State Compliance · Virginia

ITAD in Virginia: The Disposal Law and the Breach Rules

Virginia requires computer manufacturers to run recovery programs but sets no landfill ban, putting disposal responsibility on the generator. Its breach law requires Attorney General notice and adds a separate rule for medical data. Here's what that means for retiring IT equipment.

By Brian Boynton Updated 6 min read

TL;DR

Virginia's Computer Recovery and Recycling Act puts recovery on manufacturers but sets no landfill ban, so the disposal duty falls to the organization plus federal rules. Its breach law requires Attorney General notice, with a separate provision for medical information.

  • Virginia's Computer Recovery and Recycling Act requires manufacturer recovery for computers — but sets no statewide landfill ban.
  • Disposal responsibility falls on the generator, with federal RCRA, HIPAA, and GLBA duties on top.
  • A breach requires notice without unreasonable delay and Attorney General notice, with a separate rule when medical information is involved.
  • A serialized certificate of destruction is the record that closes the loop.

01 / THE DISPOSAL LAWVirginia's recovery act

Virginia's Computer Recovery and Recycling Act requires computer manufacturers to implement recovery and recycling programs available to the state's residents. It is narrower than the comprehensive programs — centered on computers — and Virginia sets no statewide landfill ban on covered electronics.

That means disposal responsibility falls largely on the generator. Business IT equipment with hazardous components is governed by federal RCRA, and data-bearing devices carry HIPAA and GLBA duties. Bottom line: in Virginia the practical obligation is to route retired equipment to a compliant recycler and document it — the state leaves the responsibility with you.

02 / THE BREACH LAWAG notice, plus a medical-data rule

Virginia's breach-notification statute (Va. Code § 18.2-186.6) requires notifying affected residents without unreasonable delay and notifying the Office of the Attorney General. A separate provision addresses breaches involving medical information, bringing in the AG and the state Commissioner of Health. Consumer reporting agencies are notified when notice goes to more than 1,000 residents.

A lost or stolen unsanitized drive holding residents' personal or medical information can trigger these duties. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data — the cleanest way to keep a retirement event out of the AG's inbox.

03 / WHAT IT MEANSOne certified process satisfies both

Read together, Virginia's rules point the same direction. An organization retiring IT equipment in Virginia has to handle the device lawfully (no statewide landfill ban, so the duty falls on the generator) and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.

That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across Virginia and all 50 states with on-site and facility-based destruction and documented recycling.

04 / SOURCESWhere this comes from

  • Virginia breach law (Va. Code § 18.2-186.6); see IAPP state breach-notification chart — source
  • Virginia Computer Recovery and Recycling Act — ERI state e-waste legislation overview — source

This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.

05 / FAQFrequently asked questions

Does Virginia ban electronics from landfills?
No. Virginia's Computer Recovery and Recycling Act requires manufacturer recovery for computers but sets no statewide landfill ban; federal RCRA rules still govern much business IT equipment.

Who is responsible for IT disposal in Virginia?
With no landfill ban, disposal responsibility falls largely on the organization generating the equipment, plus federal hazardous-waste and data-protection duties.

When must a Virginia organization report a data breach?
Without unreasonable delay to affected residents and to the Attorney General, with a separate rule for breaches involving medical information.

Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.