01 / THE DISPOSAL LAWVirginia's recovery act
Virginia's Computer Recovery and Recycling Act requires computer manufacturers to implement recovery and recycling programs available to the state's residents. It is narrower than the comprehensive programs — centered on computers — and Virginia sets no statewide landfill ban on covered electronics.
That means disposal responsibility falls largely on the generator. Business IT equipment with hazardous components is governed by federal RCRA, and data-bearing devices carry HIPAA and GLBA duties. Bottom line: in Virginia the practical obligation is to route retired equipment to a compliant recycler and document it — the state leaves the responsibility with you.
02 / THE BREACH LAWAG notice, plus a medical-data rule
Virginia's breach-notification statute (Va. Code § 18.2-186.6) requires notifying affected residents without unreasonable delay and notifying the Office of the Attorney General. A separate provision addresses breaches involving medical information, bringing in the AG and the state Commissioner of Health. Consumer reporting agencies are notified when notice goes to more than 1,000 residents.
A lost or stolen unsanitized drive holding residents' personal or medical information can trigger these duties. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data — the cleanest way to keep a retirement event out of the AG's inbox.
03 / WHAT IT MEANSOne certified process satisfies both
Read together, Virginia's rules point the same direction. An organization retiring IT equipment in Virginia has to handle the device lawfully (no statewide landfill ban, so the duty falls on the generator) and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.
That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across Virginia and all 50 states with on-site and facility-based destruction and documented recycling.
04 / SOURCESWhere this comes from
- Virginia breach law (Va. Code § 18.2-186.6); see IAPP state breach-notification chart — source
- Virginia Computer Recovery and Recycling Act — ERI state e-waste legislation overview — source
This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.
05 / FAQFrequently asked questions
Does Virginia ban electronics from landfills?
No. Virginia's Computer Recovery and Recycling Act requires manufacturer recovery for computers but sets no statewide landfill ban; federal RCRA rules still govern much business IT equipment.
Who is responsible for IT disposal in Virginia?
With no landfill ban, disposal responsibility falls largely on the organization generating the equipment, plus federal hazardous-waste and data-protection duties.
When must a Virginia organization report a data breach?
Without unreasonable delay to affected residents and to the Attorney General, with a separate rule for breaches involving medical information.
Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.