Businesses in North Dakota face evolving requirements for securing, destroying, and disposing of digital data and electronic assets. This guide breaks down what you must know about North Dakota data security laws, digital media destruction, and e-waste compliance so your organization can mitigate risk and stay fully compliant in 2025.

North Dakota Data Security Laws: What Every Business Must Know

North Dakota does not have a comprehensive consumer data privacy law. However, the state enforces strict breach notification statutes and has adopted specialized security and notification programs for financial and insurance sectors:

General Breach Notification Law (N.D. Century Code § 51-30):

Any business or government entity that owns or licenses computerized personal information of North Dakota residents must notify affected individuals of a breach “in the most expedient time possible and without unreasonable delay.” If more than 250 residents are impacted, the North Dakota Attorney General must also be notified. There is no harm threshold, and substitute notification (media release) is allowed for large-scale incidents. Third-party data maintainers must promptly alert data owners. Full law text: ND Century Code Chapter 51-30 PDF.

Financial Institutions (H.B. 1127/§ 13-01.2, Effective August 1, 2025):

Non-bank financial services companies must maintain comprehensive information security programs that include risk assessments, encryption, access controls, incident response, annual board reports, and employee training. Data breaches impacting 500+ customers require notification to the Department of Financial Institutions within 45 days. H.B. 1127 text at LegiScan.

Insurance Companies (S.B. 2075):

Insurers must comply with cybersecurity requirements, including information security governance and breach notification to the Insurance Commissioner within three business days. They must certify compliance annually. Details: ND Insurance Dept. Cybersecurity Guidance.

State Agencies and K-12 Schools:

North Dakota’s Information Technology Department requires executive branch agencies to conduct risk assessments, implement IT security controls, and report cyber incidents (NDIT Cybersecurity). K-12 cybersecurity standards are educational, not regulatory, but reinforce the importance of digital data hygiene.

Federal Compliance Crosswalk:

Entities regulated under HIPAA, the Gramm-Leach-Bliley Act, or similar federal rules are considered compliant with state data security and notification requirements.

Hard Drive & Digital Media Disposal: Legal and Practical Requirements

North Dakota does not specify particular methods for digital data destruction, but state law requires that data breach risks be eliminated by preventing unauthorized access to personal information on retired, discarded, or recycled IT assets. This places the full burden of secure disposal squarely on asset owners, especially in sectors subject to federal regulation or servicing large volumes of sensitive data.

Key Points:

Proper Data Destruction Is Mandatory:

Merely deleting files or throwing drives away is not compliant. You must render data irretrievable before disposal or resale.

Sector-Specific Mandates:

Financial and insurance entities must maintain auditable data destruction and asset disposal practices as a core part of their information security programs. Non-compliance can result in loss of licensure.

Regulatory Harmonization:

Use of standards such as NIST SP 800-88 is best practice and provides solid defense if audited or investigated after a data breach. The NIST approach requires either digital erasure (“purge”) or physical destruction (“destroy”) of hard drives and digital media.

Practical Steps for Hard Drive Disposal:

Inventory and chain of custody tracking: Document each device from retirement to destruction or recycling.
Data sanitization: For HDDs, this may mean degaussing or data wiping. For SSDs and flash, use physical destruction.
Certificate of destruction: Obtain legally-defensible documentation listing serial numbers, method, and witness details for destroyed assets (key for regulated sectors).
Outsource to certified providers: Use a NAID AAA certified vendor to ensure proper protocols are followed.

Electronic Waste Recycling Rules in North Dakota

North Dakota does not have a mandatory statewide e-waste recycling law for electronics (computers, hard drives, servers, etc.). However, several rules and guidelines apply:

No Landfill Ban for Most E-Waste:

Households may dispose of electronics in landfills, but disposal is discouraged, especially for business electronics, due to data risk and environmental harm. Municipalities may have stricter rules.

Landfill Prohibitions for Hazards:

Appliances containing refrigerants, lead-acid batteries, and other hazardous materials are banned from landfills under Solid Waste Management Chapter 23.1-08; e-waste with hazardous components (e.g., CRTs, batteries) may be considered hazardous waste and require special handling.

Voluntary and Local Recycling:

The North Dakota DEQ promotes e-waste recycling via local drop-off events and retail collection points (list here). Some cities offer free electronics recycling at landfills (see Bismarck Recycling, Minot Hazardous Waste).

Universal Waste & Federal Rules:

Universal waste rules apply to batteries and mercury from electronics. When handling significant e-waste volumes, businesses and organizations must comply with hazardous waste regulations (ND Hazardous Waste Program).

Best Practices for Secure IT Asset Disposition

Even without blanket e-waste or destruction mandates, North Dakota organizations expose themselves to civil penalties, regulatory action, and catastrophic data breach costs if end-of-life media is mishandled. The IBM Cost of a Data Breach Report shows breach costs trending ever higher (IBM report). Follow these best practices:

Adopt NIST SP 800-88 media sanitization standards to ensure data is irretrievable before asset recycling, resale, or disposal (NIST guidelines).
Implement chain of custody for all retired assets—track location, handling, and destruction status; insist on a certificate of destruction that documents compliance.
Choose a NAID AAA Certified vendor for hard drive shredding, degaussing, or secure data wiping.
Separate electronic waste from regular scrap and hazardous materials; follow DEQ metal appliance and scrap metal recycling guidelines for asset demanufacturing.
Confirm your provider’s environmental and regulatory compliance (e.g., R2v3 responsible recycling standards), especially for business or public-sector assets.

Why North Dakota Organizations Choose Data Destruction, Inc.

When regulatory frameworks are fragmented, the burden on risk management and compliance is even higher. Data Destruction, Inc. is the proven partner for secure digital data destruction and IT asset disposition in North Dakota:

Full NIST SP 800-88 alignment: Our sanitization and destruction methods meet or exceed the gold standard, ensuring compliance with state, federal, and industry regulations.
NAID AAA Certification: Our facilities and processes are subject to rigorous third-party auditing (NAID Certified Hard Drive Destruction).
Defensible documentation: Receive detailed Certificates of Destruction, clear chain of custody, and audit trails—essential for regulatory or legal defense.
On-site and off-site options: We offer secure mobile hard drive shredding statewide, including witnessed destruction at your facility.
End-to-end environmental compliance: Our disposal partners recycle electronic waste responsibly per EPA and R2v3 guidelines.
Expert compliance guidance: Lean on our decades of experience serving financial institutions, healthcare providers, public agencies, and enterprises across North Dakota.

Move beyond minimum compliance—secure your reputation and eliminate data risk with Data Destruction, Inc.

Frequently Asked Questions

What is required by North Dakota law for digital data destruction?

The law mandates entities to prevent unauthorized access to personal data by ensuring data is irretrievable before disposal. Specific methods are not prescribed, but standards like NIST SP 800-88 are recognized best practice.

Can I throw away old hard drives in North Dakota?

Households may landfill electronics, but it carries significant data and environmental risk. Businesses should never landfill hard drives without secure data destruction and should use a certified provider.

Does North Dakota require e-waste recycling?

No. There is no mandatory e-waste recycling law for most electronics. However, some items—like appliances and certain hazardous components—are banned from landfills. Voluntary recycling is strongly encouraged.

How do notification requirements differ for financial institutions?

Regulated non-bank financial companies must report breaches exceeding 500 customers within 45 days and operate comprehensive security programs per H.B. 1127. Insurers must notify breaches within three business days.

What documentation do I need for secure data destruction?

Maintain chain of custody records and obtain a certificate of destruction with device serial numbers, date, method, and witness details.

Are there local restrictions on e-waste disposal in North Dakota?

Some cities (e.g., Bismarck, Minot) operate electronics recycling programs and may have stricter landfill policies for e-waste.

Which data destruction method is best for hard drives and SSDs?

For traditional HDDs, data wiping or degaussing is compliant, but for SSDs and flash memory, physical shredding is the only NIST-validated method.

What penalties apply for non-compliance with North Dakota security and breach laws?

Violations are enforced as deceptive trade practices, subject to civil penalties and loss of licensure for regulated entities.

How should businesses manage IT asset disposition and e-waste under hazardous waste rules?

Businesses generating significant e-waste volumes are regulated as hazardous waste generators and must follow ND hazardous waste program storage, transport, and disposal requirements.

Does compliance with federal laws like HIPAA or GLBA satisfy North Dakota requirements?

Yes, regulated entities that follow federal breach and data protection rules are considered compliant with state requirements, but must still meet all notification timelines.