01 / THE DISPOSAL LAW: New York's disposal ban
New York's Electronic Equipment Recycling and Reuse Act requires manufacturers to provide free, convenient recycling for covered electronics — computers, televisions, monitors, keyboards, mice, and printers — and since January 1, 2015 bans the disposal of those devices in landfills or regular trash. The ban applies to consumers and businesses alike.
Enforcement has teeth for organizations: improper business disposal can draw civil penalties plus cleanup costs. Federal RCRA, HIPAA, and GLBA duties apply on top. Bottom line: in New York, covered electronics cannot lawfully be landfilled — you need a recycler that handles them and documents it.
02 / THE BREACH LAW: The SHIELD Act's three-agency rule
New York's breach-notification law (Gen. Bus. Law § 899-aa), strengthened by the SHIELD Act, requires notifying affected residents within 30 days, a firm deadline added by a December 2024 amendment. It also requires notifying three state bodies (the Attorney General, the Department of State, and the State Police) regardless of the number affected; financial entities regulated by NYDFS must also notify that agency. The SHIELD Act broadened "private information" to include biometric data and account credentials, and imposes reasonable-security obligations.
An unsanitized drive that leaves the building with residents' private information can trigger all of it. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data — the cleanest way to avoid a three-agency notification.
03 / WHAT IT MEANS: One certified process satisfies both
Read together, New York's rules point the same direction. An organization retiring IT equipment in New York has to handle the device lawfully — covered electronics are banned from disposal — and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.
That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across New York and all 50 states with on-site and facility-based destruction and documented recycling.
04 / SOURCES: Where this comes from
- New York breach law (Gen. Bus. Law § 899-aa) & SHIELD Act; see IAPP state breach-notification chart
- New York Electronic Equipment Recycling and Reuse Act; see ERI state e-waste legislation overview
This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.
05 / FAQ: Frequently asked questions
Can a New York business throw old computers in the trash?
No. Since January 1, 2015, the Electronic Equipment Recycling and Reuse Act bans disposal of covered electronics. Improper business disposal can draw civil penalties plus cleanup.
Who pays for electronics recycling in New York?
Manufacturers must provide free, convenient recycling for covered devices; businesses must still route equipment to compliant recyclers.
When must a New York organization report a data breach?
Affected residents must be notified within 30 days, and the Attorney General, Department of State, and State Police must all be notified, regardless of the number affected.
Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.