There is no single national law for retiring IT equipment in the United States. There's a patchwork. Twenty-five states plus the District of Columbia regulate how covered electronics can be disposed of. Thirty-two states require businesses to securely destroy records containing personal information before they're discarded. And all fifty states require you to notify people when a data breach exposes that information.
Then your industry stacks federal rules on top of the state ones. Healthcare answers to HIPAA. Financial services to GLBA and the FTC Safeguards Rule. Schools to FERPA. Defense and aerospace contractors to CMMC, DFARS, and ITAR. The same pallet of retired hardware can carry a completely different rulebook depending on who you are and where you operate.
The exposure is the layer you didn't know applied — a laptop left in a closet in a state with a disposal statute, holding records your industry's federal rule says must be destroyed. That's how a forgotten drive becomes a reportable breach. The fix isn't memorizing fifty statutes. It's knowing, for your states and your industry, exactly which rules apply — and keeping the documentation that proves you followed them.
State counts and statute references above are current as of June 2026 and simplified for general guidance. Laws change — do your own research and verify the rules for your state and industry with your own legal and compliance teams. This isn't legal advice.
The Compliance Map pulls your states and your industry into one view — recycling, data disposal, breach notification, and the federal frameworks on top.