State Compliance · Maryland

ITAD in Maryland: The Disposal Law and the Breach Rules

Maryland funds electronics recycling through manufacturers, not a blanket landfill ban — but its breach-notification law is unusually strict, requiring notice to the Attorney General before you notify affected residents. Here's what that means for retiring IT equipment.

By Brian Boynton Updated 6 min read

TL;DR

Maryland channels covered-electronics recycling through a manufacturer-funded program, and businesses must route retired equipment to compliant recyclers rather than landfill it. Its Personal Information Protection Act then requires notifying the Attorney General before affected residents — so documented destruction is the cleaner path.

  • Maryland's Statewide Computer Recycling Program funds covered-electronics recycling through manufacturer registration and fees.
  • There is no blanket consumer landfill ban, but federal RCRA, HIPAA, and GLBA disposal duties apply to business equipment.
  • The Personal Information Protection Act requires notifying the Attorney General before affected residents, within 45 days.
  • A serialized certificate of destruction keeps a retirement event from becoming a notification event.

01 / THE DISPOSAL LAWMaryland's recycling program

Maryland addresses electronics through the Statewide Computer Recycling Program, a producer-responsibility model in which manufacturers of covered electronic devices register with the Maryland Department of the Environment and pay annual fees that fund county collection and recycling. Unlike Pennsylvania, Maryland does not impose a single statewide landfill ban on all covered electronics — but that is not a license to dumpster old equipment.

Business IT equipment routinely contains components regulated as hazardous waste, and improper disposal is enforceable under federal RCRA rules regardless of state e-waste specifics. For any organization, the practical obligation is the same: route retired covered electronics to a compliant recycler and keep documentation. Bottom line: Maryland makes recycling the funded default; data-bearing business equipment should never reach a landfill.

02 / THE BREACH LAWMaryland's notify-the-AG-first rule

Maryland's Personal Information Protection Act (Md. Code, Com. Law § 14-3504) is stricter than most. A business that experiences a breach of Maryland residents' personal information must notify affected individuals within 45 days — and must notify the Office of the Attorney General before it notifies those individuals. Consumer reporting agencies must be told when more than 1,000 residents are affected.

Maryland has also expanded "personal information" to reach health and medical information and biometric data, so retired healthcare and access-control equipment is squarely in scope. A lost or stolen unsanitized drive can be the breach. Bottom line: data sanitized to NIST 800-88 with documentation is not exposed data — the cleanest way to stay out of the AG-notification path.

03 / WHAT IT MEANSOne certified process satisfies both

Read together, Maryland's rules point the same direction. An organization retiring IT equipment in Maryland has to handle the device lawfully (recycling is the funded default, and federal hazardous-waste rules apply) and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.

That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across Maryland and all 50 states with on-site and facility-based destruction and documented recycling.

04 / SOURCESWhere this comes from

  • Maryland breach law — PIPA (Md. Code, Com. Law § 14-3504); see IAPP state breach-notification chart — source
  • Maryland & state e-waste programs — ERI state e-waste legislation overview — source

This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.

05 / FAQFrequently asked questions

Can a Maryland business throw old computers in the trash?
Covered electronics should be recycled through compliant programs, not landfilled. Even without a single statewide ban, federal RCRA hazardous-waste rules and data-protection duties make dumpster disposal of business IT equipment a serious risk.

How does Maryland fund electronics recycling?
Through the Statewide Computer Recycling Program, a producer-responsibility model where manufacturers register and pay fees that fund county collection and recycling.

When must a Maryland organization report a data breach?
Within 45 days to affected residents, and to the Attorney General before notifying those residents. Consumer reporting agencies are notified when more than 1,000 residents are affected.

Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.