A formal process to preserve all relevant documents, data, and communications when litigation is anticipated or ongoing, preventing destruction or alteration of potential evidence.
Legal holds for insider threat cases require immediate implementation to preserve evidence before investigations begin. This includes suspending data retention policies, preserving user accounts and data, collecting relevant systems and communications, and notifying relevant personnel of preservation obligations. The hold must be comprehensive enough to capture all relevant evidence while being specific enough to be manageable. Failure to implement proper legal holds can result in spoliation claims, adverse inference instructions, and significant legal penalties.