Texas IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Q: Which certifications does All Green Recycling hold, and which standards does All Green Recycling reference as framework alignment?

All Green Recycling holds ISO 14001:2015 (environmental management) and ISO 45001:2018 (occupational health and safety) certifications. R2v3, NAID AAA, and e-Stewards are referenced as framework alignment rather than held certifications; alignment to HIPAA, GLBA, FTC Safeguards, NIST SP 800-88 Rev. 2, FAR 52.204-21, and DFARS 252.204-7012 is documented through operating procedure rather than a single attestation. Current certifications and registrations actually held are confirmed in writing on request to compliance leadership.

Texas governs IT asset retirement through one of the broadest layered duty surfaces in the United States, spanning the Texas Business and Commerce Code’s safeguard and disposal duties, the Texas Data Privacy and Security Act, the Capture or Use of Biometric Identifier statute, and a TCEQ-administered manufacturer-takeback recycling program. Tex. BCC Section 521.052 imposes safeguarding and disposal duties on sensitive personal information that survive hardware retirement, Tex. BCC Section 72.004 carries up to $500 per record disposed in violation, the TDPSA at Tex. BCC Ch. 541 extends controller and processor obligations with $2,000–$50,000 per violation and up to $250,000 per breach, Tex. BCC Section 503.001 (CUBI) regulates biometric identifier capture and destruction, the Texas Computer Equipment Recycling Program at HSC Ch. 361 Subch. Y imposes manufacturer takeback, and the TCEQ hazardous-waste rules at 30 TAC Ch. 335 cover end-of-life electronics, layered over a federal baseline of HIPAA, the FTC Safeguards Rule, GLBA, RCRA Subtitle C, FAR 52.204-21, and DFARS 252.204-7012.

The Enterprise Compliance Reference below delivers the executive briefing for IT Asset Disposition, secure data destruction, and certified electronics recycling in Texas; the sections that follow expand every statute, regulator, and penalty band with cited authority.

Texas Enterprise Compliance Reference

Compliance Topic	What Texas Requires	Who Enforces	Penalty Band	What All Green Recycling Provides
1. Data Security & Privacy	Reasonable safeguarding of sensitive personal information under Tex. Bus. & Comm. Code § 521.052 and consumer-data duties under the Texas Data Privacy and Security Act (Chapter 541).	Texas Attorney General	$2,000–$50,000 per violation; up to $250,000 per breach	Certified data destruction executed before media leaves enterprise custody.
2. Data Disposal (Records)	Shred, erase, or modify records containing sensitive personal information so the data is unreadable under § 521.052(b) and Tex. Bus. & Comm. Code § 72.004.	Texas Attorney General	$500 per record disposed in violation under § 72.004(c)	Audit-ready ITAD with a serialized Certificate of Data Destruction per asset.
3. Data Destruction Standards	Alignment to NIST SP 800-88 Rev. 2 Clear / Purge / Destroy categories and 32 CFR Part 117 (NISPOM) for federal contractors.	Texas DIR Security Control Standards plus NIST baseline	Audit finding and breach-liability exposure	Secure data destruction across shredding, degaussing, crushing, and certified erasure.
4. E-Waste Recycling	Manufacturer takeback under the Texas Computer Equipment Recycling Program (HSC Ch. 361 Subch. Y) and hazardous-waste routing under 30 TAC Chapter 335.	Texas Commission on Environmental Quality (TCEQ)	$50–$25,000 per day per violation under HSC § 361.224	Certified electronics recycling with zero-landfill routing through registered Texas processors.
5. Federal Overlay	HIPAA Security Rule (45 CFR Part 164 Subpart C), FTC Safeguards Rule (16 CFR Part 314), FACTA Disposal Rule (16 CFR § 682.3), RCRA Subtitle C.	HHS-OCR, FTC, and EPA	HIPAA tiered to $1.9M annual cap; FTC consent orders; EPA day-per-violation	ITAD program operating across HIPAA, GLBA, RCRA, and federal-contractor environments.
6. Enforcement & Audit Posture	AG identity-theft enforcement under Tex. BCC Chapter 521, TDPSA enforcement (post-cure) under Chapter 541, and TCEQ enforcement decisions on hazardous-waste and recycling.	Texas Attorney General and TCEQ	Recent multistate settlements $52M–$600M; TCEQ agreed orders $5K–$250K+	IT asset disposition operations with documentation structured for AG and TCEQ examinations.

Texas Compliance Reality

Texas IT Asset Disposition programs operate under overlapping state privacy, data-destruction, and environmental statutes that survive past production deployment and bear on every end-of-life event. Texas Business & Commerce Code § 521.052 sets safeguarding and disposal duties that survive hardware retirement, while the Texas Data Privacy and Security Act extends those duties across the full data lifecycle. Federal regimes including HIPAA, the FTC Safeguards Rule, and RCRA establish a baseline that Texas law extends, not replaces. Enterprises operating in Texas carry continuing custody, documentation, and destruction obligations across every asset that leaves the production environment.

Texas and Federal Compliance Interaction

Texas operates one of the largest federal-contractor, healthcare, and energy economies in the country, and HIPAA, GLBA, the FTC Safeguards Rule, FACTA, RCRA, FAR 52.204-21, DFARS 252.204-7012, and CMMC 2.0 cover most in-state enterprises, with TDPSA, CUBI, and Tex. BCC § 521 layered on top. The Texas Office of the Attorney General enforces statutory duties under the Identity Theft Enforcement and Protection Act, and the TCEQ enforces environmental and Certified Electronics Recycling duties. The federal baseline applies regardless of state alignment, and audit defensibility for a Retired Electronic Asset depends on satisfying both layers as a single posture.

Texas Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Texas, whether Texas law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

Federal Regime	Texas Posture	Stricter Element (if any)
HIPAA Security Rule (45 CFR Part 164 Subpart C)	Texas exceeds	Texas Medical Records Privacy Act (Tex. HSC Ch. 181) extends covered-entity definition beyond HIPAA to any entity assembling, analyzing, or transmitting PHI.
GLBA / FTC Safeguards Rule (16 CFR Part 314)	Texas exceeds	Texas Insurance Data Security Act (Tex. Ins. Code Ch. 559) imposes a written information security program with annual board certification.
FACTA Disposal Rule (16 CFR § 682.3)	Texas exceeds	Tex. BCC § 521.052 imposes section-specific reasonable procedures with a $500-per-record disposal penalty.
DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170)	equals	Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down.
RCRA Subtitle C (40 CFR Parts 260-279)	equals	30 TAC 335 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor.

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Texas must satisfy CMMC 2.0 in addition to Texas state law.

The Layered Compliance Model

A defensible Texas IT asset retirement program satisfies state and federal duties as a single posture, not as parallel checklists. The state duties apply at the moment of disposal; the federal duties apply during the entire retention lifecycle that precedes it.

Layer	Source	Operative Texas Effect
Federal baseline	HIPAA Security Rule, FTC Safeguards Rule, FACTA Disposal Rule, RCRA Subtitle C, NISPOM	Establishes minimum safeguarding, breach-notification, and disposal duties applicable in every jurisdiction.
Texas state overlay	Tex. BCC §§ 521.052–.053, Tex. BCC § 72.004, TDPSA (Ch. 541), Tex. Health & Safety Code Ch. 361	Adds reasonable-procedures duty, 60-day breach notification, $500-per-record disposal penalty, manufacturer-takeback recycling regime, and TCEQ hazardous-waste handler controls.
Sectoral overlay	HIPAA for healthcare; GLBA / Texas Department of Banking for financial services; NISPOM / ITAR / EAR / CMMC for defense and aerospace	Adds entity-specific safeguarding, audit, and disposition duties on top of state and federal baselines.

State compliance alone is insufficient when the enterprise is also a HIPAA covered entity, a GLBA-regulated financial institution, or a federally cleared defense contractor. A program designed to the federal-plus-state union satisfies every applicable regime.

Texas Data Security, Privacy, and Disposal Obligations

Texas data-security and data-disposal obligations attach to any enterprise that owns or licenses sensitive personal information, protected health information, biometric identifiers, or regulated records of a Texas resident. The duty to safeguard and to render unreadable extends from active use through end-of-life retirement of the media on which the data resides, and the resulting compliance obligation travels with every Retired Electronic Asset as it moves through Secure Data Destruction or IT Asset Disposition. The Texas Office of the Attorney General has exclusive enforcement authority across the Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Medical Records Privacy Act, the Capture or Use of Biometric Identifier Act, and the Texas Data Broker Law.

Sensitive Personal Information and the Reasonable-Procedures Duty

Tex. BCC § 521.052(a) requires every business that owns or licenses sensitive personal information of a Texas resident to implement and maintain reasonable procedures to protect that information from unlawful use or disclosure. The duty applies to data at rest on retired drives, in storage media held for disposition, and in transit to a destruction or recycling vendor.

Reasonable procedures must include corrective action when controls fail. Documented chain-of-custody continuity, sealed-transport controls, and serialized destruction records are the evidence regulators expect during examination.

Data Disposal Duty (Records)

Texas codifies the records-disposal duty in two complementary statutes. Both require an outcome of “unreadable or undecipherable,” but neither prescribes a specific technical method. Defensibility derives from alignment to a recognized destruction standard (see Section 4) and from documented sanitization of the underlying media.

Statute	Scope	Duty
Tex. BCC § 521.052(b)	Sensitive personal information of a Texas resident	Modify by shredding, erasing, or other means so the information is unreadable or undecipherable when the record is disposed.
Tex. BCC § 72.004	Personal identifying information of a customer	Same outcome standard; safe harbor for use of a certified third-party records-destruction service under § 72.004(b).

The § 72.004(b) safe harbor is the statutory basis for engaging a documented third-party destruction service. The safe harbor is conditioned on contracting with a third party “engaged in the business of disposal of business records” and on that third party complying with the disposal duty.

Breach Notification Window

Tex. BCC § 521.053 requires notice to affected individuals no later than 60 days after the business determines the breach occurred. The Texas Attorney General Data Breach Reporting portal must receive the report when the breach affects 250 or more Texans, no later than 30 days after discovery. All reports to the OAG since September 1, 2023 must be submitted electronically using the OAG Data Breach Report form.

Texas Data Privacy and Security Act (TDPSA)

The TDPSA (Tex. BCC Chapter 541) took effect on July 1, 2024 and applies to companies that conduct business in Texas or produce a product or service consumed by Texas residents and that process consumers’ personal data. The Act extends data-minimization, retention-limitation, and deletion duties across the data lifecycle.

The Texas Office of the Attorney General holds exclusive enforcement authority. The Act provides a 30-day cure period before AG action, with civil penalties up to $7,500 per violation under § 541.155.

Texas Medical Records Privacy Act (TMRPA)

The Texas Medical Records Privacy Act (Tex. Health & Safety Code Chapter 181) extends healthcare-data safeguarding duties beyond the HIPAA-covered-entity footprint to any “covered entity” that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information. § 181.101 requires biennial workforce training on state and federal health-privacy laws within 90 days of hire. The statute carries civil penalties up to $5,000 per violation for negligent violations and up to $1.5 million per year for knowing or intentional violations under § 181.201. PHI frequently resides on imaging workstations, laptops, mobile devices, and departmental file shares that are not classified as EHR systems; the TMRPA disposal duty attaches at the moment of retirement regardless of where the PHI lived.

Capture or Use of Biometric Identifier Act (CUBI)

The Capture or Use of Biometric Identifier Act (Tex. BCC Chapter 503) governs the capture, storage, and destruction of biometric identifiers (fingerprints, voiceprints, retina or iris scans, hand or face geometry). § 503.001(c)(3) requires destruction within one year of the date the purpose for collection expires, and § 503.001(d) authorizes the Texas Attorney General to seek civil penalties up to $25,000 per violation. Biometric templates and identifiers persist in endpoint caches, access-control systems, mobile device profiles, and timekeeping appliances; retiring those assets without validated destruction triggers CUBI exposure independently of any data-breach event.

Texas Data Broker Law

The Texas Data Broker Law (Tex. BCC Chapter 509) requires data brokers operating in Texas to register annually with the Texas Secretary of State and maintain a comprehensive information security program. § 509.151 carries civil penalties of $100 per day of non-registration up to $10,000 per year, plus AG enforcement of the security-program duty under § 509.052. Enterprises that operate as data brokers face exposure across both the customer-facing dataset flows and the backend systems and storage media that stage those datasets.

Texas Public-Sector IT Disposal Posture

Texas state agencies retire IT assets under Texas Department of Information Resources (DIR) policy. The operative controls include DIR Texas Cybersecurity Framework; Tex. Gov. Code § 2054.130 state-agency permanent-removal duty; Texas State Records Retention Schedules administered by TSLAC. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Texas Department of Information Resources (DIR) policy guidance.

Texas Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Texas has adopted the NAIC Insurance Data Security Model Law at Tex. Ins. Code Ch. 559 (effective January 1, 2020). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Texas Student Privacy Act (Student-Data Privacy)

Texas’s student-data privacy statute at Tex. Education Code § 32.151 et seq. regulates K-12 ed-tech operators that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Texas’s outcome standard and retain the destruction certificate.

Data Destruction and Media Sanitization Expectations

Texas statute prescribes the outcome (“unreadable or undecipherable”) but not the method, which means Secure Data Destruction must be aligned to a recognized federal or industry standard to satisfy audit defensibility for every Retired Electronic Asset. All Green Recycling structures its data destruction operations to satisfy that alignment across every destruction modality, with the goal of rendering data unreadable before custody transfer.

NIST SP 800-88 as the Texas-Operative Baseline

NIST Special Publication 800-88 Revision 2 (Sep 26, 2025) is the operative federal media-sanitization standard, superseding NIST SP 800-88 Revision 1 (Dec 2014). The standard establishes three categories:

Clear. Logical overwrite techniques applicable to media that will be reused within the enterprise. Operationally aligned to certified data wipe workflows for self-encrypting drives and reused media.
Purge. Logical or physical techniques rendering data infeasible to recover with state-of-the-art laboratory techniques. Includes cryptographic erasure for self-encrypting drives and media degaussing for magnetic media.
Destroy. Physical destruction such that the media cannot be reused. Includes hard drive shredding, crushing, disintegration, and certified media shredding for SSDs and optical media.

Texas DIR Security Control Standards cross-reference NIST SP 800-53 and SP 800-88 for media sanitization on state-government systems. The federal contracting baseline is set by 32 CFR Part 117 (NISPOM).

Industry Standards

IEEE 2883-2022 (Standard for Sanitizing Storage) complements NIST SP 800-88 with current terminology and procedures across storage types (HDD, SSD, NVMe, embedded). The DoD 5220.22-M three-pass overwrite specification remains in vendor contracts and audit checklists as the legacy benchmark.

Destruction Method Selection

Method selection is driven by media type, classification, reuse intent, and audit posture. The table below maps the four operative methods in audit-ready data destruction to media and NIST categories.

Method	Media	NIST SP 800-88 Category	Texas Defensibility Use Case
Hard drive shredding	HDDs, SSDs, tapes, optical media, printers, phones	Destroy	High-sensitivity assets; assets that will not be reused; assets with classified data residue.
Crushing	HDDs, smaller form-factor media	Destroy	Volume retirements where shredding equipment is unavailable on-site.
Magnetic media degaussing	HDDs, magnetic tape	Purge	Magnetic media only; not effective on SSDs or flash.
Certified data wiping (overwrite or cryptographic)	HDDs, SSDs, self-encrypting drives, cloud volumes	Clear or Purge	Assets slated for reuse or remarketing where defensibility plus residual value matters.

The Certificate of Data Destruction issued for every event records the method, equipment, operator, witness, destruction date, and serialized asset, traceable to the chain-of-custody log.

Texas E-Waste Recycling and Environmental Compliance

Certified Electronics Recycling in Texas is regulated under a manufacturer-responsibility model administered by the Texas Commission on Environmental Quality (TCEQ), and it determines whether a Retired Electronic Asset diverts from landfill into a defensible recycling chain. The state operates two statewide manufacturer-takeback programs, applies hazardous-waste handler rules to electronics that test “hazardous” under TCLP, and routes covered material through registered processors. Improper electronics recycling exposes the enterprise to TCEQ enforcement, environmental liability, and reputational risk on the public-facing enforcement docket.

Enterprise / commercial equipment covered by the Texas e-waste program: PARTIAL. Texas Recycles Computers and Texas Recycles TVs programs (Tex. HSC Ch. 361 Subchs. Y, Z) are manufacturer-funded consumer-takeback regimes; enterprise bulk disposal routes through 30 TAC 335 hazardous-waste, universal-waste, and CRT rules. Texas is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 30 TAC 335; the state program operates at the federal floor unless explicitly more stringent.

Texas Recycles Computers Program

Tex. Health & Safety Code Chapter 361 Subchapter Y, the Texas Computer Equipment Recycling Act enacted by House Bill 2714 (80th Texas Legislature, 2007), established the Texas Recycles Computers Program. The implementing rule is 30 TAC § 328.137. Manufacturers offering to sell new computer equipment in or into Texas must:

Offer Texas consumers a free and convenient recycling program for their own brand of computer equipment.
Submit a notification and recovery plan to TCEQ.
Submit an annual manufacturers’ computer recycling report by January 31 of each year tracking weight collected, recycled, and reused.

Retailers may sell only computer equipment from manufacturers listed on the TCEQ list of computer equipment manufacturers. The retailer registry is the operative gating control on the Texas computer-equipment market.

Texas Recycles TVs Program

Tex. Health & Safety Code Chapter 361 Subchapter Z, enacted by Senate Bill 329 (82nd Texas Legislature, 2011), established the parallel Texas Recycles TVs Program. Television manufacturers operate state-population-weighted recovery plans against a share-based target.

TCEQ Hazardous and Industrial Waste Rules

Enterprise volumes of electronics recycling do not travel through the consumer manufacturer-takeback programs. They travel through TCEQ-registered recyclers and treatment-storage-disposal facilities under the hazardous and industrial waste rules.

Rule	Scope	Operative Effect on Enterprise IT Retirement
30 TAC Chapter 328	Waste Minimization and Recycling	Collection, processing, and recycling rules for computer and television equipment; Subchapter K applies the Texas universal-waste rule to elected electronics.
30 TAC Chapter 330	Municipal Solid Waste	Disposal-ban exposure for non-hazardous electronics that would otherwise be landfilled.
30 TAC Chapter 335	Industrial Solid Waste and Municipal Hazardous Waste	RCRA-equivalent regime; full generator, transporter, and TSDF requirements for electronics that test “hazardous” under TCLP (mercury switches, lead-bearing CRTs, lithium and lead-acid batteries, certain circuit-board fractions).

A Texas enterprise that retires data-center hardware, telecom equipment, or laboratory electronics in volume may cross a generator threshold under TCEQ hazardous waste generator rules and trigger registration, manifesting, and biennial-reporting duties even if the underlying assets are routed to recycling.

Universal Waste and CRT Rules

The federal Universal Waste Rule (40 CFR Part 273) is adopted in Texas under 30 TAC § 335 Subchapter H. Batteries, mercury-containing equipment, lamps, and elected electronics are handled under the streamlined universal-waste regime with reduced regulatory burden compared to full RCRA Subtitle C. The federal CRT Rule (40 CFR Part 261 Subpart E) applies to cathode ray tubes and CRT glass; TCEQ administers Texas-specific notification and recordkeeping under 30 TAC Chapter 335.

Lead-acid batteries fall under Tex. Health & Safety Code §§ 361.421–.429, which requires retailers to accept used lead-acid batteries and route them to permitted recyclers.

Compliance Posture for Enterprise Electronics Recycling

Enterprise electronics recycling in Texas is defensible when three controls are documented: (1) routing through TCEQ-registered recyclers; (2) hazardous-waste manifesting for any fraction that tests hazardous; and (3) chain-of-custody continuity that connects each serialized asset to its final disposition. All Green Recycling operates certified electronics recycling under a zero-landfill policy and routes covered electronic equipment through that documented chain, supporting the divert-from-landfill outcome that defines Certified Electronics Recycling as a regulated content category in Texas.

Regulated Asset Types and Enterprise Scenarios

Texas data-security and electronics recycling duties attach to every Retired Electronic Asset that has stored, processed, or transmitted regulated data, or that meets the definition of covered electronic equipment under Chapter 361. The asset inventory below defines the regulated content categories that drive IT Asset Disposition exposure across Texas enterprise environments.

Asset Inventory in Scope

The asset categories below are in scope for Texas IT Asset Disposition compliance. Data-bearing assets carry both the § 521.052 reasonable-procedures duty and the disposal duty; non-data-bearing assets carry the e-waste recycling and environmental duty.

Servers and storage arrays. Production and decommissioned chassis, internal drives, removable storage, and embedded firmware media. Retirement of this asset class follows the certified server recycling chain after Secure Data Destruction.
Endpoint hardware. Desktops, laptops, tablets, and convertibles, including assets that have stored sensitive personal information or PHI. Endpoint refresh programs route through certified laptop recycling and certified computer recycling after data destruction.
Mobile devices. Smartphones, ruggedized handhelds, scanners, and corporate-issued devices carrying cached credentials and PII. Mobile retirements route through certified cell phone recycling.
Networking equipment. Routers, switches, firewalls, and wireless controllers carrying configuration data, certificates, and credentials.
Imaging and printing equipment. Multifunction printers with internal storage that has retained scanned documents.
Industrial and IoT equipment. Building-management controllers, SCADA devices, point-of-sale terminals, and connected sensors.

Enterprise Scenarios That Trigger Texas Exposure

Data-center consolidation across Dallas-Fort Worth, Austin, San Antonio, or Houston with multi-thousand-asset retirement volumes.
HIPAA-covered hospital systems retiring imaging equipment, patient endpoints, and lab workstations.
Financial-services retirements in Houston and Dallas under TDPSA, FTC Safeguards Rule, and Texas Department of Banking expectations.
Defense-contractor retirements in the Lockheed Martin / Bell / L3Harris corridor (DFW), the Johnson Space Center supply chain (Houston), and the Fort Bliss / Holloman supply chain (El Paso) under NISPOM, ITAR, and CMMC; these scenarios drive classified equipment destruction.
Energy-sector retirements across the Permian Basin and the Houston corporate-headquarters cluster under SOX recordkeeping and TDPSA duties.
Product-recall and field-failure events that route through product recall management and defective product destruction to terminate downstream-counterfeit and warranty-fraud exposure.
Public-sector retirements by Texas state agencies under Tex. Gov. Code § 2054.130, the Texas DIR Sale or Transfer of Computers and Software Guidelines, TSLAC records-retention schedules, and Texas DIR Security Control Standards. § 2054.130 requires permanent removal of data before any state-agency computer leaves state control.
Healthcare retirements following Texas SB 1188 (89R), which takes effect in 2026 and requires electronic health records to be physically maintained within the United States with access-control duties on the supporting infrastructure. EHR refresh and decommissioning programs that span legacy on-premises systems now carry localization risk alongside the underlying HIPAA and TMRPA safeguard duties.
Lifecycle-strategy shifts under Texas HB 2963 (89R), which takes effect September 2026 and obligates manufacturers to provide repair documentation, parts, and tools for digital electronic equipment. The repair-versus-replacement decision now sits earlier in the lifecycle, but end-of-life data-destruction and electronics recycling duties remain unchanged.

Scale magnifies exposure. A single retired drive containing sensitive personal information triggers the same statutory duty as a thousand drives; the difference is the volume of evidence required during examination.

Enforcement, Penalties, and Audit Risk

Texas enforcement on IT Asset Disposition is led by the Office of the Attorney General on identity-theft, consumer-data, healthcare-privacy, biometric, and data-broker duties, and by TCEQ on environmental and electronics recycling duties. Federal regulators (HHS-OCR, FTC, EPA) overlay the state regime where the federal jurisdiction applies. The Texas AG and TCEQ both conduct audit reconstruction of events when responding to breach reports, complaints, or counterparty referrals; the records that must withstand reconstruction are enumerated in the Documentation section that follows.

Statutory Penalty Schedule

Statute	Penalty	Private Right of Action
Tex. BCC § 521.151 (failure to comply with breach notification)	Up to $50,000 per violation	NO (AG-only)
Tex. BCC § 521.152 (failure to take reasonable action under § 521.052)	$2,000 to $50,000 per violation	NO (AG-only)
Tex. BCC § 521.153 (failure to provide breach notice)	$100 per individual per consecutive day, capped at $250,000 per breach	NO (AG-only)
Tex. BCC § 72.004(c) (disposal of business records)	$500 per record disposed in violation	NO (AG-only)
Tex. BCC § 541.155 (TDPSA)	Up to $7,500 per violation after 30-day cure period	NO (AG-only)
Tex. Health & Safety Code § 181.201 (TMRPA negligent violation)	Up to $5,000 per violation, up to $1.5 million per year for knowing or intentional violations	NO (AG-only)
Tex. BCC § 503.001(d) (CUBI)	Up to $25,000 per violation	NO (AG-only)
Tex. BCC § 509.151 (Texas Data Broker Law)	$100 per day of non-registration, up to $10,000 per year	NO (AG-only)
Tex. Health & Safety Code § 361.224 (hazardous and solid-waste violations)	$50 to $25,000 per day per violation	NO (AG-only)
HIPAA civil money penalties	Tiered $100–$50,000+ per violation; annual cap to $1.9M per identical-violation tier	LIMITED (private federal HIPAA actions per 42 U.S.C. § 1320a-7a)

State Sectoral Regulators and Audit Authority

In addition to the Texas Attorney General and the Texas environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Texas Department of Banking examines banks and credit unions for GLBA-aligned information-security-program controls. The Texas Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Texas Health and Human Services Commission examines healthcare entities for HIPAA Security Rule compliance.

The Texas Higher Education Coordinating Board oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Public Utility Commission of Texas examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Recent Texas Enforcement Activity

The Texas Office of the Attorney General has taken visible enforcement posture under ITEPA, TDPSA, TMRPA, CUBI, and the Texas Data Broker Law over the last 24 months. Settlements and pending actions surface across data-security, biometric, and consumer-data fronts:

Meta (July 2024). Texas AG settlement with Meta Platforms, $1.4 billion, resolving CUBI claims over unauthorized biometric capture; the largest single-state biometric settlement on record and the operative reference enforcement action for Texas biometric exposure.
Allstate / Arity (January 2025). Texas AG TDPSA suit against Allstate and Arity over the unlawful collection, use, and sale of driver location data from over 45 million Americans; the first major TDPSA enforcement action since the statute took effect.
TDPSA enforcement (2024–2025). Texas AG action against TP-Link, Alibaba, CapCut, and other Chinese-affiliated companies.
Marriott International (October 2024). 50-AG multistate settlement, $52 million; Texas participating state.
Blackbaud (October 2023). 49-AG multistate settlement, $49.5 million; Texas participating state.
Equifax (July 2019). 50-AG multistate settlement, $600 million; reference enforcement action defining Texas AG expectations on reasonable procedures.

On the federal-overlay side, HHS-OCR’s resolution with the Texas Health and Human Services Commission is the operative reference for HIPAA Security Rule enforcement in a Texas venue.

TCEQ enforcement decisions on hazardous-waste and recycling violations typically settle in the $5,000–$250,000+ range per agreed order, with repeat-violator status driving higher settlements.

Audit Risk Vectors

Texas enterprises face audit-driven risk on four vectors: regulator-initiated examination, breach-triggered enforcement, insurance and reinsurance review, and customer or counterparty due diligence. Each vector requires the same evidence: serialized destruction records, certified sanitization attestations, environmental disposition documentation, and contractual safeguard terms with downstream service providers.

Documentation, Chain of Custody, and Audit-Ready Proof

Texas Office of the Attorney General enforcement under Tex. BCC § 521 ($100-per-individual-per-day, up to $50,000 per violation), CUBI ($25,000-per-violation), and TDPSA (no statutory cap on cure-period failures) is built from documentary evidence, and a Retired Electronic Asset without serialized destruction records is directly monetizable for enforcement. Audit defensibility for a Retired Electronic Asset lives in the records the enterprise can produce on request: who held the asset, when, in what condition, and how it was destroyed or diverted. Chain-of-custody continuity is the operative measure regulators and counterparties apply to evaluate a Texas IT Asset Disposition program.

Required Documentation Set

A defensible Texas IT Asset Disposition program produces the following documentation per engagement:

Serialized asset list. Manufacturer, model, serial number, and media type with capacity for every data-bearing asset.
Chain-of-custody record. Continuous from collection through destruction, with timestamps, transfers, transport identifiers, and operator names at each handoff.
Certificate of Data Destruction. Per asset or per batch, with destruction method, equipment, operator, witness, and date, traceable to the serialized list.
Certificate of Recycling and environmental disposition record. Per handler chain, documenting the route from collection through final disposition under TCEQ rules.
Hazardous-waste manifest (where applicable). Generator, transporter, and TSDF entries for any fraction that tests hazardous under TCLP.
Audit log and exception record. Every deviation from the documented chain-of-custody or destruction protocol, with disposition.

Chain-of-Custody Standard

Chain-of-custody records satisfy Texas audit expectations when they are continuous, tamper-evident, and time-stamped. Continuous means no time gap exists in which the asset’s location and custody are unknown. Tamper-evident means the record itself is protected against alteration. Time-stamped means each handoff is anchored to a verifiable system clock.

Sealed transport with tamper-evident containers and access-controlled handoffs supports the continuity standard. Real-time tracking systems support the time-stamping standard. Internal access-control logs support the tamper-evidence standard.

Evidence Regulators and Auditors Expect

Enterprise compliance teams asked to produce IT-asset-retirement evidence in a Texas AG inquiry, a TCEQ examination, an HHS-OCR breach review, an FTC consent-order audit, or a customer due-diligence response are routinely asked for: a sample serialized destruction record, a sample chain-of-custody log, a representative Certificate of Destruction, the destruction-method specification, the operator and witness identities, the environmental disposition record, the hazardous-waste manifest (where applicable), and the contract or service-level agreement under which the disposition was performed. A program that cannot produce that packet in a single retrieval is operating below the Texas enterprise standard.

How All Green Recycling Operationalizes Texas Compliance

All Green Recycling, LLC operates as compliance infrastructure for Texas enterprises retiring a Retired Electronic Asset, not as a recycler bidding for tonnage. The control set described below maps directly to the statutory and regulatory duties enumerated above. Each control is a measurable operating output traceable to a serialized asset across IT Asset Disposition, Secure Data Destruction, Certified Electronics Recycling, Secure Equipment Destruction, and Reverse Logistics & Chain-of-Custody Tracking.

IT Asset Disposition

All Green Recycling operates certified IT asset disposition across secure removal, refurbishment, redeployment, resale, and remarketing under chain-of-custody control. Every asset is captured on a serialized list at collection through IT equipment packaging and transport. Data-bearing assets are sanitized or destroyed before any reuse decision is made. Asset remarketing is structured to maximize return on retirement without compromising Texas data-security duties.

Secure Data Destruction

All Green Recycling operates secure data destruction services across four methods aligned to NIST SP 800-88 Rev. 2: certified hard drive shredding, magnetic media degaussing, crushing, and certified media shredding. On-site and off-site destruction options are available with full audit trails. The program operates within Clear, Purge, and Destroy categories and supports HIPAA, FTC Safeguards Rule, FACTA Disposal Rule, NISPOM, and TDPSA environments. Every destruction event produces a serialized Certificate of Data Destruction tied to the asset’s serial number.

Certified Electronics Recycling and Environmental Compliance

All Green Recycling operates certified electronics recycling services under a zero-landfill policy and routes covered electronic equipment and hazardous-waste-classified components through the Texas regulated recycling and hazardous-waste handler chain. The program aligns to TCEQ’s Texas Recycles Computers and Texas Recycles TVs program structures for consumer-volume material, and to 30 TAC Chapter 335 for enterprise-volume hazardous-waste handler duties. R2v3 is the recognized industry framework for responsible electronics recycling; All Green Recycling references R2v3 as the framework that defines the responsible-recycling standard, while certifications and registrations actually held are confirmed in writing on request to compliance leadership.

Secure Equipment Destruction for Sensitive and Specialized Hardware

For medical, telecom, defense, and aerospace equipment, All Green Recycling provides secure equipment destruction to prevent reuse or data leakage. Witnessed destruction is available where contractually required. The program covers product recall management, defective product destruction, and classified equipment destruction. Destruction documentation aligns to the customer’s compliance regime, including HIPAA, ITAR, EAR, 32 CFR Part 117, and CMMC environments.

Reverse Logistics and Chain-of-Custody Tracking

All Green Recycling operates reverse logistics with nationwide secure transport supporting Texas enterprises across multi-site retirements, cross-metro consolidation across Dallas-Fort Worth, Austin, San Antonio, and Houston, and out-of-state collection. The Green Pulse tracking system records movement from pickup through final disposition. Tamper-evident containers and sealed transport satisfy the chain-of-custody continuity standard.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and TDPSA / HIPAA / FTC documentation entries where the federal overlay applies. The documentation package is structured for direct delivery to compliance, legal, audit, and regulator teams without reformatting.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Texas. Answers are statute-anchored, declaration-first, and scoped to the operational decisions a Chief Compliance Officer, Chief Information Security Officer, IT Director, in-house counsel, or procurement lead actually makes.

Does Texas have a data-privacy statute that applies beyond HIPAA and GLBA?

Yes. The Texas Data Privacy and Security Act (Tex. BCC Chapter 541) took effect on July 1, 2024 and applies to companies that conduct business in Texas or produce a product or service consumed by Texas residents and that process consumers’ personal data. The Texas Attorney General holds exclusive enforcement authority with civil penalties up to $7,500 per violation after a 30-day cure period.

What is Texas’s breach-notification deadline?

Under Tex. BCC § 521.053, notice to affected individuals must occur no later than 60 days after the business determines the breach occurred. When 250 or more Texans are affected, the Texas Office of the Attorney General must receive electronic notice no later than 30 days after discovery.

Does Texas offer a safe harbor for using a certified third-party records-destruction service?

Yes. Tex. BCC § 72.004(b) provides a statutory safe harbor when the business engages a third party that is “in the business of disposal of business records” and complies with the § 72.004(a) outcome standard rendering records unreadable. All Green Recycling operates certified data destruction structured to satisfy that safe-harbor framework with a serialized Certificate of Destruction per asset.

Which media-sanitization standard does Texas accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (Sep 26, 2025) is the operative federal media-sanitization standard and is cross-referenced by the Texas DIR Security Control Standards for state-government systems. Texas statute prescribes the outcome (“unreadable or undecipherable”) but not the method, so alignment to the NIST Clear / Purge / Destroy categories through certified data wiping or physical destruction is what carries audit defensibility.

Are enterprise electronics covered by Texas’s manufacturer-takeback program, or do they route through hazardous-waste handler rules?

Enterprise volumes do not route through the consumer-facing manufacturer programs (Texas Recycles Computers and Texas Recycles TVs); they route through TCEQ-registered recyclers under 30 TAC Chapter 335 and the related Subchapters governing universal waste, hazardous waste, and industrial solid waste. All Green Recycling operates certified electronics recycling through that documented chain with zero-landfill routing.

If a downstream recycler mishandles a hazardous fraction, does generator liability remain with the enterprise?

Yes. Under the RCRA-equivalent regime in 30 TAC Chapter 335 and TCEQ hazardous-waste generator rules, generator responsibility for hazardous fractions persists from cradle to grave, including when material is shipped to a recycler and the recycler mismanages it. Documentation of TCEQ-registered downstream partners and hazardous-waste manifest copies are the audit-defensibility records examiners ask for.

What additional disposal duty applies when Texas public-sector or higher-education assets are involved?

Tex. Gov. Code § 2054.130 requires permanent removal of data from any state-agency computer or storage device before the device leaves state control, and the Texas DIR Sale or Transfer of Computers and Software Guidelines operationalize that standard. All Green Recycling operates certified IT asset disposition aligned to that public-sector outcome standard with a serialized destruction record per asset.

How does Texas regulate biometric identifiers held on retired endpoints?

The Capture or Use of Biometric Identifier Act (Tex. BCC Chapter 503) requires destruction of biometric identifiers within one year of the date the purpose for collection expires under § 503.001(c)(3), with civil penalties up to $25,000 per violation under § 503.001(d). Biometric templates persist in endpoint caches, access-control systems, and mobile device profiles, and the $1.4 billion Meta settlement (July 2024) is the operative reference enforcement action.

Which certifications does All Green Recycling hold, and which standards does All Green Recycling reference as framework alignment?

All Green Recycling holds ISO 14001:2015 (environmental management) and ISO 45001:2018 (occupational health and safety) certifications. R2v3, NAID AAA, and e-Stewards are referenced as framework alignment rather than held certifications; alignment to HIPAA, GLBA, FTC Safeguards, NIST SP 800-88 Rev. 2, FAR 52.204-21, and DFARS 252.204-7012 is documented through operating procedure rather than a single attestation. Current certifications and registrations actually held are confirmed in writing on request to compliance leadership.

What documentation should an enterprise be prepared to produce during a Texas AG or TCEQ examination?

A Texas AG or TCEQ examination typically requests the same packet on the same day: serialized asset list with serial numbers and media types, chain-of-custody log with timestamped handoffs, Certificate of Data Destruction per asset, Certificate of Recycling with downstream disposition, hazardous-waste manifest where applicable, the destruction-method specification, the operator and witness identities, and the contracted service-level agreement. All Green Recycling delivers that packet through IT asset reporting in a single retrieval.

How does the federal HIPAA / GLBA / FAR / DFARS baseline interact with Texas’s privacy and disposal regime?

The federal baseline applies regardless of state alignment, and Texas law operates as an overlay that extends rather than replaces the federal duty. A regulated enterprise must satisfy the stricter of (1) Texas statutes including ITEPA, TDPSA, TMRPA, and CUBI, (2) federal sector rules such as the HIPAA Security Rule, the FTC Safeguards Rule, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses, based on the actual data types present on the assets being dispositioned.

Under Tex. BCC § 521, does losing an unencrypted device qualify as a security breach?

Yes. Tex. BCC § 521.053(a) defines breach as unauthorized acquisition of computerized data, which extends to physical loss of unencrypted media or devices.

How does Tex. BCC § 521.053 treat encryption and NIST 800-88 sanitization as breach-notice relief?

Yes. Tex. BCC § 521.053(a) excludes encrypted data from the breach definition unless the key is also acquired. NIST SP 800-88 Revision 2 verified sanitization removes sensitive personal information from the asset and from the breach trigger entirely.

Texas Compliance as Risk Management

Texas IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable or indecipherable before custody transfer, that regulated records were disposed of in accordance with state law, and that downstream processing did not create environmental liability. ITEPA civil penalties, TDPSA civil penalties, TMRPA per-year exposure, CUBI per-violation exposure, § 72.004 per-record exposure, TCEQ enforcement on hazardous-waste and improper recycling, HIPAA and FTC Safeguards Rule overlays, and audit-driven counterparty review converge on the same set of records: serialized destruction logs, chain-of-custody continuity, environmental disposition evidence, hazardous-waste manifests where applicable, and contracted-service safeguard terms. Enterprises that operationalize that record set carry defensible compliance posture across regulator inquiry, audit cycle, and incident response.

Texas compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Texas-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.