Virginia IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Virginia hosts the largest concentration of hyperscale data-center capacity in the world and operates the Virginia Consumer Data Protection Act (VCDPA, effective January 1, 2023), the first comprehensive U.S. consumer privacy law after California, which makes documented hardware end-of-life destruction a baseline expectation for in-state enterprises. The Enterprise Compliance Reference below is the Virginia executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent Attorney General enforcement context.

Virginia Enterprise Compliance Reference

| Compliance Topic | What Virginia Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Breach Notification | Notice to affected Virginia residents and the Virginia AG without unreasonable delay under Va. Code § 18.2-186.6. | Virginia AG | Up to $150,000 per breach under § 18.2-186.6 | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Destruction or modification rendering personal information unreadable / undecipherable under Va. Code § 59.1-443.2. | Virginia AG | Up to $2,500 per violation under § 59.1-443.2(D) | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Virginia Consumer Data Protection Act (VCDPA) | Controller obligations including data minimization, processor flow-down, deletion rights, and sensitive-data opt-in consent under Va. Code § 59.1-575 et seq. (effective January 1, 2023). | Virginia AG | Up to $7,500 per violation under § 59.1-584 | Certified data destruction with controller deletion attestation. |
| 4. Virginia Consumer Protection Act | Va. Code § 59.1-196 UDAP carryover applies to disposal and breach failures. | Virginia AG; private parties | Up to $2,500 per willful violation under § 59.1-206 | Certified data destruction with documented chain of custody. |
| 5. Hazardous Waste & CRT Handling | RCRA-delegated state program under 9 VAC 20-60; universal-waste rules at 9 VAC 20-60-1496; CRT rules at 40 C.F.R. § 261.39. | Virginia DEQ | Up to $32,500/day under Va. Code § 10.1-1455 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Virginia Compliance Reality

Virginia’s compliance regime spans (1) the Virginia Breach Notification Statute at Va. Code § 18.2-186.6 (notice without unreasonable delay; up to $150,000 per breach), (2) the records-disposal duty at Va. Code § 59.1-443.2 (with $2,500 per-violation civil penalties), (3) the Virginia Consumer Data Protection Act (VCDPA) at Va. Code § 59.1-575 et seq. (effective January 1, 2023; second comprehensive state privacy law in the U.S. after CCPA; biometric and genetic data enumerated as sensitive requiring opt-in consent), (4) the Virginia Consumer Protection Act at Va. Code § 59.1-196 et seq. (private right of action), and (5) the Virginia DEQ hazardous-waste rules at 9 VAC 20-60. Virginia is a major federal-contractor state with significant DoD presence; DFARS 252.204-7012 flow-down is operationally significant.

Virginia and Federal Compliance Interaction

Virginia’s federal-contractor, defense, and intelligence-community footprint (Pentagon, NSA, CIA, Northrop, Boeing, Lockheed) pulls FAR 52.204-21, DFARS 252.204-7012, CMMC 2.0, HIPAA, GLBA, the FTC Safeguards Rule, and FACTA over most in-state enterprises, with VCDPA layered on top. A regulated enterprise must satisfy the stricter of (1) Virginia statutes including § 18.2-186.6 (breach), § 59.1-443.2 (disposal), § 59.1-575 (VCDPA), and § 59.1-196 (VCPA), (2) federal sector rules including HIPAA Security Rule, FTC Disposal Rule, FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.

Virginia Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Virginia, whether Virginia law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Virginia Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | exceeds | Va. Code § 18.2-186.6 imposes up to $150,000 per breach; § 59.1-443.2 mandates rendering personal information unreadable or undecipherable. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Virginia state hazardous-waste program implements RCRA Subtitle C at the federal floor. |

For federal contractors operating in Virginia, the Defense Federal Acquisition Regulation Supplement at DFARS 252.204-7012, the Federal Acquisition Regulation at FAR 52.204-21, and the Cybersecurity Maturity Model Certification 2.0 program codified at 32 CFR Part 170 (effective December 16, 2024) impose media-sanitization, chain-of-custody, and incident-reporting duties that flow down through prime-contractor clauses. NIST SP 800-171 Revision 3 (final May 2024) is the operative control framework for covered defense information and controlled unclassified information; NIST SP 800-88 Revision 2 (operative September 26, 2025) is the operative sanitization standard for both DFARS and CMMC 2.0 audit defensibility.

Virginia Data Security, Privacy, and Disposal Obligations

Va. Code § 18.2-186.6 — Breach Notification

Va. Code § 18.2-186.6 requires notice to affected Virginia residents and to the Virginia AG without unreasonable delay following discovery of the breach. The 2017 amendments added income-tax information to the personal-information definition for breaches involving tax-preparation services. Civil penalties run up to $150,000 per breach.

Va. Code § 59.1-443.2 — Records Disposal

Va. Code § 59.1-443.2 requires entities to take reasonable steps to destroy or arrange for the destruction of records containing personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable. Civil penalties run up to $2,500 per violation under § 59.1-443.2(D).

Virginia Consumer Data Protection Act (VCDPA) — Va. Code § 59.1-575

The Virginia Consumer Data Protection Act at Va. Code § 59.1-575 et seq. became effective January 1, 2023. VCDPA was the second comprehensive state privacy law in the U.S. after CCPA. VCDPA imposes controller obligations including data minimization, processor accountability, deletion rights, and sensitive-data opt-in consent. Sensitive data is enumerated to include genetic or biometric data, personal data of a known child, precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status. Civil penalties run up to $7,500 per violation under § 59.1-584.

Virginia Consumer Protection Act — Va. Code § 59.1-196

Virginia’s Consumer Protection Act at Va. Code § 59.1-196 provides a private right of action under § 59.1-204, with actual damages or $500 statutory damages, whichever is greater (up to $1,000 for willful violations).

Virginia Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Virginia has adopted the NAIC Insurance Data Security Model Law at Va. Code § 38.2-621 et seq. (effective July 1, 2020). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Virginia Student Online Personal Information Protection Act (Student-Data Privacy)

Virginia’s student-data privacy statute at Va. Code § 22.1-289.01 et seq. regulates K-12 ed-tech operators and schools that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Virginia’s outcome standard and retain the destruction certificate.

Virginia Public-Sector IT Disposal Posture

Virginia state agencies retire IT assets under Virginia Information Technologies Agency (VITA) policy. The operative controls include VITA Information Security Standards (SEC501), Library of Virginia Records Retention Schedules under Va. Code § 42.1-86.1, and State Surplus Property under Va. Code § 2.2-1124. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See VITA policy guidance.

Data Destruction and Media Sanitization Expectations

Va. Code § 59.1-443.2 prescribes the “unreadable or undecipherable” outcome standard via shredding, erasing, or modifying personal information. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Virginia state agencies follow VITA Security Policy.

Hard Drive Shredding

Virginia-resident personal data on fixed media requires the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because VCDPA § 59.1-578 controller duties and § 18.2-186.6 breach trigger both reach unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.

Virginia E-Waste, Hazardous Waste, and Environmental Compliance

Virginia has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through the federal RCRA-delegated state hazardous-waste program at 9 VAC 20-60, administered by Virginia DEQ.

Enterprise / commercial equipment covered by the Virginia e-waste program: NO. Virginia is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 9 VAC 20-60; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules at 9 VAC 20-60-1496 cover batteries, lamps, mercury-containing equipment, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Civil penalties run up to $32,500 per day per violation under Va. Code § 10.1-1455. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through R2v3-aligned channels combined with NIST 800-88 Rev. 2 data sanitization. Asset remarketing recovers residual value while preserving chain of custody.

Mobile Devices and Biometric Sensors

Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint).

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Virginia enforcement is concentrated at the Virginia AG (Breach Notification Statute § 18.2-186.6 up to $150,000 per breach; VCDPA § 59.1-584 up to $7,500 per violation; VCPA § 59.1-206 up to $2,500 per willful violation with private right of action under § 59.1-204), the Virginia State Corporation Commission Bureau of Insurance (Insurance Data Security Act § 38.2-621), Virginia DEQ (9 VAC 20-60 hazardous-waste violations up to $32,500/day under § 10.1-1455), and federal regulators with concurrent jurisdiction.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| § 18.2-186.6 (breach notice) | Up to $150,000 per breach | NO (AG-only) | VA AG |
| § 59.1-443.2 (records disposal) | Up to $2,500 per violation under § 59.1-443.2(D) | NO (AG-only) | VA AG |
| § 59.1-575 (VCDPA) | Up to $7,500 per violation under § 59.1-584 | NO (AG-only with 30-day cure period) | VA AG |
| § 59.1-196 (VCPA) | Up to $2,500 per willful violation under § 59.1-206; $500 / $1,000 statutory damages for private plaintiffs | YES (private right of action under § 59.1-204) | VA AG; private parties |
| § 38.2-621 (Insurance Data Security Act) | SCC civil penalties up to $5,000 per violation | NO (Bureau of Insurance only) | VA Bureau of Insurance |
| 9 VAC 20-60 (hazardous waste) | Up to $32,500 per day per violation under § 10.1-1455 | NO (Virginia DEQ enforcement) | Virginia DEQ |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Virginia Office of the Attorney General and the Virginia Department of Environmental Quality (Virginia DEQ), state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Virginia State Corporation Commission Bureau of Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls. The Virginia State Corporation Commission Bureau of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Virginia Department of Health examines healthcare entities for HIPAA Security Rule compliance. The State Council of Higher Education for Virginia oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Virginia State Corporation Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Virginia Attorney General Office of Consumer Protection enforcement under VCDPA (§ 59.1-584, up to $7,500 per violation) is built from documentary evidence, and a Retired Electronic Asset without serialized destruction records is direct penalty exposure in an enforcement action.

How All Green Recycling Operationalizes Virginia Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Virginia’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through Virginia Department of Environmental Quality (Virginia DEQ)-authorized channels, and audit-ready reporting.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy Virginia’s outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for sensitive data categories.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through Virginia Department of Environmental Quality (Virginia DEQ)-authorized channels and R2v3-aligned recyclers. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Virginia.

What is Virginia’s breach-notification deadline?

Without unreasonable delay under Va. Code § 18.2-186.6. Notice to the Virginia AG is required for breaches affecting Virginia residents. Civil penalties run up to $150,000 per breach.

When did the Virginia Consumer Data Protection Act take effect?

January 1, 2023. VCDPA at Va. Code § 59.1-575 et seq. was the second comprehensive state privacy law in the U.S. (after CCPA). VCDPA imposes controller obligations including sensitive-data opt-in consent for biometric, genetic, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, and other enumerated categories.

Does Virginia enumerate disposal methods?

Yes. Va. Code § 59.1-443.2 requires shredding, erasing, or otherwise modifying personal information to make it unreadable or undecipherable. Certified data destruction satisfies the method-and-outcome standard.

Does Virginia treat biometric and genetic data as sensitive?

Yes. VCDPA enumerates biometric data and genetic data as sensitive data requiring opt-in consent. Other sensitive categories include personal data of a known child, precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status.

Has Virginia adopted the NAIC Insurance Data Security Model Law?

Yes. The Virginia Insurance Data Security Act at Va. Code § 38.2-621, effective July 1, 2020, adopts the NAIC model. Insurance licensees must maintain a written information security program with annual board certification.

Does Virginia have a state e-waste recycling program?

No. Virginia has not enacted an electronics-recycling extended producer responsibility program. Enterprise IT asset retirement routes through Virginia DEQ-authorized hazardous-waste channels and certified electronics recycling.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. 9 VAC 20-60 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by 9 VAC 20-60-1496. Virginia DEQ enforces civil penalties up to $32,500 per day per violation under § 10.1-1455.

Which media-sanitization standard does Virginia accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. VITA SEC501 Information Security Standards reference NIST guidance.

What is the maximum penalty for a Virginia privacy violation?

Breach Notification Statute civil penalties run up to $150,000 per breach. VCDPA civil penalties run up to $7,500 per violation under § 59.1-584. VCPA civil penalties run up to $2,500 per willful violation under § 59.1-206, with private right of action and $500 / $1,000 statutory damages. Virginia DEQ hazardous-waste penalties under § 10.1-1455 run up to $32,500 per day.

What is All Green Recycling’s certification posture for Virginia enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or Virginia DEQ examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.

Under Virginia law, is a lost or stolen unencrypted drive a security breach?

Yes. Va. Code § 18.2-186.6 defines breach as unauthorized access and acquisition of unencrypted computerized data; physical loss of unencrypted media triggers the analysis.

Does Virginia’s breach-notification statute provide an encryption or sanitization safe harbor?

Yes. § 18.2-186.6 excludes encrypted or redacted data from the breach definition. NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

Virginia Compliance as Risk Management

Virginia IT asset retirement is a layered risk-management discipline. VCDPA, effective January 1, 2023, was the second comprehensive state privacy law in the U.S. and introduced biometric and genetic data as sensitive data requiring opt-in consent. The Virginia Insurance Data Security Act, effective July 1, 2020, imposes written information security program controls on insurance licensees. Compliant retirement proves that data was rendered unreadable or undecipherable before custody transfer, that breach notice was given without unreasonable delay (with AG notice), that VCDPA-controlled data was retired consistent with deletion rights and sensitive-data handling, and that hazardous fractions were handled under 9 VAC 20-60. Breach-notification penalties of up to $150,000 per breach, VCDPA penalties of $7,500 per violation, VCPA penalties of $2,500 per violation with private right of action and $500 / $1,000 statutory damages, Virginia DEQ daily penalties (up to $32,500), the HIPAA federal overlay, the FTC Disposal and Safeguards Rules, and audit-driven counterparty review all converge on the same set of records.

Virginia compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Virginia-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.