Wisconsin IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Wisconsin’s Notice of Unauthorized Acquisition of Personal Information statute at Wis. Stat. § 134.98 and the broader Wisconsin Insurance Data Security Law combine with the state’s heavy manufacturing, healthcare, and agricultural-data industries to make hardware end-of-life destruction a recurring multi-regime audit surface. Use the Enterprise Compliance Reference below as the Wisconsin executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

Wisconsin Enterprise Compliance Reference

| Compliance Topic | What Wisconsin Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Breach Notification | Notice to affected Wisconsin residents within 45 days under Wis. Stat. § 134.98. | Wisconsin AG; Wisconsin Department of Agriculture, Trade and Consumer Protection (DATCP) | Up to $1,000 per violation; civil forfeiture per § 134.98(4) | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Reasonable measures to destroy records containing personal information by shredding, erasing, or otherwise modifying the records to make personal information unreadable or unusable under Wis. Stat. § 134.97. | Wisconsin AG; DATCP | Up to $1,000 per violation under § 134.97(5) | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Insurance Data Security Act | Written information security program; annual board certification under Wis. Stat. § 601.955. | Wisconsin Office of the Commissioner of Insurance (OCI) | Up to $5,000 per violation under § 601.64 | Certified data destruction with insurance-licensee attestation. |
| 4. E-Cycle Wisconsin | Manufacturer-funded takeback program for computers, monitors, laptops, and TVs; landfill ban under Wis. Stat. § 287.17. | Wisconsin DNR | Civil penalties under Wis. Stat. § 287.95 | Certified electronics recycling compliant with E-Cycle Wisconsin. |
| 5. Hazardous Waste & CRT Handling | RCRA-delegated state program under NR 660-679; universal-waste rules at NR 673; CRT rules at 40 C.F.R. § 261.39. | Wisconsin DNR | Up to $25,000/day under Wis. Stat. § 291.97 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Wisconsin Compliance Reality

Wisconsin’s compliance regime spans (1) the Wisconsin Notice of Unauthorized Acquisition of Personal Information Act at Wis. Stat. § 134.98 (45-day notice), (2) the records-disposal duty at Wis. Stat. § 134.97 (up to $1,000 per violation), (3) the Wisconsin Insurance Data Security Act at Wis. Stat. § 601.955 (effective March 1, 2022; adopted NAIC Insurance Data Security Model Law), (4) the E-Cycle Wisconsin program at Wis. Stat. § 287.17 (manufacturer-funded takeback with landfill ban), and (5) the Wisconsin DNR hazardous-waste rules at NR 660-679. Wisconsin enforces breach notification through DATCP and the AG concurrently.

Wisconsin and Federal Compliance Interaction

Wisconsin’s manufacturing, healthcare (Aurora, Froedtert), insurance, and agricultural industries pull HIPAA, GLBA, the FTC Safeguards Rule, FACTA, FAR 52.204-21, DFARS 252.204-7012, and the Wisconsin Insurance Data Security Law over most in-state enterprises, with Wis. Stat. § 134.98 layered on top. A regulated enterprise must satisfy the stricter of (1) Wisconsin statutes including § 134.98 (breach), § 134.97 (disposal), § 601.955 (Insurance Data Security Act), and § 287.17 (E-Cycle Wisconsin), (2) federal sector rules including HIPAA Security Rule, FTC Disposal Rule, FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses.

Wisconsin Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Wisconsin, whether Wisconsin law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Wisconsin Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | exceeds | Wis. Stat. § 601.955 Insurance Data Security Act imposes written information security program with annual board certification on insurance licensees. |
| FACTA Disposal Rule (16 CFR § 682.3) | equals | Federal regime controls; state law does not exceed the federal floor. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Wisconsin state hazardous-waste program implements RCRA Subtitle C at the federal floor. |

For federal contractors operating in Wisconsin, the Defense Federal Acquisition Regulation Supplement at DFARS 252.204-7012, the Federal Acquisition Regulation at FAR 52.204-21, and the Cybersecurity Maturity Model Certification 2.0 program codified at 32 CFR Part 170 (effective December 16, 2024) impose media-sanitization, chain-of-custody, and incident-reporting duties that flow down through prime-contractor clauses. NIST SP 800-171 Revision 3 (final May 2024) is the operative control framework for covered defense information and controlled unclassified information; NIST SP 800-88 Revision 2 (operative September 26, 2025) is the operative sanitization standard for both DFARS and CMMC 2.0 audit defensibility.

Wisconsin Data Security, Privacy, and Disposal Obligations

Wis. Stat. § 134.98 — Notice of Unauthorized Acquisition of Personal Information

Wis. Stat. § 134.98 requires notice to affected Wisconsin residents within 45 days of discovery of the unauthorized acquisition. Personal information includes name plus SSN, driver’s license, financial-account information with access code, biometric data, or DNA profile. Civil forfeitures run up to $1,000 per violation under § 134.98(4).

Wis. Stat. § 134.97 — Records Disposal

Wis. Stat. § 134.97 requires entities to take reasonable measures to destroy records containing personal information by shredding, erasing, or otherwise modifying the records to make the personal information unreadable or unusable. Civil forfeitures run up to $1,000 per violation under § 134.97(5).

Wisconsin Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Wisconsin has adopted the NAIC Insurance Data Security Model Law at Wis. Stat. § 601.95-601.96 (effective March 1, 2022). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Wisconsin Pupil Records Law (Student-Data Privacy)

Wisconsin’s student-data privacy statute at Wis. Stat. § 118.125 regulates pupil records and the K-12 schools that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Wisconsin’s outcome standard and retain the destruction certificate.

Wisconsin Public-Sector IT Disposal Posture

Wisconsin state agencies retire IT assets under Wisconsin Department of Administration Division of Enterprise Technology (DOA-DET) policy. The operative controls include DOA-DET Information Security Policies (NIST CSF-aligned), State Records Center Records Retention and Disposition Schedules under Wis. Stat. § 16.61, and State Surplus Property under Wis. Stat. § 16.72. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See DOA-DET policy guidance.

Data Destruction and Media Sanitization Expectations

Wis. Stat. § 134.97 prescribes the “unreadable or unusable” outcome standard via shredding, erasing, or modifying records. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Wisconsin state agencies follow DOA-DET Security Policy.

Hard Drive Shredding

Wisconsin-resident PII on fixed media requires the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because Wis. Stat. § 134.98(2)’s breach trigger reaches unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

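Media degaussing is the appropriate Purge method for legacy magnetic media. Degaussing does not erase flash memory, which stores data as electrical charge rather than magnetic domains, so SSDs, NVMe drives, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).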

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information.

Wisconsin E-Waste, Hazardous Waste, and Environmental Compliance

Wisconsin has E-Cycle Wisconsin at Wis. Stat. § 287.17, a manufacturer-funded takeback program for covered electronic devices with a landfill ban. Enterprise IT asset retirement routes through Wisconsin DNR-authorized channels at NR 660-679.

Enterprise / commercial equipment covered by the Wisconsin e-waste program: PARTIAL. E-Cycle Wisconsin (Wis. Stat. § 287.17) is a manufacturer-funded takeback program covering computers, monitors, laptops, and TVs from households, K-12 schools, and small businesses with fewer than 25 employees; enterprise bulk disposal routes through NR 660-679 hazardous-waste channels. Wisconsin is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through NR 660-679; the state program operates at the federal floor unless explicitly more stringent.

Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium. Universal-waste rules at NR 673 cover batteries, lamps, mercury-containing equipment, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Civil penalties run up to $25,000 per day per violation under Wis. Stat. § 291.97. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through R2v3-aligned channels combined with NIST 800-88 Rev. 2 data sanitization. Asset remarketing recovers residual value while preserving chain of custody.

Mobile Devices and Biometric Sensors

Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint).

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Wisconsin enforcement is concentrated at the Wisconsin AG and the Wisconsin Department of Agriculture, Trade and Consumer Protection (DATCP) (Notice of Unauthorized Acquisition § 134.98 with civil forfeitures up to $1,000 per violation; records-disposal § 134.97 up to $1,000 per violation), the Wisconsin Office of the Commissioner of Insurance (Insurance Data Security Act § 601.955 effective March 1, 2022 with up to $5,000 per violation under § 601.64), Wisconsin DNR (NR 660-679 hazardous-waste violations up to $25,000/day under § 291.97), and federal regulators with concurrent jurisdiction.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| § 134.98 (breach notice) | Up to $1,000 per violation under § 134.98(4) | NO (AG / DATCP only) | WI AG; DATCP |
| § 134.97 (records disposal) | Up to $1,000 per violation under § 134.97(5) | NO (AG / DATCP only) | WI AG; DATCP |
| § 601.955 (Insurance Data Security Act) | Up to $5,000 per violation under § 601.64 | NO (OCI only) | WI OCI |
| § 287.17 (E-Cycle Wisconsin) | Wisconsin DNR civil penalties | NO (DNR enforcement) | Wisconsin DNR |
| NR 660-679 (hazardous waste) | Up to $25,000 per day per violation under § 291.97 | NO (Wisconsin DNR enforcement) | Wisconsin DNR |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Wisconsin Department of Justice Office of the Attorney General and the Wisconsin Department of Natural Resources (Wisconsin DNR), state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Wisconsin Department of Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls. The Wisconsin Office of the Commissioner of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Wisconsin Department of Health Services examines healthcare entities for HIPAA Security Rule compliance. The Wisconsin Higher Educational Aids Board / University of Wisconsin System oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Wisconsin Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, conduct on-site examinations, or enter consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Wisconsin Department of Agriculture, Trade and Consumer Protection enforcement under Wis. Stat. § 100.20 (Unfair Trade Practices) is built from documentary evidence, and a Retired Electronic Asset without serialized destruction records is treated as a presumptive Wis. Stat. § 134.98 notification-trigger event.

How All Green Recycling Operationalizes Wisconsin Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Wisconsin’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through Wisconsin Department of Natural Resources (Wisconsin DNR)-authorized channels, and audit-ready reporting.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy Wisconsin’s outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for sensitive data categories.

Certified Electronics Recycling

Certified electronics recycling routes retired electronic assets through Wisconsin Department of Natural Resources (Wisconsin DNR)-authorized channels and R2v3-aligned recyclers. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Wisconsin.

What is Wisconsin’s breach-notification deadline?

Within 45 days of discovery under Wis. Stat. § 134.98. Civil forfeitures run up to $1,000 per violation.

Does Wisconsin enumerate disposal methods?

Yes. Wis. Stat. § 134.97 requires shredding, erasing, or otherwise modifying records to make personal information unreadable or unusable. Certified data destruction satisfies the method-and-outcome standard.

Has Wisconsin adopted the NAIC Insurance Data Security Model Law?

Yes. The Wisconsin Insurance Data Security Act at Wis. Stat. § 601.955, effective March 1, 2022, adopts the NAIC model. Insurance licensees must maintain a written information security program with annual board certification.

Does Wisconsin have a comprehensive consumer privacy law?

No. Wisconsin has not enacted a comprehensive consumer data privacy act. Disposal and breach duties operate through § 134.98, § 134.97, and the Insurance Data Security Act.

Does Wisconsin have a private right of action?

No. Wisconsin’s breach-notification and records-disposal statutes provide for AG / DATCP enforcement only; there is no statutory private right of action. Common-law negligence and breach-of-contract claims may be available.

Does Wisconsin have a state e-waste recycling program?

Yes. E-Cycle Wisconsin at Wis. Stat. § 287.17 is a manufacturer-funded takeback program with a landfill ban on covered electronic devices. Enterprise bulk disposal routes through Wisconsin DNR-authorized channels and certified electronics recycling.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. NR 660-679 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by NR 673. Wisconsin DNR enforces civil penalties up to $25,000 per day per violation under § 291.97.

Which media-sanitization standard does Wisconsin accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. DOA-DET Information Security Policies reference NIST CSF.

What is the maximum penalty for a Wisconsin privacy violation?

Notice of Unauthorized Acquisition civil forfeitures run up to $1,000 per violation under § 134.98(4). Records-disposal forfeitures run up to $1,000 per violation under § 134.97(5). Insurance Data Security Act penalties under § 601.64 run up to $5,000 per violation. Wisconsin DNR hazardous-waste penalties under § 291.97 run up to $25,000 per day.

What is All Green Recycling’s certification posture for Wisconsin enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG or Wisconsin DNR examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and contracted-service safeguard terms.

Under Wisconsin Stat. § 134.98, does losing unencrypted hardware trigger breach notice?

Yes. Wis. Stat. § 134.98 defines breach as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information; physical loss of unencrypted media triggers the analysis.

Under Wisconsin Stat. § 134.98, what encryption and sanitization carve-outs apply?

§ 134.98 excludes encrypted data from the breach trigger. NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

Wisconsin Compliance as Risk Management

Wisconsin IT asset retirement is a layered risk-management discipline. The Wisconsin Insurance Data Security Act, effective March 1, 2022, implements the NAIC model with written information security program controls on insurance licensees, and E-Cycle Wisconsin imposes a landfill ban on covered electronic devices. Compliant retirement proves that data was rendered unreadable or unusable before custody transfer, that breach notice was given within 45 days, that insurance-licensee nonpublic information was handled under § 601.955 controls, and that hazardous fractions were handled under NR 660-679. Breach-notice civil forfeitures of up to $1,000 per violation, records-disposal forfeitures of up to $1,000 per violation, OCI penalties of up to $5,000 per violation, Wisconsin DNR daily penalties (up to $25,000), the HIPAA federal overlay, the FTC Disposal and Safeguards Rules, and audit-driven counterparty review all converge on the same set of records.

Wisconsin compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Wisconsin-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.