Sample Legal Hold Standards:
Document History
Version | Date | Revised By | Description |
<Version number> | <Current date> | <Owners's name> | This version replaces any prior version. |
Document Certification
Description | Date Parameters |
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
Next document recertification date: | <Future date> |
Sample Legal Hold Standard
The <Your Company Name> (the "Company") Sample Asset Management Standard defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.
This Legal Hold Standard builds on the objectives established in the Sample Asset Management Standard, and provides specific instructions and requirements for establishing and maintaining legal evidence retention and protection standards for Company physical and electronic data stores, network devices, servers, and desktops.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Legal Retention Management refers to a collection of related processes pertaining to the collection, handling, and preservation of Company information stores that include sources such as hardware devices and software applications; standard computing environments; archival systems; and periodic auditing and compliance checking.
Records are defined as Company information assets both in electronic and physical manifestations. Company information assets are defined in the Asset Identification and Classification Standard.
Information assets are defined in the Sample Asset Identification and Classification Policy.
II. Requirements
It is the policy of the Company to comply with all applicable legal, regulatory, or other requirements for the retention of Records, subject to litigation or other legal holds, and to comply with the directives given by the <Your Company Name> Board of Directors.
These policies and procedures are developed as a means of implementing company policy of compliance with all required litigation or other legal holds and with the directives of the <Your Company Name> Board. Please refer to the Sample Information Handling Standard for specific guidelines.
III. Responsibilities
The Chief Information Security Officer (CISO) and the Record Hold/Discovery Sub-Committee of the <Your Company Name> Steering Committee jointly approves the Legal Hold Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Legal Hold Standard. The CISO will initiate the collection and preservation of all electronic data requested by <Your Company Name> General Counsel or other designated Counsel.
Company management, including senior management and department managers, is accountable for ensuring that the Legal Hold Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Legal Hold Standard.
Record Retention Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Legal Hold Standard; coordinating with the Information Security Department to ensure that Company protection standards are properly established and maintained; and ensuring that accurate and updated information on network devices and servers; data storage devices issued by the company; and record handling systems in the production environment is retained. The Owner is responsible for identifying the various permeations that employees store and save information (i.e., some employees may save documents to a hard drive while others to a network file share).
Record Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; coordinating with the Information Security Department to ensure that Company record protection standards are properly established and maintained in accordance with established Company record hold standards.
Users are the individuals, groups, or organizations authorized by the Owner to prepare retention request data records. Users are responsible for familiarizing and complying with the Legal Hold Standard and associated guidelines; following Company-approved processes and procedures and maintaining the confidentiality, integrity and availability of information accessed, prepared, and preserved consistent with the Owner's approved safeguards while under the User's control.
Information Security will complete the information analysis of the electronic information is question relevant to the pending significant defensive litigation and or material threat of litigation. Information Security shall maintain all electronic or other information obtained via legal hold, and share this information with the <Your Company Name> General Counsel or his designee, at their request.
IV. Enforcement and Exception Handling
Failure to comply with the Legal Hold Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
A Case Request Form may be obtained by contacting Information Security. Upon receipt of notice of significant defensive litigation and or material threat of litigation, the Chair of the Record Hold/Discovery Subcommittee shall direct the appropriate Company employee or employees to proceed with suspension of routine destruction of all relevant documents, to include, but not be limited to, email, communications, or other electronically stored data documents created by Company employees.
The <Your Company Name> General Counsel and or its designee shall notify employees of the Company identified as likely to have relevant information to the significant defensive litigation and or material threat of litigation of the need for the litigation or other legal hold and of their obligations to suspend routine record and other electronic document or physical document destruction.
Requests for exceptions to the Legal Hold Standard should be submitted to the CISO in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Legal Hold Standard.
V. Review and Revision
The Legal Hold Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Recommended: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Officer
- Chief Information Officer