3.3.2. Data Retention and Legal Holds
💡 First Principle: Every piece of data your organization holds is a potential liability — for breach, for regulatory penalties, for litigation discovery. Keeping data longer than required by law or business need increases your exposure without adding value. Retention schedules exist to systematically eliminate unnecessary exposure by destroying data when the requirement for keeping it ends.
Retention schedule design:
| Data Type | Typical Regulatory Driver | Minimum Retention | Who Decides |
|---|---|---|---|
| Financial records | SOX, IRS requirements | 7 years | Legal + Finance |
| HR / Employment records | EEOC, state employment law | Varies (3–7 years) | HR + Legal |
| Healthcare records | HIPAA, state medical records law | 6+ years from creation | Compliance + Legal |
| Payment card data | PCI DSS | Cardholder data: only as long as a documented business need exists (sensitive authentication data never after authorization); audit logs: 12 months, 3 months immediately available | Security + Legal |
| Security / audit logs | Varies (HIPAA requires 6 years) | 1–7 years depending on framework | Security + Compliance |
| Email (general) | No universal requirement | Business need + legal hold | Legal |
| Email (regulated industries) | SEC, FINRA, FCA | 3–7 years | Compliance + Legal |
Legal holds (litigation holds):
When litigation is reasonably anticipated, organizations must issue a legal hold — a directive to preserve all potentially relevant evidence and suspend normal retention schedules for that evidence. Destroying evidence after litigation is anticipated is spoliation — courts can impose severe sanctions:
- Adverse inference instruction (jury told to assume destroyed evidence was harmful)
- Dismissal of claims or defenses
- Monetary sanctions
- Default judgment against the spoliating party
Legal hold process:
- Counsel identifies litigation trigger (lawsuit filed, investigation opened, or litigation "reasonably anticipated")
- Legal hold notice issued to custodians of potentially relevant data
- IT systems configured to prevent auto-deletion of in-scope data
- Regular reminders sent to custodians
- Hold released only when litigation fully resolves
💡 Key Point: Legal holds override retention schedules. If a 3-year-old email would normally be deleted under your retention policy, but it falls within the scope of a legal hold, it must be preserved regardless of the normal schedule.
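The process steps above only work if the automated purge job actually consults the hold registry before it deletes anything. The following is an added example, not code from the original page: a small retention planner that applies a hypothetical retention schedule but lets any active legal hold override it, fails closed for data types that have no schedule, and treats a released hold as no longer protecting. The schedule values, record types, custodian IDs and hold IDs are constructed for illustration.

```python
"""Retention purge planner that honors legal holds (added, hypothetical example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

# Hypothetical retention schedule: days counted from the retention trigger event
# (fiscal year end, account termination date, log write time, ...).
RETENTION_DAYS = {
    "financial": 7 * 365,      # 7 years, as in the table above
    "email_terminated": 90,    # terminated-employee mailbox, 90 days after termination
    "audit_log": 365,          # 12 months
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    custodian: str
    retention_start: date   # event the retention clock runs from


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset                 # custodians whose data is in scope
    data_types: frozenset = frozenset()   # empty means every data type of those custodians
    issued: Optional[date] = None         # date counsel issued the hold (trigger date)
    released: Optional[date] = None       # None while litigation is unresolved

    def is_active(self, today: date) -> bool:
        if self.issued is None or self.issued > today:
            return False
        return self.released is None or self.released > today

    def covers(self, record: Record, today: date) -> bool:
        if not self.is_active(today):
            return False
        if record.custodian not in self.custodians:
            return False
        return not self.data_types or record.data_type in self.data_types


def plan_purge(records: Iterable[Record], holds: Iterable[LegalHold], today: date) -> Dict[str, str]:
    """Decide, per record, whether the purge job may delete it today.

    Holds are evaluated first so that a hold always overrides the schedule.
    Unknown data types are never deleted (fail closed).
    """
    holds = list(holds)
    decisions: Dict[str, str] = {}
    for rec in records:
        holding = sorted(h.hold_id for h in holds if h.covers(rec, today))
        if holding:
            decisions[rec.record_id] = "hold:" + ",".join(holding)
            continue
        days = RETENTION_DAYS.get(rec.data_type)
        if days is None:
            decisions[rec.record_id] = "retain:no-schedule"
            continue
        expires = rec.retention_start + timedelta(days=days)
        decisions[rec.record_id] = "delete" if expires <= today else "retain:schedule"
    return decisions


# Constructed sample data: r1 is the mailbox of a terminated employee whose
# EEOC complaint triggered hold H-2024-007; r2 belongs to a custodian whose
# earlier hold was released; r6 has a data type with no schedule.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "email_terminated", "e1001", date(2024, 1, 15)),
    Record("r2", "email_terminated", "e2002", date(2024, 1, 15)),
    Record("r3", "email_terminated", "e3003", date(2024, 5, 20)),
    Record("r4", "financial", "finance", date(2015, 1, 1)),
    Record("r5", "financial", "finance", date(2020, 1, 1)),
    Record("r6", "hr_file", "e4004", date(2010, 1, 1)),
]
SAMPLE_HOLDS = [
    LegalHold("H-2024-007", frozenset({"e1001"}), issued=date(2024, 3, 1)),
    LegalHold("H-2023-002", frozenset({"e2002"}), issued=date(2023, 1, 1), released=date(2023, 12, 1)),
]


def demo() -> Dict[str, str]:
    return plan_purge(SAMPLE_RECORDS, SAMPLE_HOLDS, TODAY)


if __name__ == "__main__":
    for record_id, decision in demo().items():
        print(record_id, decision)
```

The point of the ordering is that the hold check runs before the schedule check and is scoped by custodian rather than by individual item, so a hold issued on the day a complaint letter arrives protects everything that custodian owns, including mailboxes the 90-day purge would otherwise remove. In production the hold registry should be the system of record maintained by Legal, and a purge run that cannot read it should abort rather than proceed.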
⚠️ Exam Trap: The obligation to implement a legal hold arises when litigation is reasonably anticipated, not only when it is filed. If a company receives a letter threatening legal action, the hold obligation exists even if no suit has been filed yet. Data destroyed in the interval between the threat and the formal filing is still spoliation, so waiting for the lawsuit before implementing the hold is itself the failure.
Reflection Question: An employee is terminated and files a wrongful termination complaint with the EEOC. Before a lawsuit is filed, the IT department runs the monthly automated purge that deletes all terminated employee email accounts older than 90 days. The employee's email account is deleted. What legal risk has the organization created, and what process failure allowed it to happen?