Massachusetts Data Destruction Compliance Guide for Businesses
Massachusetts has some of the strictest data privacy laws in the country. This guide explains what the law requires from businesses when disposing of hardware — in plain English, without the legal jargon.
- Why hardware disposal is a compliance issue
- Massachusetts 201 CMR 17.00 — what it requires
- Written Information Security Programs (WISP)
- Federal frameworks that apply to MA businesses
- What NIST 800-88 compliant destruction actually means
- Industry-specific requirements
- Compliance checklist for hardware disposal
- What documentation you should keep
Why hardware disposal is a compliance issue
Most businesses think about data security in terms of cybersecurity — firewalls, passwords, encryption. What they underestimate is the risk sitting in the IT closet: old laptops, retired servers, replaced desktops, and decommissioned copiers that still contain years of sensitive business data.
Simply deleting files doesn't remove data. Reformatting a drive doesn't remove data. Even donating equipment to charity with a "factory reset" doesn't reliably remove data. With widely available forensic recovery tools, data on improperly wiped drives can be recovered in minutes.
That's not a theoretical risk. It's the mechanism behind a significant share of real-world data breaches — and under Massachusetts law, it's your legal responsibility to prevent it.
Under Massachusetts law, a data breach caused by improperly disposed hardware is treated the same as one caused by a cyberattack. The liability is the same. The notification requirements are the same. The penalties are the same.
Massachusetts 201 CMR 17.00 — what it requires
Massachusetts 201 CMR 17.00, the Standards for the Protection of Personal Information of Residents of the Commonwealth, applies to any business — regardless of size or location — that owns, licenses, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents.
"Personal information" under 201 CMR 17.00 means a Massachusetts resident's first name (or first initial) and last name, combined with any of the following:
- Social Security number
- Driver's license or state ID number
- Financial account number, credit card number, or debit card number
If your business handles any combination of this information — and virtually every business with employees or customers does — you are covered.
What 201 CMR 17.00 says about disposal
The regulation explicitly requires that businesses properly dispose of records containing personal information. For physical records, this means shredding or other destruction. For electronic records — including data stored on hard drives, SSDs, flash drives, copiers, and any other digital media — it means permanent, irreversible destruction of the data.
The regulation does not specify a particular technical method, but it requires that disposal be done in a way that makes data unreadable and unrecoverable. NIST Special Publication 800-88 is the federal standard that defines what "unreadable and unrecoverable" means in practice — and it is the benchmark that auditors, regulators, and courts reference.
201 CMR 17.00 applies to every business that handles personal information of Massachusetts residents — including businesses headquartered outside Massachusetts. If you have Massachusetts customers or employees, you are covered.
Written Information Security Programs (WISP)
One of the most significant requirements of 201 CMR 17.00 is that covered businesses must develop, implement, and maintain a comprehensive Written Information Security Program — commonly called a WISP.
A WISP must, among other things, address the disposal of personal information. Specifically, it must include procedures for the secure disposal or destruction of paper and electronic records containing personal information when those records are no longer needed.
What your WISP should say about hardware disposal
At minimum, your WISP's hardware disposal section should document:
- The types of devices that may contain personal information (laptops, desktops, servers, copiers, phones, USB drives, etc.)
- The approved method of data destruction for each device type
- Who is responsible for coordinating and overseeing hardware disposal
- The documentation you retain as proof of compliant disposal
- The vendor or service you use for data destruction, and their qualifications
A Certificate of Destruction from a qualified vendor — documenting the date, method, and devices destroyed — is the standard form of proof that your WISP disposal procedures were followed. Keep these records.
Federal frameworks that apply to Massachusetts businesses
In addition to 201 CMR 17.00, Massachusetts businesses in regulated industries are subject to one or more federal frameworks that carry their own hardware disposal requirements. Here's how the major ones apply:
If your firm works with healthcare clients, you may qualify as a HIPAA Business Associate — making you subject to HIPAA hardware disposal requirements in addition to your state bar obligations and GLBA. This is a frequently overlooked exposure for professional services firms in Massachusetts.
What NIST 800-88 compliant destruction actually means
NIST Special Publication 800-88, Guidelines for Media Sanitization, defines three levels of data destruction. Understanding which level applies to your situation is important — and the answer depends on the sensitivity of the data and whether the device will be reused.
Clear
Software-based overwriting using standard write commands. Suitable for devices that change hands but remain within a trusted environment — for example, a laptop being reassigned to a different department. Not appropriate for devices leaving your organization permanently.
Purge
More intensive techniques — cryptographic erasure, block erase, or overwrite methods that render data recovery infeasible even with advanced laboratory tools. Appropriate for most devices being retired and sent off-site for recycling or resale.
Destroy
Physical destruction of the media — shredding, disintegration, incineration, or pulverization. Used when the device cannot be reused, when the data sensitivity demands it, or when there is no reliable way to verify that Purge was successful (as is the case with some SSD and flash storage architectures).
For most Massachusetts businesses retiring laptops, desktops, and servers with sensitive data, Purge or Destroy is the appropriate standard. For devices containing PHI, financial account data, or attorney-client communications, Destroy (physical shredding) is the safest choice. When in doubt, shred.
Industry-specific requirements in Massachusetts
Healthcare and medical offices
HIPAA requires covered entities and Business Associates to implement policies and procedures for the final disposition of electronic protected health information (ePHI) and the hardware or electronic media on which it is stored. This means every device that ever touched patient data — computers, servers, tablets, phones, even copiers — must be properly sanitized or destroyed before disposal. A Certificate of Destruction is your evidence of compliance. Learn more about secure electronics recycling in Greater Boston.
Financial services and accounting firms
The FTC's updated GLBA Safeguards Rule, which took full effect in 2023, requires covered financial institutions to implement a comprehensive information security program that includes proper disposal of customer information. This applies to the physical devices on which that information is stored — not just the data itself. Accountants and tax preparers are explicitly covered.
Law firms
The Massachusetts Rules of Professional Conduct require attorneys to make reasonable efforts to prevent the unauthorized disclosure of client information. The Massachusetts Bar Association has issued guidance making clear that this obligation extends to electronic data and hardware. Improper disposal of a device containing client files is a potential disciplinary issue — not just a technical oversight. Our data destruction service provides the documented chain of custody that law firms need.
Schools and educational institutions
FERPA requires educational institutions to protect the privacy of student education records. When devices containing those records are retired, they must be properly sanitized. Many Massachusetts school districts and universities also maintain their own data governance policies that exceed FERPA's baseline requirements.
Compliance checklist for hardware disposal
Use this checklist when retiring IT equipment at your Massachusetts business. Print it, save it, or add it to your WISP as your standard hardware disposal procedure.
- Inventory all devices to be retired — Document make, model, serial number, and assigned user for every device.
- Identify all data-bearing components — Hard drives, SSDs, USB drives, SD cards, copier drives, and phone storage all count.
- Determine appropriate destruction method — Purge for most devices; Destroy (physical shredding) for high-sensitivity data or SSDs.
- Engage a qualified vendor — Use a vendor who follows NIST 800-88 and provides documentation. Verify their process before you hand over equipment.
- Obtain a signed pickup receipt — Document what was collected, when, and by whom at the time of pickup.
- Request serialized tracking if required — For high-sensitivity jobs, ask for drive-level tracking by serial number from pickup through destruction.
- Obtain a Certificate of Destruction — This is your proof of NIST 800-88 compliant disposal. File it with your WISP records.
- Update your asset inventory — Remove retired devices from your IT asset register.
- Document in your WISP — Record the disposal in your Written Information Security Program as required by 201 CMR 17.00.
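As an added example, not part of the original guide or any vendor's tooling, the following Python reconciles a retirement inventory against a vendor's Certificate of Destruction and checks each drive's reported method against the Clear/Purge/Destroy guidance above. The drive records, serial numbers and method labels are constructed for illustration.

```python
from dataclasses import dataclass

HIGH_SENSITIVITY = {"PHI", "financial", "attorney-client"}  # page: Destroy
LEVEL_RANK = {"Clear": 0, "Purge": 1, "Destroy": 2}

@dataclass
class Drive:
    serial: str       # inventory step: serial of the data-bearing component
    media: str        # "HDD" or "SSD"
    sensitivity: str  # "PHI", "financial", "attorney-client" or "general"

def required_level(d: Drive) -> str:
    """Minimum NIST 800-88 level for a retired drive. Clear is for internal
    reassignment only, so the floor is Purge; SSDs and sensitive data need Destroy."""
    if d.sensitivity in HIGH_SENSITIVITY or d.media == "SSD":
        return "Destroy"
    return "Purge"

def reconcile(inventory, certificate):
    """Compare the retirement inventory with the vendor's Certificate of
    Destruction (serial -> reported method); return (serial, finding) pairs."""
    findings = []
    for d in inventory:
        method = certificate.get(d.serial)
        need = required_level(d)
        if method is None:
            findings.append((d.serial, "missing from Certificate of Destruction"))
        elif method not in LEVEL_RANK:
            findings.append((d.serial, f"unrecognised method {method!r}"))
        elif LEVEL_RANK[method] < LEVEL_RANK[need]:
            findings.append((d.serial, f"{method} below required {need}"))
    for serial in sorted(set(certificate) - {d.serial for d in inventory}):
        findings.append((serial, "on certificate but not in inventory"))
    return findings

INVENTORY = [  # constructed sample: a four-drive retirement batch
    Drive("SN-HDD-0001", "HDD", "general"),
    Drive("SN-HDD-0002", "HDD", "PHI"),
    Drive("SN-SSD-0003", "SSD", "general"),
    Drive("SN-HDD-0004", "HDD", "financial"),
]
CERTIFICATE = {  # constructed sample: what the vendor's CoD reports
    "SN-HDD-0001": "Purge",
    "SN-HDD-0002": "Purge",    # PHI drive only purged: flagged
    "SN-SSD-0003": "Destroy",
    "SN-HDD-9999": "Destroy",  # serial not in our inventory: flagged
}                              # SN-HDD-0004 is absent from the CoD: flagged

def audit():
    return reconcile(INVENTORY, CERTIFICATE)
```

Any finding returned by `audit()` is a reason to hold the WISP disposal record open until the vendor corrects the certificate or the drive is located.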
What documentation you should keep
If you're ever subject to a data breach investigation, regulatory audit, or legal proceeding, your documentation of proper hardware disposal is what stands between you and liability. At minimum, keep:
- Certificate of Destruction — Issued by your vendor after destruction is complete. Specifies the date, method, and devices destroyed.
- Signed pickup receipt — Documents what was collected and when. Establishes chain of custody from the moment equipment left your facility.
- Serialized drive log — For high-sensitivity jobs, a record of every drive by serial number from pickup through destruction.
- Vendor qualifications — Documentation that your vendor follows NIST 800-88 and works with certified downstream processors.
- WISP disposal records — Your internal record that disposal procedures were followed, per 201 CMR 17.00 requirements.
How long should you keep these records? Massachusetts 201 CMR 17.00 does not specify a retention period for disposal records, but standard guidance is to retain them for a minimum of three years, and longer if your industry has specific record retention requirements (HIPAA requires six years for policies and procedures).
Need a documented, compliant disposal process for your Massachusetts business?
Techcycle Solutions provides NIST 800-88 compliant data destruction, secure electronics recycling, and ITAD pickup for businesses across Greater Boston. Every job includes a signed pickup receipt and Certificate of Destruction — the documentation your WISP requires. Based in Waltham, MA.