules referenced at the e-recycling regulations page include:

  • 30 TAC Chapter 328 – Waste Minimization and Recycling.
  • 30 TAC Chapter 330 – Municipal Solid Waste.
  • 30 TAC Chapter 335 – Industrial Solid Waste and Municipal Hazardous Waste.

Used electronics may be classified as hazardous waste depending on how they are generated and managed. Mercury switches, circuit boards, batteries, computer monitors, televisions, laptops, and cellular phones can test “hazardous” under federal and state RCRA-equivalent regimes.

Federal RCRA Baseline

Federal regimes operate concurrently with the Texas framework:

Regulated Asset Types and Enterprise Scenarios in Texas

Texas’s compliance regime applies across the full enterprise asset stack. The same statutory and regulatory duties attach whether the retired equipment is one laptop or a multi-rack data-center decommission. Scale changes the magnitude of exposure, not the nature of the duty.

Asset-Type Mapping

| Asset Type | Primary Compliance Driver | Operational Control |
|---|---|---|
| Servers and storage arrays | § 521.052; HIPAA Security Rule; FTC Safeguards Rule | Purge or Destroy per NIST SP 800-88r2; chain-of-custody; serialized Certificate of Destruction |
| Endpoints and laptops | § 521.052; Texas Recycles Computers Program | Drive sanitization with sector-level verification or physical destruction; manufacturer-program-compliant recycling |
| Mobile devices and tablets | § 521.052; FACTA Disposal Rule | Cryptographic erase with verifiable key destruction; physical destruction for high-sensitivity classes |
| Networking equipment, switches, routers | § 521.052; configuration-data sensitivity | Configuration sanitization, firmware reset, controlled refurbishment, or destruction |
| CRT glass, mercury-containing displays | 30 TAC 335; 40 CFR Part 261, Subpart E | Routing through registered recycler under Subchapter Y/Z; CRT conditional-exclusion compliance |
| Medical, telecom, defense, and aerospace equipment | HIPAA; 32 CFR Part 117; ITAR/EAR | Witnessed or on-site destruction; serialized records |

A program that operationalizes IT asset disposition at scale must address each asset class with method-appropriate controls and produce a uniform documentation set across the portfolio.

Enterprise Scenarios

Three scenarios capture the most common Texas enterprise exposure profiles.

The first is data-center decommission. A multi-rack retirement event in Houston, Dallas-Fort Worth, Austin, San Antonio, the Permian Basin, or the North Texas data-center corridor combines high-volume hard-drive sanitization, networking-gear lifecycle disposition, and chassis recycling. Compliance evidence required across the engagement includes a serialized asset list, witnessed destruction logs, environmental routing records, and a consolidated Certificate of Destruction package addressed to the enterprise’s compliance and legal teams.

The second is cyclical hardware refresh. Quarterly or semi-annual endpoint refresh cycles produce continuous flows of laptops and mobile devices. Compliance discipline requires the same documentation rigor at each cycle, with no thresholds below which controls relax.

The third is post-acquisition or branch-closure asset retirement. Inherited or surplus inventory carries unknown-state data risk. Conservative compliance posture treats the inventory as data-bearing until verified otherwise, with destruction or certified sanitization preceding any reuse, resale, or donation.

Enforcement, Penalties, and Audit Risk in Texas

Texas’s enforcement posture is anchored in ITEPA civil-penalty authority, TDPSA enforcement, and TCEQ hazardous-waste enforcement. The Texas Office of the Attorney General operates a dedicated electronic Data Breach Report portal effective September 1, 2023.

Statutory Penalty Schedule

The Texas penalty schedule is set by Tex. Bus. & Comm. Code §§ 521.151–.153, Chapter 541, and Tex. Health & Safety Code § 361.224:

  • Up to $50,000 per violation under § 521.151 for failure to comply with breach notification of § 521.053.
  • $2,000 to $50,000 per violation under § 521.152 for failure to comply with § 521.052 reasonable-procedures and disposal duties.
  • $100 per individual per consecutive day under § 521.153 for failure to provide breach notice, capped at $250,000 per breach.
  • Up to $7,500 per violation under TDPSA § 541.155 after a 30-day cure period.
  • $50 to $25,000 per day per violation under Tex. Health & Safety Code § 361.224 for unlawful solid- and hazardous-waste disposal.
  • Concurrent federal exposure under HIPAA, FTC Safeguards Rule, and FACTA Disposal Rule penalty regimes.

Recent Enforcement Activity

| Date | Action | Resolution |
|---|---|---|
| 2024–2025 | TDPSA enforcement against TP-Link, Alibaba, CapCut, and other Chinese-affiliated companies | Texas AG action under TDPSA |
| October 2024 | Marriott International multistate settlement | 50-AG settlement, $52 million for multi-year breach of Starwood guest-reservation database |
| October 2023 | Blackbaud multistate settlement | 49-AG settlement, $49.5 million for 2020 ransomware breach |
| July 2019 | Equifax multistate settlement | 50-AG settlement, $600 million, the largest data-breach enforcement action in U.S. history at the time |

Audit Risk Posture

Texas enterprises face audit-driven risk on three vectors: regulator-initiated investigation (Texas AG, TCEQ, federal sectoral regulators), insurance and reinsurance review, and customer or counterparty due diligence. Each vector requires the same evidence: serialized destruction records, certified sanitization attestations, environmental disposition documentation, and contractual safeguard terms with downstream service providers.

Documentation, Chain of Custody, and Audit-Ready Proof

Texas audits and enforcement actions turn on documentation. The substance of compliance lives in the records that an enterprise can produce on request: who held the asset, when, in what condition, and how it was destroyed or diverted. A program that satisfies Texas requirements produces those records as a default operating output, not an after-the-fact reconstruction.

Required Documentation Set

A defensible Texas IT asset disposition program produces the following documentation set per engagement:

  • Serialized asset list. Every asset is captured by manufacturer, model, serial number, and (for data-bearing media) media type and capacity.
  • Chain-of-custody record. Continuous record from collection through destruction, with timestamps, transfers, transport identifiers, and operator names at each handoff.
  • Certificate of Data Destruction. Per asset or per batch, with destruction method consistent with § 521.052, equipment used, operator, witness, and destruction date, traceable to the serialized list.
  • Certificate of Recycling and environmental disposition record. Per handler chain, documenting the route from collection through final disposition for compliance with Tex. Health & Safety Code Chapter 361 and 30 TAC 335.
  • Audit log and exception record. Complete record of any deviations from the documented chain-of-custody or destruction protocol, with disposition.

Chain-of-Custody Standard

Chain-of-custody records satisfy Texas audit expectations when they are continuous, tamper-evident, and time-stamped. Continuous means no time gap exists in which the asset’s location and custody are unknown. Tamper-evident means the record itself is protected against alteration. Time-stamped means each handoff is anchored to a verifiable system clock.

Sealed transport with tamper-evident containers and access-controlled handoffs supports the continuity standard. Real-time tracking systems support the time-stamping standard. Internal access-control logs support the tamper-evidence standard.
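The sketch below is an added example, not code from All Green Recycling or any statute: it shows one way to check a custody log against the three properties above, using a SHA-256 hash chain for tamper evidence and reconciling the log against the serialized asset list. The record fields, custodian names, serial numbers, and timestamps are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64
FIELDS = ("serial", "ts", "released_by", "received_by", "action")
ASSETS = ["SN-CONSTRUCTED-001", "SN-CONSTRUCTED-002"]  # constructed serialized asset list


def _digest(body, prev_hash):
    # Each record's hash covers its own fields plus the previous record's hash.
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log, serial, ts, released_by, received_by, action):
    body = dict(zip(FIELDS, (serial, ts, released_by, received_by, action)))
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev_hash": prev_hash, "hash": _digest(body, prev_hash)})


def verify_log(log, asset_list):
    """Return a list of findings; an empty list means the log passed every check."""
    findings, prev_hash, last, destroyed = [], GENESIS, {}, set()
    for i, ev in enumerate(log):
        body = {k: ev[k] for k in FIELDS}
        # Tamper evidence: stored hash must match a recomputation over the chain.
        if ev["prev_hash"] != prev_hash or ev["hash"] != _digest(body, prev_hash):
            findings.append(f"entry {i}: hash chain broken (record altered or reordered)")
        prev_hash = ev["hash"]
        serial, ts = ev["serial"], datetime.fromisoformat(ev["ts"])
        if serial not in asset_list:
            findings.append(f"entry {i}: {serial} is not on the serialized asset list")
        if serial in destroyed:
            findings.append(f"entry {i}: {serial} has activity after destruction")
        if serial in last:
            holder, prev_ts = last[serial]
            # Continuity: the releasing party must be whoever last received the asset.
            if ev["released_by"] != holder:
                findings.append(f"entry {i}: {serial} custody gap, last held by {holder} "
                                f"but released by {ev['released_by']}")
            if ts < prev_ts:
                findings.append(f"entry {i}: {serial} timestamp precedes prior handoff")
        last[serial] = (ev["received_by"], ts)
        if ev["action"] == "destroyed":
            destroyed.add(serial)
    # Reconciliation: the hash chain cannot reveal records trimmed from the end,
    # so every listed asset must also reach a destruction event.
    for serial in sorted(set(asset_list) - destroyed):
        findings.append(f"{serial}: no destruction event on record")
    return findings


def build_sample_log():
    # Constructed handoffs: collection, transfer to the operator, destruction.
    steps = [("09:00", "Client IT", "Driver A", "collected"),
             ("13:00", "Driver A", "Shred Operator", "transferred"),
             ("15:00", "Shred Operator", "Shred Operator", "destroyed")]
    log = []
    for hhmm, src, dst, action in steps:
        for serial in ASSETS:
            append_event(log, serial, f"2025-03-03T{hhmm}:00+00:00", src, dst, action)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("clean log:", verify_log(log, ASSETS))
    log[3]["received_by"] = "Unknown Reseller"  # after-the-fact edit to one record
    for finding in verify_log(log, ASSETS):
        print("finding:", finding)
```

A hash chain only exposes edits if the most recent hash is also held somewhere the party maintaining the log cannot rewrite, such as the enterprise's own compliance file.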

Evidence Regulators and Auditors Expect

Enterprise compliance teams asked to produce IT-asset-retirement evidence in a Texas AG inquiry, a TCEQ inspection, an insurance-renewal review, or a customer due-diligence response are routinely asked for: a sample serialized destruction record, a sample chain-of-custody log, a representative Certificate of Destruction, the destruction-method specification consistent with § 521.052 and § 72.004, the operator and witness identities, the environmental disposition record, and the contract or service-level agreement under which the disposition was performed. A program that cannot produce this packet in a single retrieval is operating below the Texas enterprise standard.

How All Green Recycling Operationalizes Texas Compliance

All Green Recycling, LLC operates as compliance infrastructure for Texas enterprises retiring IT assets, not as a recycler bidding for tonnage. The control set described below maps directly to the statutory and regulatory duties enumerated above. Each control is a measurable operating output, traceable to a serialized asset.

IT Asset Disposition

All Green Recycling’s IT asset disposition program provides comprehensive management of retired IT assets with secure removal, refurbishment, redeployment, resale, and remarketing under chain-of-custody control. Every asset is captured on a serialized list at collection. Data-bearing assets are sanitized or destroyed before any reuse decision is made. Asset value recovery is structured to maximize ROI without compromising data security or § 521.052 destruction obligations.

Secure Data Destruction

Secure data destruction is operationalized as the enterprise expression of the § 521.052, § 72.004, and TDPSA disposal duties. The destruction program is aligned to NIST SP 800-88r2 Clear, Purge, and Destroy categories, with cryptographic erasure, sector-level verification, degaussing, shredding, and pulverization available as method choices. Destruction is documented per asset, with witnessed destruction available for high-sensitivity assets and on-site destruction available where transit risk is unacceptable.

Electronics Recycling

Electronics recycling under All Green Recycling’s program routes covered electronic devices through a documented handler chain compliant with the Texas Recycles Computers Program, the Texas Television Equipment Recycling Program, and 30 TAC 335 hazardous-waste regulations. Hazardous-waste-classified components are routed through a permitted handler chain. The downstream chain is documented for the enterprise’s environmental-compliance file.

Operating Standards Alignment

All Green Recycling, LLC maintains operational alignment to:

  • ISO 14001 (Environmental Management System) – certified
  • ISO 45001 / OHSAS 18001 (Occupational Health and Safety) – certified
  • HIPAA alignment for healthcare-data destruction
  • NIST SP 800-88 alignment for media sanitization
  • DoD 5220.22-M alignment for legacy overwrite specifications
  • GDPR alignment for cross-border data-handling considerations

The R2v3 Standard, NAID AAA, e-Stewards, and ISO 27001 are referenced in this document only as recognized industry frameworks. All Green Recycling, LLC does not claim certification under those programs.

Documentation Output

Every Texas engagement produces a serialized asset list, chain-of-custody record, Certificate of Data Destruction, Certificate of Recycling, and environmental disposition record, packaged for the enterprise’s compliance file.

Compliance as Risk Management

Texas IT asset disposition compliance is risk management. Each statutory duty enumerated above corresponds to a specific enterprise exposure: § 521.052 to data-disposal exposure, § 72.004 to records-disposal exposure, § 521.053 to breach-notification exposure, the TDPSA to consumer-data exposure, the Texas Recycles Computers Program to manufacturer-recycling exposure, and the federal regimes to sectoral exposure layered over the state baseline. A program that satisfies these duties does so as a permanent operating output: serialized records, witnessed destruction where required, documented chain-of-custody, environmental disposition records, and a single retrievable evidence packet per engagement.

All Green Recycling operates as compliance infrastructure for Texas enterprises retiring IT assets. Engagements are structured to produce evidence that satisfies a Texas AG inquiry, a TCEQ inspection, a HIPAA audit, a GLBA examination, a board-level compliance review, and an insurance-renewal review from a single documentation set. Enterprise compliance, legal, and security leadership in Texas coordinate engagements through (800) 780-0347 or the allgreenrecycling.com intake channel.