Legal Hold Procedure (OP-PROC-005)
1. Purpose
To outline the steps for issuing, tracking, and releasing a legal hold on information that is relevant to reasonably anticipated or actual litigation, government investigation, or audit.
2. Scope
This procedure applies to all employees and systems where company data is stored. It covers all forms of information, including electronic documents, emails, databases, and physical records.
3. Overview
This procedure ensures that all potentially relevant information is preserved and protected from destruction or modification when the company is notified of a legal action. It details the formal process managed by the Legal team to suspend normal data retention and disposal schedules for the duration of the legal matter.
4. Procedure
| Step | Who | What |
|---|---|---|
| 1 | Legal Team | Identifies the need for a legal hold based on notification of a lawsuit, investigation, or other legal dispute. |
| 2 | Legal Team | Issues a formal Legal Hold Notice to all relevant employees (custodians) and system administrators. The notice specifies the subject matter and the scope of the data to be preserved. |
| 3 | IT Team | Upon receipt of the notice, suspends all automated deletion and data disposal processes for the identified data and systems. |
| 4 | Custodians | Acknowledge receipt of the hold notice and take necessary steps to preserve all relevant information under their control. |
| 5 | Legal Team | Maintains an inventory of all data subject to the hold and sends periodic reminders to custodians to ensure ongoing compliance. |
| 6 | Legal Team | When the legal matter is fully resolved, issues a formal Hold Release Notice to all custodians and the IT team, authorizing the resumption of normal data retention policies. |
5. Standards Compliance
This section maps the procedure steps to specific controls from relevant information security standards.
| Procedure Step(s) | Standard/Framework | Control Reference |
|---|---|---|
| 1-6 | SOC 2 | CC2.1 |
6. Artifact(s)
- A formal Legal Hold Notice, including a list of custodians.
- A formal Hold Release Notice.
- Acknowledgement receipts from custodians.
7. Definitions
Legal Hold: A process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated.
Custodian: An individual who has possession, custody, or control of potentially relevant information.
8. Responsibilities
| Role | Responsibility |
|---|---|
| Legal Team | Responsible for identifying the need for a legal hold, issuing notices, tracking compliance, and releasing the hold. |
| IT Team | Responsible for implementing the technical measures required to suspend data disposal for the information on hold. |
| Custodians | Responsible for preserving all information relevant to the legal hold notice. |