N2CON TECHNOLOGY

Data Retention Policy: Governance & Compliance

Data retention is not just an IT problem—it is a governance and legal issue that spans operations, compliance, and risk management. While backups provide one layer of protection, a complete retention strategy addresses live data, email archives, SaaS governance, legal holds, and industry-specific requirements that may extend far beyond what any backup system can provide.

Note: This is general information and not legal advice.

Last reviewed: March 2026

Executive Summary

What it is
A governance framework defining what data to keep, how long to keep it, when to delete it, and how to handle exceptions like legal holds.
Why it matters
  • Industry regulations mandate specific retention periods (often 3-7+ years).
  • Litigation and audits require accessible historical records.
  • Over-retention increases storage costs, breach exposure, and discovery burden.
  • Under-retention results in sanctions, compliance failures, and lost institutional knowledge.
  • Backups alone do not satisfy retention requirements for accessible, searchable records.
When you need it
  • You are subject to industry regulations (finance, healthcare, legal, government).
  • You operate across multiple jurisdictions with conflicting requirements.
  • You use SaaS extensively but have not assessed vendor retention limitations.
  • You are preparing for litigation, audit, or compliance certification.
What good looks like
  • Written retention policy aligned to industry requirements with legal review.
  • Email archiving solution independent of primary mail system retention.
  • SaaS data inventory with documented retention gaps and compensating controls.
  • Legal hold process that suspends normal deletion when required.
  • Backups complement—but do not replace—primary retention mechanisms.
How N2CON helps
  • Assess industry-specific retention requirements and map to your data landscape.
  • Implement SEAS (Secure Email Archiving Service) with real-time journaling for 7+ year email retention and eDiscovery capabilities.
  • Identify and address SaaS retention gaps before they become audit findings.
  • Design retention controls that produce evidence for legal and regulatory requests.

Backups are one tool—not the whole retention policy

Many organizations conflate backup retention with data retention. They are related but distinct:

  • Backup retention (see backup retention concepts) focuses on disaster recovery—how long you can restore from a specific point in time. Typical range: 30 days to 1 year.
  • Data retention focuses on governance—how long you must keep accessible, searchable records for compliance, legal, and operational purposes. Typical range: 3-7+ years.

The gap: A 90-day backup retention policy protects against ransomware and accidental deletion. It does not satisfy FINRA's 3-year email requirement, HIPAA's 6-year documentation rule, or a legal firm's 7-year client file obligation.

Backups are optimized for recovery speed and point-in-time restoration. They are typically not indexed for search, not easily browsable, and often require IT intervention to retrieve specific records. Compliance and legal discovery require accessible, searchable archives—not just recoverable backups.

A complete retention strategy uses multiple mechanisms:

  • Live data management: Classification, lifecycle policies, and deletion schedules for active systems.
  • Email archiving: Separate retention and search for mail systems, often with 7+ year retention.
  • SaaS governance: Understanding and compensating for vendor retention limitations.
  • Backups: Disaster recovery and short-term protection (days to months).
  • Long-term archives: Immutable storage for compliance-mandated retention (years).

Industry-specific retention requirements

Retention periods vary dramatically by industry. What suffices for a tech startup (minimal requirements) may be non-compliant for a financial services firm (heavy regulation).

Financial Services (FINRA/SEC)

Broker-dealers and investment advisors face strict books-and-records rules:

  • Email and communications: Minimum 3 years, with the first 2 years in an easily accessible place (SEC Rule 17a-4(b)); FINRA Rule 4511 applies a 6-year default to any record for which no period is specified elsewhere.
  • Trade records: 3-6 years depending on record type.
  • Supervision records: Often 3+ years.

Implication: Default Microsoft 365 mailbox retention (deleted items purged after roughly 30 days) is insufficient on its own. Financial firms typically need dedicated email archiving on WORM (Write Once Read Many) storage: SEC Rule 17a-4(f) requires electronic records to be kept in a non-rewriteable, non-erasable format or, since the 2022 amendments, in a system that maintains a complete audit trail of every change.

Healthcare (HIPAA)

HIPAA requires retention of documentation, not just patient data:

  • Documentation: 6 years from creation or last effective date (whichever is later).
  • Includes: Risk analyses, policies, training records, incident documentation, business associate agreements.
  • State laws: May extend requirements (some states require 7-10 years for medical records).

Implication: Healthcare organizations need retention that extends beyond typical backup windows. Patient records may need 7+ years of accessibility depending on state requirements and patient age (pediatric records often have extended retention).

Legal Services

Law firms face dual obligations: client file retention and malpractice protection:

  • Client files: Typically 7 years after matter closure (varies by state and practice area).
  • Some jurisdictions: May require longer retention for certain matters (estates, trusts, minors).
  • Malpractice considerations: Many firms keep files at least until the statute of limitations on legal malpractice claims has run. That period varies by state and can be extended by tolling rules, so the practical retention period is often longer than the basic client-file rule.

Implication: Legal firms need organized, searchable archives—not just backups—because clients may request files years later, and the firm must produce them efficiently without reconstructing from backup tapes.

Government & Law Enforcement (CJIS)

Organizations accessing FBI CJIS data must follow CJIS Security Policy requirements:

  • Audit logs: Typically 1+ years, with some agencies requiring longer retention.
  • Security documentation: Often requires retention for the duration of system operation plus several years.
  • Access records: May require extended retention depending on agency policy.

Implication: Government entities need retention aligned with their specific agency requirements, which may exceed CJIS baseline. Cloud migration requires careful assessment of vendor retention capabilities.

Education (FERPA)

FERPA does not specify exact retention periods but requires institutions to maintain records that demonstrate compliance:

  • Student records: Often retained for several years after graduation.
  • Financial aid documentation: May have separate federal retention requirements.
  • Special education records: Often have extended retention requirements.

PCI DSS (Payment Card Industry)

PCI DSS requires retention of security-related documentation:

  • Audit trail history: Minimum 1 year, with at least 3 months immediately available.
  • Security policies and procedures: Updated and retained as documentation.
  • Vulnerability scan reports: Retained for compliance validation.

Implication: PCI DSS emphasizes log retention over data retention, but it also requires a retention and disposal policy that limits stored cardholder data (CHD) to what the business legally needs (Requirement 3). Retaining CHD longer than necessary enlarges compliance scope and increases the impact of a breach.

SOC 2 & Trust Services Criteria

SOC 2 does not prescribe specific retention periods but requires:

  • Evidence retention: Sufficient to support the auditor's opinion (typically through the audit period plus some buffer).
  • System documentation: Retained and updated to reflect changes.

Implication: SOC 2 organizations should define retention periods based on their own risk assessment and document the rationale. Inconsistent retention that changes year-to-year may raise auditor concerns.

The cloud sprawl retention problem

SaaS adoption has outpaced retention planning. Many organizations discover too late that their cloud tools have retention policies that conflict with their compliance needs.

The SaaS retention trap

Common scenario: A law firm moves to a cloud practice management tool. The tool retains deleted matters for 30 days. The state bar requires 7-year client file retention. The firm assumes "cloud = backed up" but actually has a 30-day retention gap.

Default SaaS retention periods are typically designed for operational recovery, not compliance:

  • Microsoft 365: Deleted items are purged after roughly 30 days by default (configurable), followed by only a short recoverable-items window. Retention policies and litigation hold are available but generally require higher licensing tiers.
  • Google Workspace: Trash: 30 days. Vault (separate product) provides extended retention with proper configuration.
  • Slack/Teams: Message retention is usually configurable, but extended history and eDiscovery features often require paid or enterprise plans; free tiers may keep only a limited window of history.
  • CRM systems: Vary widely—some retain deleted records indefinitely, others purge after 30-90 days.

SaaS retention assessment checklist

# SaaS Retention Assessment

For each critical SaaS application:
- [ ] What is the default retention for deleted data?
- [ ] Can retention be extended? At what cost/licensing tier?
- [ ] Is retention configurable per data type (email, files, chat, etc.)?
- [ ] Does the vendor offer legal hold capabilities?
- [ ] Can data be exported for offline retention if needed?
- [ ] What happens to data when an account is deleted?
- [ ] Does the vendor's retention satisfy your industry requirements?
- [ ] If not, what compensating controls exist (backups, archiving, exports)?

Compensating for SaaS gaps

When SaaS retention does not meet compliance needs:

  • Email archiving with journaling: N2CON's SEAS (Secure Email Archiving Service) captures all inbound and outbound email via journaling, creating an independent, tamper-evident (WORM) archive with 7+ year retention, searchable indexes, and eDiscovery capabilities. Unlike backups, journaling captures each message in real time, before a user can delete it, so the archive is complete regardless of mailbox deletions, which is what FINRA, HIPAA, and legal-hold obligations require.
  • Third-party SaaS backups: Products exist to backup Microsoft 365, Google Workspace, Salesforce, and other SaaS platforms with extended retention.
  • Regular exports: For critical data, schedule automated exports to organization-controlled storage with appropriate retention.
  • Vendor negotiations: Enterprise agreements sometimes include custom retention terms or data escrow arrangements.

Related: Secure Email Archiving Service (SEAS), SaaS sprawl governance, and evaluating hosted app providers.

Email retention: the highest-stakes data type

Email is simultaneously the most regulated and most problematic data type. It contains business records, client communications, contracts, and evidence. Yet it is also ephemeral and easy to delete.

Why email retention is critical

  • Legal discovery: Email is the most frequently requested data type in litigation.
  • Regulatory compliance: Many industries have specific email retention mandates.
  • Institutional knowledge: Email often contains the only record of decisions and agreements.
  • BEC investigation: Business email compromise analysis requires email history.

Email retention architecture

A robust email retention strategy has layers:

  • Live mail system: Operational retention (30-90 days for deleted items) with recovery for recent mistakes.
  • Email archive: Long-term retention (3-7+ years) with search, eDiscovery capabilities, and tamper-evident (WORM) storage.
  • Backup: Disaster recovery point-in-time copies (not a substitute for archiving).

Warning: Relying on backups for email retention is risky. Backups are point-in-time, not continuously updated. Restoring a 2-year-old email from backup may require restoring an entire mail database from that date—impractical and disruptive.

Related: Secure Email Archiving Service (SEAS) guide.

Legal holds

Normal retention schedules assume stable operations. Litigation changes everything. A legal hold (litigation hold) suspends deletion of potentially relevant data when litigation is reasonably anticipated or pending. The duty to preserve attaches at the point of anticipation, not at the point of filing. Common triggers:

  • Anticipated litigation: When you reasonably expect litigation (threat, complaint, incident that may lead to suit).
  • Pending litigation: After a complaint is filed or you are served.
  • Regulatory investigation: When a government agency investigation is likely or underway.
  • Audit disputes: In some contexts, tax or financial audits trigger hold requirements.

The spoliation risk

"Spoliation of evidence" is the destruction or material alteration of evidence that is relevant to pending or anticipated litigation. Consequences include:

  • Sanctions: Courts may impose monetary penalties or adverse inference (the jury may be instructed to assume the destroyed evidence was unfavorable).
  • Case dismissal or default: In extreme cases, courts may dismiss claims or enter default judgment.
  • Criminal liability: Willful destruction of evidence may be prosecuted.

# Legal Hold Process Outline

1. TRIGGER: Identify litigation risk or notice
   - Who receives legal notices? (General counsel, executives, IT)
   - How are IT and relevant custodians notified?

2. SCOPE: Determine what to preserve
   - Which custodians (employees)?
   - Which systems (email, files, chat, databases)?
   - What time period?
   - What subject matter?

3. PRESERVATION: Suspend normal deletion
   - Disable auto-deletion for affected mailboxes
   - Suspend data lifecycle policies for affected systems
   - Preserve logs and system metadata
   - Document preservation actions

4. COMMUNICATION: Notify affected employees
   - Provide clear instructions on what to preserve
   - Prohibit deletion of relevant materials
   - Document the hold notification

5. MONITORING: Ensure compliance
   - Audit that holds are technically effective
   - Track changes to custodian status (hires, departures)
   - Maintain hold log

6. RELEASE: End hold when appropriate
   - Document when litigation concludes
   - Resume normal retention schedules
   - Document the release
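
Step 5 of the outline (audit that holds are technically effective) is where most hold failures surface: a custodian who was never put on hold, a custodian who left and whose mailbox was removed, or a hold configured with a finite duration that will lapse before the matter ends. The script below is an added example, not N2CON's tooling. It reconciles a hold's custodian list against a constructed mailbox export; the column names assume a CSV of selected Get-Mailbox properties from Exchange Online PowerShell, and the LitigationHoldDuration values are assumed to be either "Unlimited" or a D.HH:MM:SS timespan.

```python
"""Check that a legal hold is technically effective by reconciling the hold's
custodian list against a mailbox export. Added example, not N2CON's tooling.
The export shape is assumed (Get-Mailbox properties exported to CSV); the rows
below are constructed sample data."""
import csv
import io

# Custodians named in the hold notice (constructed).
HOLD_CUSTODIANS = {
    "alice@example.com", "bob@example.com",
    "carol@example.com", "frank@example.com",
}

# Constructed export. LitigationHoldDuration is assumed to be either the string
# "Unlimited" or a timespan in D.HH:MM:SS form.
MAILBOX_EXPORT = """\
UserPrincipalName,RecipientTypeDetails,LitigationHoldEnabled,LitigationHoldDuration
alice@example.com,UserMailbox,True,Unlimited
bob@example.com,UserMailbox,True,365.00:00:00
dave@example.com,UserMailbox,True,Unlimited
erin@example.com,UserMailbox,False,Unlimited
frank@example.com,UserMailbox,False,Unlimited
"""


def hold_days(duration: str):
    """Return None for an unlimited hold, otherwise the hold length in whole days."""
    if duration.strip().lower() == "unlimited":
        return None
    days, _, _ = duration.partition(".")
    return int(days)


def audit_holds(custodians=HOLD_CUSTODIANS, export_text=MAILBOX_EXPORT):
    """Compare the hold's scope with actual mailbox state; return findings by category."""
    rows = {r["UserPrincipalName"].lower(): r
            for r in csv.DictReader(io.StringIO(export_text))}
    findings = {
        "missing_hold": [],     # custodian mailbox exists but the hold is not enabled
        "no_mailbox": [],       # custodian absent from the export: departed user whose
                                # mailbox was deleted, or an inactive mailbox (Get-Mailbox
                                # lists those only with -InactiveMailboxOnly)
        "finite_duration": [],  # hold will lapse on its own, possibly before the matter ends
        "orphan_hold": [],      # hold enabled on someone outside this hold's scope
    }
    for upn in sorted(custodians):
        row = rows.get(upn.lower())
        if row is None:
            findings["no_mailbox"].append(upn)
            continue
        if row["LitigationHoldEnabled"].strip().lower() != "true":
            findings["missing_hold"].append(upn)
            continue
        days = hold_days(row["LitigationHoldDuration"])
        if days is not None:
            findings["finite_duration"].append((upn, days))
    wanted = {u.lower() for u in custodians}
    for upn, row in sorted(rows.items()):
        if upn not in wanted and row["LitigationHoldEnabled"].strip().lower() == "true":
            findings["orphan_hold"].append(upn)
    return findings


def hold_is_effective(findings) -> bool:
    """Effective means every custodian is held with no expiry. Orphan holds are
    informational: they may belong to another matter and need their own check."""
    return not (findings["missing_hold"] or findings["no_mailbox"]
                or findings["finite_duration"])


if __name__ == "__main__":
    result = audit_holds()
    for category, items in result.items():
        print(f"{category}: {items}")
    print("hold effective:", hold_is_effective(result))
```

Run against the sample export, the audit reports frank (hold never enabled), carol (no mailbox in the export) and bob (a 365-day hold that will expire on its own), and flags dave as held without being in scope. The same reconciliation applies to any system with a per-object hold flag; only the export parsing changes.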

GDPR and the retention tension

GDPR creates a unique tension for retention wherever you process the personal data of people in the EU or UK. While industry regulations often mandate minimum retention periods, GDPR imposes maximums: the storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the purpose it was collected for.

The conflict

  • HIPAA requires 6 years of documentation retention.
  • FINRA requires 3 years of email retention.
  • GDPR requires deletion of personal data when the purpose expires.

If that documentation or email contains personal data, you have a potential conflict. The resolution: document the legal basis for retention.

GDPR-compliant retention documentation

For each data type containing personal data, document:

  • Purpose: Why was the data collected?
  • Legal basis: What allows retention (legal obligation, contract, legitimate interest)?
  • Retention period: Specific timeframe with justification.
  • Review trigger: What event starts the deletion countdown (contract end, matter closure, etc.)?
  • Technical implementation: How will deletion be executed (automated, manual, anonymization)?

When industry requirements mandate longer retention than GDPR would otherwise allow, the legal obligation basis typically prevails—but you must document this rationale in your retention policy and privacy notices.
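
The documentation items above (purpose, legal basis, retention period, review trigger, technical implementation) and the legal hold process earlier on this page are easiest to reason about once they are expressed as a schedule that a system can actually evaluate. The script below is an added example, not N2CON's code. It validates each rule (a period must meet the industry floor and may exceed the GDPR purpose ceiling only when the documented basis is a legal obligation), then decides per record whether to hold, retain, delete or anonymize, with an active legal hold overriding everything else. The data-type names, custodian addresses, system names, holds and records are constructed placeholders.

```python
"""Apply a retention schedule to individual records, honoring legal holds,
regulatory minimums and the GDPR purpose ceiling. Added example, not N2CON's
code; the schedule, holds and records are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

LEGAL_OBLIGATION = "legal_obligation"   # the GDPR Art. 6(1)(c) basis


@dataclass(frozen=True)
class RetentionRule:
    data_type: str
    retention_years: int                     # policy period, counted from the trigger event
    legal_basis: str                         # documented basis for keeping personal data this long
    disposition: str                         # "delete" or "anonymize" when the period ends
    industry_min_years: int = 0              # floor set by a regulator or bar rule
    purpose_max_years: Optional[int] = None  # GDPR ceiling once the purpose expires


def validate_rule(rule: RetentionRule) -> None:
    """A period is defensible only if it meets the floor and either stays under
    the ceiling or documents a legal obligation that justifies exceeding it."""
    if rule.disposition not in ("delete", "anonymize"):
        raise ValueError(f"{rule.data_type}: unknown disposition {rule.disposition!r}")
    if rule.retention_years < rule.industry_min_years:
        raise ValueError(f"{rule.data_type}: period below the regulatory minimum")
    if (rule.purpose_max_years is not None
            and rule.retention_years > rule.purpose_max_years
            and rule.legal_basis != LEGAL_OBLIGATION):
        raise ValueError(f"{rule.data_type}: exceeds the purpose ceiling without a legal obligation")


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset
    systems: frozenset
    records_from: date                 # scope: records whose trigger date is on or after this
    released: Optional[date] = None    # None while the hold is still active


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    system: str
    custodian: str
    trigger_date: date                 # matter closed, contract ended, document superseded...


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, rules: Dict[str, RetentionRule],
           holds: List[LegalHold], today: date) -> Tuple[str, str]:
    """Return (action, reason). Holds win; then the clock; then the disposition."""
    rule = rules[record.data_type]
    for hold in holds:
        if hold.released is not None and hold.released <= today:
            continue                   # released hold: normal schedule resumes
        if (record.custodian in hold.custodians and record.system in hold.systems
                and record.trigger_date >= hold.records_from):
            return "hold", f"preserved for matter {hold.matter!r}"
    expiry = add_years(record.trigger_date, rule.retention_years)
    if today < expiry:
        return "retain", f"{rule.legal_basis} until {expiry.isoformat()}"
    return rule.disposition, f"retention period ended {expiry.isoformat()}"


# Constructed schedule: one rule per data type, validated up front.
RULES = {r.data_type: r for r in (
    RetentionRule("hipaa_documentation", 6, LEGAL_OBLIGATION, "delete", industry_min_years=6),
    RetentionRule("client_file", 7, LEGAL_OBLIGATION, "delete", industry_min_years=7),
    RetentionRule("marketing_contact", 2, "consent", "anonymize", purpose_max_years=2),
)}
for _rule in RULES.values():
    validate_rule(_rule)

HOLDS = [
    LegalHold("Acme v. Example Co.", frozenset({"bob@example.com"}),
              frozenset({"exchange", "sharepoint"}), date(2018, 1, 1)),
    LegalHold("Closed matter", frozenset({"alice@example.com"}),
              frozenset({"sharepoint"}), date(2018, 1, 1), released=date(2024, 9, 30)),
]

RECORDS = [
    Record("doc-1", "hipaa_documentation", "sharepoint", "alice@example.com", date(2019, 1, 15)),
    Record("doc-2", "hipaa_documentation", "sharepoint", "bob@example.com", date(2019, 1, 15)),
    Record("file-1", "client_file", "dms", "carol@example.com", date(2021, 3, 31)),
    Record("mkt-1", "marketing_contact", "crm", "bob@example.com", date(2023, 6, 1)),
    Record("mkt-2", "marketing_contact", "crm", "bob@example.com", date(2025, 1, 1)),
]


def run_schedule(records: List[Record] = RECORDS,
                 today: date = date(2026, 3, 1)) -> Dict[str, Tuple[str, str]]:
    return {rec.record_id: decide(rec, RULES, HOLDS, today) for rec in records}


if __name__ == "__main__":
    for rid, (action, reason) in run_schedule().items():
        print(f"{rid:8} {action:10} {reason}")
```

Two details are deliberate. The hold check is scoped by custodian, system and date range, so bob's CRM marketing record is not swept into a hold that only covers his mail and SharePoint data, while his HIPAA documentation is. And the rule validation fails closed: a rule that keeps personal data beyond its purpose ceiling on a "legitimate interest" basis is rejected at load time, which is the point at which counsel should be asked to document a legal obligation instead.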

Building a practical retention program

# Data Retention Program Checklist

## 1. Inventory and classification
- [ ] List all data types (email, documents, databases, chat, etc.)
- [ ] Identify which contain personal or sensitive data
- [ ] Document current storage locations (on-prem, cloud, SaaS)
- [ ] Classify by business criticality and compliance sensitivity

## 2. Requirement mapping
- [ ] Identify applicable regulations (HIPAA, FINRA, state laws, etc.)
- [ ] Document minimum retention requirements per regulation
- [ ] Identify maximum retention requirements (GDPR)
- [ ] Note any special requirements (immutable, WORM, searchable)
- [ ] Engage legal counsel to confirm requirements

## 3. Policy development
- [ ] Write retention schedule with specific periods per data type
- [ ] Include legal hold procedures
- [ ] Define roles and responsibilities
- [ ] Establish review and approval process
- [ ] Document legal basis for each retention period

## 4. Technical implementation
- [ ] Configure mail system retention (operational)
- [ ] Implement email archiving solution (compliance)
- [ ] Configure backup retention (disaster recovery)
- [ ] Address SaaS retention gaps (exports, third-party backups)
- [ ] Implement legal hold technical controls

## 5. Documentation and training
- [ ] Publish retention policy
- [ ] Train employees on their obligations
- [ ] Train IT on technical implementation
- [ ] Train legal/executives on hold procedures

## 6. Monitoring and maintenance
- [ ] Audit retention compliance quarterly
- [ ] Review policy annually or when regulations change
- [ ] Test legal hold process
- [ ] Update when new systems or data types are introduced

Key takeaways

  • Backups ≠ retention policy. Backups handle disaster recovery (days to months). Retention governs compliance and legal requirements (often years).
  • Industry requirements vary dramatically. A 90-day backup policy works for general disaster recovery but fails FINRA (3 years), HIPAA (6 years), or legal (7+ years) requirements.
  • SaaS sprawl creates retention gaps. Default cloud retention is designed for operational recovery, not compliance. Audit your SaaS tools' retention capabilities.
  • Email requires dedicated archiving. Do not rely on backups for long-term email retention: recovery is impractical, search is slow or unavailable, and anything deleted between backup snapshots is never captured at all.
  • Legal holds override normal retention. Have a process to suspend deletion when litigation is anticipated. Spoliation sanctions are severe.
  • GDPR adds maximum retention limits. Document your legal basis for retention periods that extend beyond what GDPR would otherwise permit.
  • Retention is governance, not just IT. Legal, compliance, and business stakeholders must be involved in retention policy decisions.

Common Questions

Is backup retention the same as data retention?

No. Backup retention is one component of a data retention policy—it protects against disasters and enables recovery. But data retention also includes live data management (what to keep, what to delete, legal holds), email archiving for compliance, and SaaS data governance. A backup with 90-day retention does not satisfy HIPAA or FINRA requirements that may mandate years of accessible records.

How long should we keep emails?

It depends on your industry. FINRA and SEC require broker-dealers to keep business-related emails for at least 3 years. Legal firms often keep client files for 7+ years after matter closure. Healthcare organizations may need 6+ years for HIPAA documentation. General business email often follows a 3-7 year standard, but litigation holds may override normal retention when required.

What is a legal hold and how does it affect retention?

A legal hold (or litigation hold) suspends normal deletion schedules when litigation is anticipated or pending. Once a hold is in place, you must preserve all potentially relevant data regardless of normal retention periods. Failing to implement a hold can result in sanctions for spoliation of evidence.

How does cloud sprawl impact retention?

SaaS applications often have limited native retention. Microsoft 365 retains deleted emails for 30 days by default. Google Workspace keeps trash for 30 days. Many niche SaaS tools have even shorter retention—or none at all. If your retention policy requires 7 years of email history but you rely solely on Microsoft 365 defaults, you have a gap that backups or email archiving must fill.

What are the GDPR implications for retention?

GDPR requires that personal data be kept no longer than necessary for the purpose it was collected (storage limitation principle). Unlike industry-specific minimums, GDPR sets maximums—you must delete or anonymize data when the purpose expires. This creates tension with industry retention requirements; you need clear documentation showing why retention is necessary for legal or operational purposes.

Need help designing a retention program that satisfies compliance without over-retaining?

We can help assess your industry requirements, identify cloud sprawl gaps, and implement retention controls that balance accessibility, cost, and legal defensibility.

Contact N2CON