Mastering Data Retention and Legal Hold Management in a Regulatory Maze

In the face of tightening data privacy laws, surging data volumes fueled by AI and rising litigation risks, the new year will bring a renewed focus on regulatory compliance, operational efficiency and legal preparedness. To navigate this evolving terrain, organizations must connect the dots between proactive data retention and legal hold in their data governance programs. 

Privacy regulations meet exploding data volumes

In 2025, the regulatory landscape will become more complex as state-by-state data privacy laws establish rights for consumers and responsibilities for the companies that process their data. At the same time, the sheer volume of data, fueled in large part by AI and modern productivity tools, will keep on expanding.

While the most stringent state-level consumer privacy laws, such as the California Consumer Privacy Act (CCPA), push for stricter timelines for data deletion, consent requirements for data storage and clearer guidelines for data usage, some states have enacted more lenient rules that lean more in favor of businesses.

This patchwork presents a major compliance challenge, regardless of where a company operates, since corporations are required to handle employee and customer data based on the local regulations governing each individual. For instance, the CCPA applies to any organization that processes the personal data of Californian residents. A company in Wisconsin — which lacks a comprehensive data privacy law — must still treat the data of a California website visitor in accordance with CCPA regulations.

This growing complexity in state regulation has fueled calls for a federal data privacy standard like the EU’s GDPR; however, national regulation is unlikely in 2025.

While companies can anticipate less regulatory enforcement at the federal level under the new administration — given President Donald Trump’s  historically limited appetite for enforcement and newly appointed FTC Chair Andrew Ferguson’s open criticism of the agency’s previous privacy enforcement — organizations must still prepare for stricter enforcement at the state level.

The backdrop of all of this is the exponential growth of data volumes, fueled by modern productivity tools and AI. Emails, messaging apps, video conferencing and prompt data or generative AI (GenAI) outputs create vast, fragmented data stores. A single Zoom meeting now typically generates recordings, transcripts, summaries and action items. Even ChatGPT histories are increasingly relevant for data retention and legal hold.

At its core, data retention is about data deletion. It requires striking a balance between the risks of discarding data and the risks of retaining it. While preserving information can foster innovation, enhance knowledge retention and boost productivity, unchecked data accumulation introduces substantial hazards.

Cybersecurity

Inside Regulators’ View of ‘Reasonable Security’

by Ryan Smyth and Joe Bruemmer

January 21, 2025

Consent orders and AVCs set standards for testing, training and incident response

Read moreDetails

Risk vs. benefits

Historically, organizations erred on the side of preserving information, opting to invest in additional storage solutions on the chance that archived data might prove useful in the future. However, as data volumes continue to grow exponentially, so does risk, and those associated risks now far outweigh the benefits of retaining hypothetically valuable information.

The paradigm is shifting in 2025: If data can be legally and compliantly deleted, it should be. For legal teams and compliance teams, effective data governance will center on implementing strategic data deletion strategies to mitigate critical risks in several key areas:

• Privacy and compliance risks: With the proliferation of state-level privacy laws mandating data deletion, over-collecting and over-retaining data poses increasing compliance challenges. Failing to edit retention processes to meet these regulations could lead to significant penalties.
• Increased storage costs: As data volumes grow, companies must invest in both on-premises and cloud storage solutions to accommodate diverse data types. The associated infrastructure costs — spanning hardware, software and cloud services — can skyrocket if outdated or unnecessary data is retained.
• Heightened security threats: Companies routinely handle sensitive information like personally identifiable information (PII) and HIPAA-regulated data (think: HR systems). Due to advancements in AI, cyber attacks are expected to rise in 2025, which means that excessive, prolonged data retention increases the risk of exposing sensitive information.

Legal hold challenges

Litigation is projected to surge in 2025  across regulated and unregulated industries, alongside a rise in internal investigations spurred by high-profile corporate fraud cases. As companies prepare to integrate litigation and investigations into routine operations, they must adopt a more proactive approach to legal hold management — a historically reactive process.

A critical component of this shift is ensuring that ongoing data retention policies actively support legal hold processes, minimizing risk at every stage. Again, that means effective data retention in 2025 will not simply be about bare minimum compliance with state-level regulations; it will also entail strategically and defensibly deleting data to reduce exposure during litigation and investigations.

Accidentally disclosing sensitive information during an investigation, even if it is unrelated to the matter at hand, can trigger additional lawsuits, heightened regulatory scrutiny or damaging public scandals (e.g., if an executive’s messages contain nefarious activity). To mitigate these threats heading into the new year, organizations must ensure that data retention and legal hold function as interdependent components of a unified risk management strategy.

Under the Federal Rules of Civil Procedure (FRCP) Rule 37, organizations must take “reasonable actions” to preserve relevant information when litigation is anticipated. Legal hold processes include:

• Identifying relevant data: Mapping critical data — from emails to AI-generated summaries — and ensuring it can be retrieved.
• Custodian compliance: Notifying employees (custodians) of preservation requirements and ensuring they follow through.
• Monitoring and documentation: Tracking and maintaining detailed records of legal hold actions to demonstrate adherence if challenged.

Proactive data governance

To address these data retention and legal hold challenges in 2025, proactive companies must adopt a targeted “less is more” strategy for legal holds to minimize technical costs, cyber threats and compliance risks –– and a sound data governance program that prioritizes strategic, precise data deletion is the cornerstone of such a program.

Less volume for greater efficiency

With well-executed data retention policies, organizations can significantly reduce the volume of discoverable data, making legal hold processes faster, easier and more compliant. This approach also minimizes risks associated with retaining unnecessary information, including those related to emerging state privacy laws, leaving less sensitive data to preserve and protect.

Reduced data silos and fragmentation to streamline processes

Fragmented systems make it challenging for custodians and compliance officers alike to locate and preserve information. Clear information governance policies on approved platforms and channels ensure data collection for legal hold remains efficient and focused.

Removing barriers to improve custodian compliance

With less relevant data dispersed across fewer sources, organizations can address one of the most persistent legal hold challenges: unresponsive custodians. Companies can achieve greater cooperation and efficiency in legal hold operations by simplifying the process and reducing burdens.