Legal Hold Notice Template
Twelve sections that turn blank-page drafting into a counsel-issued, FRCP 37(e)-defensible preservation artefact
A free, copy-ready legal hold notice template for in-house counsel, GRC and compliance teams, privacy officers, CISOs, security operations leaders, incident response leads, SOC managers, vulnerability management teams, AppSec teams, security engineering teams, and IT preservation owners.
Twelve structured sections covering matter header and counsel authority and version control, named recipient set with acknowledgement requirement, matter scope and trigger and preservation duty awareness anchor, preservation scope and source classes across email and chat and SaaS and code repositories and security telemetry and finding records and backup tiers and devices, preservation actions and prohibited actions written in operational language, system-side preservation steps with named owners and target completion timestamps, exceptions and ordinary-course carve-outs and privileged-evidence treatment and the cross-border GDPR Article 6 and Chapter V transfer block, questions and counsel contact with privilege-treated channel, acknowledgement and certification capture, periodic reissue and refresher cadence with named triggers, release of hold pathway with named conditions and ordinary-course retention resumption, and cross-references and matter record cross-references to the matter-management system, the incident engagement record, the audit-evidence retention policy, the regulator-engagement protocol, and the cyber-insurance notice-of-claim.
Aligned with Federal Rule of Civil Procedure 37(e) reasonable-steps discipline and the line of cases including Zubulake v. UBS Warburg and Pension Committee v. Banc of America Securities, ISO/IEC 27001:2022 Annex A 5.33 protection of records, A 5.34 privacy and protection of personally identifiable information, A 7.10 storage media, A 8.10 information deletion, SOC 2 CC1.4 and CC2.1 evidence integrity, NIST SP 800-53 AU-11 audit record retention and MP-6 media sanitization and CM-3 configuration change control, PCI DSS Requirement 10.5 and 10.7 audit trail protection and retention, HIPAA Security Rule 164.316(b)(2) documentation retention, DORA Article 28 ICT third-party risk, GDPR Article 6 lawful basis and Chapter V transfer mechanisms for European personal data preservation and cross-border evidence transfer, and UK Data Protection Act 2018 corresponding obligations.
Run legal hold preservation on the live engagement record, not on forwarded emails
SecPortal opens a matter engagement at the moment the duty-to-preserve trigger fires so the named matter scope, the named recipient set, the named in-scope finding records, the named scanner-output preservation, the named activity-log CSV export, the named exception register entries under hold, the named cross-border block, the named reissue version chain, and the named release-of-hold pathway live on one workspace with a named-actor activity log. Free plan available.
Twelve sections that turn a legal hold notice from a blank-page draft into a counsel-issued, audit-defensible artefact
A legal hold notice is the structured written instruction in-house counsel or external counsel issues to named data custodians inside an organisation, directing them to preserve specific categories of records, communications, devices, accounts, log sources, and security evidence in connection with reasonably anticipated litigation, a regulatory inquiry, a government investigation, an internal investigation, a cyber-insurance claim, or a contractual dispute. The notice is not legal advice and does not replace counsel: it is the operational instruction that counsel issues so that ordinary-course deletion, archiving, retention, and disposition do not run against the named in-scope evidence while the matter is open. The duty to preserve attaches as soon as the organisation reasonably anticipates litigation under Federal Rule of Civil Procedure 37(e) and the line of cases including Zubulake v. UBS Warburg and Pension Committee v. Banc of America Securities, and the hold notice is the operational artefact through which the organisation discharges that duty.
The legal hold notice template is the preservation-instruction companion to the incident response runbook template (the procedural document responders read during active containment), to the security incident severity classification template (the multi-dimensional rubric that decides which severity band the response runs against), to the data breach notification letter template (the outbound formal correspondence to regulators, individuals, customers, and insurers under named regulator clocks), to the audit evidence retention policy template (the standing programme policy the hold overrides for the named in-scope evidence for the duration of the named matter), to the audit evidence retention and disposal workflow (the engagement-record discipline that holds the retention chain on one trail), and to the data subject access request form template (the inbound right-of-access response artefact that reads the named matter scope as a retention override when a DSAR lands during an open hold). Copy each section, replace the variable placeholders from the live matter record, and issue under counsel authority.
1. Matter header and counsel authority
Open the notice with the matter identifier (cross-referenced from the matter-management system or the incident engagement record), the named effective date, the named in-house counsel author, the named outside counsel firm where applicable, and the named matter classification (litigation, regulatory inquiry, government investigation, internal investigation, cyber-insurance claim, contractual dispute). A reviewer should be able to read in the first lines which matter this is, who issued the hold, when it became effective, and where it sits inside the matter portfolio. The block carries the privileged-communication treatment statement so the notice itself is not treated as ordinary correspondence by the recipient inbox.
Matter identifier (cross-referenced from the matter-management system or the incident engagement record): {{MATTER_IDENTIFIER}}
Matter classification (one of: civil litigation, regulatory inquiry, government investigation, internal investigation, cyber-insurance claim, contractual dispute, securities-class-action, employment dispute, named-other): {{MATTER_CLASSIFICATION}}
Notice version: v{{NOTICE_VERSION}}
Notice effective date: {{NOTICE_EFFECTIVE_DATE}}
Notice issuance date: {{NOTICE_ISSUANCE_DATE}}
Preservation duty trigger event: {{DUTY_TRIGGER_EVENT}}
Preservation duty awareness anchor (the moment the organisation became aware of the duty): {{DUTY_AWARENESS_ANCHOR}}
Named in-house counsel author:
- Role: {{IN_HOUSE_COUNSEL_ROLE}}
- Named person at time of issuance: {{IN_HOUSE_COUNSEL_NAME}}
- Email: {{IN_HOUSE_COUNSEL_EMAIL}}
Named outside counsel firm (where applicable):
- Firm: {{OUTSIDE_COUNSEL_FIRM}}
- Named lead lawyer: {{OUTSIDE_COUNSEL_NAME}}
- Engagement letter reference: {{OUTSIDE_COUNSEL_ENGAGEMENT_LETTER_REFERENCE}}
Named additional supporting counsel (privacy counsel, securities counsel, employment counsel, sector regulatory counsel): {{ADDITIONAL_COUNSEL_NAMES}}
Privileged-communication treatment statement:
This notice is issued under the authority of the named counsel above and constitutes a privileged and confidential communication for the named recipients in connection with the named matter. Treat this notice and any related response, clarification, or acknowledgement as privileged. Do not forward the notice to recipients outside the named recipient list without counsel approval. Direct clarifying questions to the named counsel contact in Section 8.
Cross-references on the matter record:
- Incident engagement record reference (where the matter relates to an active incident): {{ENGAGEMENT_RECORD_REFERENCE}}
- Audit-evidence retention policy version overridden by this notice for in-scope evidence: {{AUDIT_RETENTION_POLICY_VERSION}}
- Regulator-engagement protocol reference (where the matter relates to an active regulator inquiry): {{REGULATOR_ENGAGEMENT_PROTOCOL_REFERENCE}}
- Cyber-insurance notice-of-claim reference (where the matter relates to an active insurance claim): {{INSURER_NOTICE_OF_CLAIM_REFERENCE}}
- Litigation-support vendor record reference: {{LITIGATION_SUPPORT_VENDOR_REFERENCE}}
Revision history (each entry: notice version, effective date, trigger, author, counsel reviewer, signed-off-by):
- v{{PRIOR_VERSION_1}} effective {{PRIOR_DATE_1}}, trigger {{PRIOR_TRIGGER_1}}, author {{PRIOR_AUTHOR_1}}, counsel {{PRIOR_COUNSEL_1}}, signed {{PRIOR_SIGNATORY_1}}
- v{{PRIOR_VERSION_2}} effective {{PRIOR_DATE_2}}, trigger {{PRIOR_TRIGGER_2}}, author {{PRIOR_AUTHOR_2}}, counsel {{PRIOR_COUNSEL_2}}, signed {{PRIOR_SIGNATORY_2}}
2. Named recipients and acknowledgement requirement
Name the recipient set explicitly by role, individual, team, function, and external service provider. Each named recipient is required to acknowledge the notice within the named acknowledgement window so the matter record can prove receipt and reading. Where a recipient is a team or a function rather than an individual, the named lead is responsible for confirming named-individual acknowledgement across the team. The recipient list is refreshed when the matter scope expands or contracts.
Named individual custodians (each entry: role, named person at time of issuance, work email, work phone, employment status, location):
- {{CUSTODIAN_1_ROLE}} | {{CUSTODIAN_1_NAME}} | {{CUSTODIAN_1_EMAIL}} | {{CUSTODIAN_1_PHONE}} | {{CUSTODIAN_1_STATUS}} | {{CUSTODIAN_1_LOCATION}}
- {{CUSTODIAN_2_ROLE}} | {{CUSTODIAN_2_NAME}} | {{CUSTODIAN_2_EMAIL}} | {{CUSTODIAN_2_PHONE}} | {{CUSTODIAN_2_STATUS}} | {{CUSTODIAN_2_LOCATION}}
- {{CUSTODIAN_3_ROLE}} | {{CUSTODIAN_3_NAME}} | {{CUSTODIAN_3_EMAIL}} | {{CUSTODIAN_3_PHONE}} | {{CUSTODIAN_3_STATUS}} | {{CUSTODIAN_3_LOCATION}}
Named teams and functions (each entry: function, named team lead, scope of representation):
- {{TEAM_1_FUNCTION}} | Named lead: {{TEAM_1_LEAD_NAME}} | Scope: {{TEAM_1_SCOPE}}
- {{TEAM_2_FUNCTION}} | Named lead: {{TEAM_2_LEAD_NAME}} | Scope: {{TEAM_2_SCOPE}}
- {{TEAM_3_FUNCTION}} | Named lead: {{TEAM_3_LEAD_NAME}} | Scope: {{TEAM_3_SCOPE}}
Named IT and security functions (each entry: function, named function lead, named preservation responsibility):
- IT operations: Named lead {{IT_OPS_LEAD_NAME}} | Named preservation responsibility {{IT_OPS_PRESERVATION_SCOPE}}
- Identity and access management: Named lead {{IAM_LEAD_NAME}} | Named preservation responsibility {{IAM_PRESERVATION_SCOPE}}
- Endpoint management: Named lead {{ENDPOINT_LEAD_NAME}} | Named preservation responsibility {{ENDPOINT_PRESERVATION_SCOPE}}
- Email and chat administration: Named lead {{EMAIL_CHAT_LEAD_NAME}} | Named preservation responsibility {{EMAIL_CHAT_PRESERVATION_SCOPE}}
- SaaS administration: Named lead {{SAAS_LEAD_NAME}} | Named preservation responsibility {{SAAS_PRESERVATION_SCOPE}}
- Backup and archive operations: Named lead {{BACKUP_LEAD_NAME}} | Named preservation responsibility {{BACKUP_PRESERVATION_SCOPE}}
- Security operations (SOC): Named lead {{SOC_LEAD_NAME}} | Named preservation responsibility {{SOC_PRESERVATION_SCOPE}}
- Vulnerability management and AppSec: Named lead {{VULN_APPSEC_LEAD_NAME}} | Named preservation responsibility {{VULN_APPSEC_PRESERVATION_SCOPE}}
- GRC and compliance: Named lead {{GRC_LEAD_NAME}} | Named preservation responsibility {{GRC_PRESERVATION_SCOPE}}
Named external service providers and vendor relationships (each entry: vendor, contract reference, named single point of contact, named preservation responsibility):
- {{VENDOR_1_NAME}} | Contract {{VENDOR_1_CONTRACT_REFERENCE}} | Named SPOC {{VENDOR_1_SPOC_NAME}} | Named preservation responsibility {{VENDOR_1_PRESERVATION_SCOPE}}
- {{VENDOR_2_NAME}} | Contract {{VENDOR_2_CONTRACT_REFERENCE}} | Named SPOC {{VENDOR_2_SPOC_NAME}} | Named preservation responsibility {{VENDOR_2_PRESERVATION_SCOPE}}
- {{VENDOR_3_NAME}} | Contract {{VENDOR_3_CONTRACT_REFERENCE}} | Named SPOC {{VENDOR_3_SPOC_NAME}} | Named preservation responsibility {{VENDOR_3_PRESERVATION_SCOPE}}
Acknowledgement requirement:
Each named recipient is required to acknowledge this notice within {{ACKNOWLEDGEMENT_WINDOW_HOURS}} hours of receipt. Acknowledgement is captured via {{ACKNOWLEDGEMENT_CHANNEL}} and recorded on the matter record under acknowledgement tracking. A named team lead acknowledges on behalf of the team scope identified above and is responsible for confirming named-individual acknowledgement across the named team scope within {{TEAM_LEAD_ROLLUP_DAYS}} business days. Departing or transitioning recipients require named-successor acknowledgement before role transition.
Recipient-set scope changes will be issued as a named reissue under Section 10. The named matter record reflects the canonical recipient set as of the most recent reissue.
3. Matter scope and trigger
State the matter scope without privileged narrative: the named subject matter, the named in-scope date range, the named jurisdictions and regulators in scope, and the named triggering event that started the preservation clock. The block does not include the privileged litigation strategy. The block is read by the recipient to understand what the preservation duty is anchored against, not how the matter is being litigated.
Named matter subject matter (counsel-approved summary suitable for the named recipient set, without privileged narrative): {{MATTER_SUBJECT_MATTER_SUMMARY}}
Named in-scope date range:
- Start date of in-scope period: {{IN_SCOPE_START_DATE}}
- End date of in-scope period (or "present"): {{IN_SCOPE_END_DATE}}
Named in-scope jurisdictions (each entry: jurisdiction, named local counsel relationship, named local data-protection considerations):
- {{JURISDICTION_1_NAME}} | Named local counsel {{JURISDICTION_1_LOCAL_COUNSEL}} | Named local data-protection considerations {{JURISDICTION_1_DATA_PROTECTION_NOTES}}
- {{JURISDICTION_2_NAME}} | Named local counsel {{JURISDICTION_2_LOCAL_COUNSEL}} | Named local data-protection considerations {{JURISDICTION_2_DATA_PROTECTION_NOTES}}
- {{JURISDICTION_3_NAME}} | Named local counsel {{JURISDICTION_3_LOCAL_COUNSEL}} | Named local data-protection considerations {{JURISDICTION_3_DATA_PROTECTION_NOTES}}
Named in-scope regulators or courts (each entry: regulator or court, named file or case reference where assigned, named regulator-engagement-protocol reference):
- {{REGULATOR_1_NAME}} | File reference {{REGULATOR_1_FILE_REFERENCE}} | Engagement protocol reference {{REGULATOR_1_ENGAGEMENT_PROTOCOL_REFERENCE}}
- {{REGULATOR_2_NAME}} | File reference {{REGULATOR_2_FILE_REFERENCE}} | Engagement protocol reference {{REGULATOR_2_ENGAGEMENT_PROTOCOL_REFERENCE}}
Named triggering event:
- Trigger event class (one of: third-party threat letter or demand letter, regulator inquiry or examination, subpoena or civil investigative demand, government investigation notice, internal investigation activation, confirmed data breach with likely litigation follow-on, cyber-insurance claim opening, contractual-dispute escalation, employment-dispute escalation, securities-class-action filing or threat, named-other): {{TRIGGER_EVENT_CLASS}}
- Trigger event date: {{TRIGGER_EVENT_DATE}}
- Trigger event identifier (named correspondence reference, named subpoena reference, named regulator letter reference, named internal-investigation-activation memo reference): {{TRIGGER_EVENT_IDENTIFIER}}
- Awareness anchor (the moment the organisation reasonably anticipated litigation or regulatory inquiry; FRCP 37(e) reasonable-anticipation reference for United States civil litigation): {{AWARENESS_ANCHOR_TIMESTAMP}}
- Awareness anchor authorising role: {{AWARENESS_ANCHOR_AUTHORISING_ROLE}}
- Awareness anchor authorising named person: {{AWARENESS_ANCHOR_AUTHORISING_NAME}}
Statement of preservation duty:
The named matter requires the named recipients to preserve the named evidence in Section 4 from the named effective date in Section 1 until counsel issues an explicit release-of-hold notice under Section 11. Ordinary-course retention, deletion, archiving, disposition, and ordinary-course evidence treatment do not apply to the named in-scope evidence for the duration of this notice.
4. Preservation scope and source classes
Enumerate the in-scope evidence categories explicitly so the recipient cannot interpret an omission as an exclusion and the preservation cost does not balloon to everything everywhere. Each category is named in-scope or named out-of-scope with the named source surface, the named date range, the named custodian set, the named retention override duration, and the named preservation owner. The checklist forces the drafter to address each surface rather than gloss over it.
Email and email metadata:
- In-scope email mailboxes (named custodians from Section 2): {{EMAIL_CUSTODIANS_IN_SCOPE}}
- In-scope email date range: {{EMAIL_DATE_RANGE}}
- In-scope shared-mailbox or distribution-list traffic: {{EMAIL_SHARED_MAILBOX_LIST}}
- In-scope archived mail tier: {{EMAIL_ARCHIVE_TIER}}
- In-scope email metadata (headers, recipient lists, send timestamps, read receipts): {{EMAIL_METADATA_SCOPE}}
- Named preservation owner: {{EMAIL_PRESERVATION_OWNER}}
Chat and instant-messaging communications:
- In-scope chat platforms (named: Slack, Microsoft Teams, Google Chat, named-other): {{CHAT_PLATFORMS_IN_SCOPE}}
- In-scope channels (named direct messages, named group channels, named private channels): {{CHAT_CHANNELS_IN_SCOPE}}
- In-scope chat date range: {{CHAT_DATE_RANGE}}
- In-scope custodians: {{CHAT_CUSTODIANS_IN_SCOPE}}
- Named preservation owner: {{CHAT_PRESERVATION_OWNER}}
Recorded voice, video, and conference communications:
- In-scope conference platforms (named: Zoom, Microsoft Teams meetings, Google Meet, named-other): {{CONFERENCE_PLATFORMS_IN_SCOPE}}
- In-scope recordings or transcripts: {{CONFERENCE_RECORDINGS_IN_SCOPE}}
- In-scope voicemail mailboxes: {{VOICEMAIL_IN_SCOPE}}
- In-scope call-recording systems: {{CALL_RECORDING_IN_SCOPE}}
- Named preservation owner: {{CONFERENCE_PRESERVATION_OWNER}}
SMS and mobile-messaging surfaces:
- In-scope SMS history on named corporate-issued devices: {{SMS_CORPORATE_DEVICES}}
- In-scope mobile-messaging surfaces (named: WhatsApp business accounts, Signal, iMessage on corporate devices, named-other): {{MOBILE_MESSAGING_IN_SCOPE}}
- Named preservation owner: {{MOBILE_MESSAGING_PRESERVATION_OWNER}}
Document repositories:
- In-scope SharePoint sites, Google Drive shared drives, OneDrive personal drives, Box folders, Dropbox folders, named on-prem file shares: {{DOCUMENT_REPOSITORIES_IN_SCOPE}}
- In-scope date range and version history retention: {{DOCUMENT_REPOSITORIES_DATE_RANGE}}
- Named preservation owner: {{DOCUMENT_REPOSITORIES_PRESERVATION_OWNER}}
Ticketing and project-management surfaces:
- In-scope ticketing platforms (named: Jira, Asana, Linear, ServiceNow, GitHub Issues, GitLab Issues, named-other): {{TICKETING_IN_SCOPE}}
- In-scope projects, boards, queues: {{TICKETING_BOARDS_IN_SCOPE}}
- Named preservation owner: {{TICKETING_PRESERVATION_OWNER}}
Source-code repositories and commit history:
- In-scope code repositories (named: GitHub, GitLab, Bitbucket, named on-prem Git): {{CODE_REPOSITORIES_IN_SCOPE}}
- In-scope branches, named tags, named release artefacts: {{CODE_BRANCHES_IN_SCOPE}}
- Named preservation owner: {{CODE_PRESERVATION_OWNER}}
Build, deployment, and registry systems:
- In-scope CI/CD logs and deploy logs: {{CICD_LOGS_IN_SCOPE}}
- In-scope container-image registries and image tags: {{CONTAINER_REGISTRY_IN_SCOPE}}
- Named preservation owner: {{CICD_PRESERVATION_OWNER}}
Security telemetry and audit logs:
- In-scope SIEM logs: {{SIEM_LOGS_IN_SCOPE}}
- In-scope EDR telemetry: {{EDR_TELEMETRY_IN_SCOPE}}
- In-scope NDR telemetry: {{NDR_TELEMETRY_IN_SCOPE}}
- In-scope identity-provider audit logs (named: Okta, Entra ID, Google Workspace, named-other): {{IDP_AUDIT_LOGS_IN_SCOPE}}
- In-scope cloud-provider audit logs (named: AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs, named-other): {{CLOUD_AUDIT_LOGS_IN_SCOPE}}
- Named preservation owner: {{SECURITY_TELEMETRY_PRESERVATION_OWNER}}
Vulnerability and security finding records:
- In-scope scanner outputs (named: vulnerability scanner exports, SAST exports, SCA exports, named third-party-pentest reports): {{SCANNER_OUTPUTS_IN_SCOPE}}
- In-scope internal-vulnerability-disclosure intake records: {{IVDR_RECORDS_IN_SCOPE}}
- In-scope workspace finding records (named platform: SecPortal or named-other): {{WORKSPACE_FINDING_RECORDS_IN_SCOPE}}
- In-scope finding-comments, finding-state-change history, retest records, exception register entries: {{FINDING_AUDIT_TRAIL_IN_SCOPE}}
- Named preservation owner: {{FINDING_RECORDS_PRESERVATION_OWNER}}
Backup and archive tiers:
- In-scope backup software and named retention period override: {{BACKUP_SOFTWARE_AND_OVERRIDE}}
- In-scope archive tier and named retention period override: {{ARCHIVE_TIER_AND_OVERRIDE}}
- Named preservation owner: {{BACKUP_ARCHIVE_PRESERVATION_OWNER}}
Personal and BYOD devices in scope:
- Named BYOD devices in scope (named imaging procedure required at named effective date): {{BYOD_IN_SCOPE}}
- Named corporate-issued devices in scope (named imaging or named in-place hold method): {{CORP_DEVICES_IN_SCOPE}}
- Named preservation owner: {{DEVICE_PRESERVATION_OWNER}}
Financial, HR, and named third-party records:
- In-scope financial records (named accounting records, named invoice records, named expense reports): {{FINANCIAL_RECORDS_IN_SCOPE}}
- In-scope HR records (named personnel files, named compensation records, named performance records): {{HR_RECORDS_IN_SCOPE}}
- In-scope third-party records (named vendor SOWs, named contracts, named third-party correspondence): {{THIRD_PARTY_RECORDS_IN_SCOPE}}
- Named preservation owner per category: {{NON_TECH_PRESERVATION_OWNERS}}
Categories explicitly out of scope (each entry: category, named reason for exclusion):
- {{OUT_OF_SCOPE_CATEGORY_1}} | Reason {{OUT_OF_SCOPE_REASON_1}}
- {{OUT_OF_SCOPE_CATEGORY_2}} | Reason {{OUT_OF_SCOPE_REASON_2}}
- {{OUT_OF_SCOPE_CATEGORY_3}} | Reason {{OUT_OF_SCOPE_REASON_3}}
5. Preservation actions and prohibited actions
Name the actions custodians must take and the actions custodians must not take. The do-not-do block is the half that recipients forget and the spoliation cases turn on: ordinary-course deletion habits, mailbox auto-clean rules, chat retention defaults, drive trashing, ticket archiving, repository garbage collection, and device wipe-on-departure are all routine activities that have to suspend for the in-scope evidence. The block is written in operational language a non-lawyer recipient can act on.
Custodians must take the following actions:
1. Read and understand this notice and confirm acknowledgement under Section 2 within the named acknowledgement window.
2. Suspend ordinary-course deletion of the in-scope evidence categories from Section 4 within your control. Do not empty mailbox trash, chat trash, drive trash, document trash, ticket trash, repository trash, or local device trash for in-scope evidence.
3. Disable any auto-clean, auto-archive, auto-delete, or auto-expiry rules you have configured against in-scope mailboxes, chat channels, drives, calendars, or named other surfaces. If a system-level auto-expiry rule applies that you cannot disable, notify the named IT preservation owner under Section 6 and the named counsel contact under Section 8.
4. Preserve all draft documents, draft emails, and draft messages relating to the named matter scope. Drafts are evidence and must not be deleted or overwritten.
5. Preserve all in-scope evidence on personal-device surfaces where corporate evidence flows through BYOD devices in scope. Coordinate with named endpoint management under Section 6 for imaging or in-place hold procedures.
6. Notify the named counsel contact under Section 8 within 24 hours if you become aware of in-scope evidence on a system not listed under Section 4 or held by a person not listed under Section 2.
7. Notify the named counsel contact under Section 8 within 24 hours if you receive any inbound correspondence (subpoena, regulator inquiry, third-party request, customer notice, vendor notice) relating to the named matter scope.
8. Continue ordinary business activity on systems not named in scope; this notice does not direct you to stop work generally.
Custodians must not take the following actions:
1. Do not delete, archive, dispose of, modify, redact, or alter in-scope evidence under any circumstance, including in the ordinary course of work, including under pressure from external parties, including under deadlines, and including under storage-quota constraints. If a storage-quota constraint becomes operationally pressing, notify the named IT preservation owner under Section 6 and the named counsel contact under Section 8.
2. Do not forward this notice to recipients outside the named recipient set under Section 2 without counsel approval under Section 8.
3. Do not discuss the named matter scope with parties outside the named recipient set, including with named third parties, named vendors, named family members, and named social-media or named public-forum audiences. Privilege treatment depends on the controlled scope of communication.
4. Do not respond to inbound correspondence about the named matter scope without coordination with the named counsel contact under Section 8.
5. Do not destroy, overwrite, or re-image any device, account, or system surface in scope under Section 4 without coordination with the named IT preservation owner under Section 6.
6. Do not configure new auto-clean, auto-archive, auto-delete, or auto-expiry rules against in-scope evidence categories for the duration of this notice.
7. Do not leave the organisation, transition roles, or hand over named in-scope evidence without coordination with the named counsel contact under Section 8 and named-successor acknowledgement under Section 2.
Where in-scope evidence has already been deleted, overwritten, or disposed of between the duty awareness anchor in Section 3 and the issuance of this notice, notify the named counsel contact under Section 8 within 24 hours. Recovery from backup tiers, archive tiers, and named other recovery sources will be coordinated under counsel direction.
6. System-side preservation steps
The IT, security, and SaaS-administration functions execute the technical preservation that the user-side instructions cannot. Each system has its own legal-hold flag, retention override, audit-log export, and imaging procedure. The block names the action, the responsible role, the named target completion timestamp, and the named verification record on the matter system.
Email and chat preservation actions (named IT and email-chat administration owners):
- Enable legal-hold flag on named in-scope mailboxes by {{EMAIL_HOLD_DEADLINE}}: named owner {{EMAIL_HOLD_OWNER}}; verification record on matter system identifier {{EMAIL_HOLD_VERIFICATION_RECORD}}
- Enable retention override on named chat platforms (per platform) by {{CHAT_HOLD_DEADLINE}}: named owner {{CHAT_HOLD_OWNER}}; verification record {{CHAT_HOLD_VERIFICATION_RECORD}}
- Disable retention auto-expiry on shared mailboxes and distribution-list traffic by {{SHARED_MAILBOX_HOLD_DEADLINE}}: named owner {{SHARED_MAILBOX_HOLD_OWNER}}
Document repository preservation actions (named SaaS-administration owners):
- Enable named legal-hold flag on named SharePoint sites, Google Drive shared drives, OneDrive personal drives, Box folders, Dropbox folders, and named on-prem file shares by {{DOCUMENT_HOLD_DEADLINE}}: named owner {{DOCUMENT_HOLD_OWNER}}; verification record {{DOCUMENT_HOLD_VERIFICATION_RECORD}}
- Confirm version-history retention is not pruned for in-scope documents by {{DOCUMENT_VERSION_HOLD_DEADLINE}}: named owner {{DOCUMENT_VERSION_HOLD_OWNER}}
Ticketing, source-code, and CI/CD preservation actions (named owners):
- Suspend ticketing-archive disposition on in-scope projects, boards, and queues by {{TICKETING_HOLD_DEADLINE}}: named owner {{TICKETING_HOLD_OWNER}}
- Suspend repository garbage collection and enforce force-push protection on in-scope branches by {{CODE_HOLD_DEADLINE}}: named owner {{CODE_HOLD_OWNER}}
- Extend CI/CD log retention and container-image-tag retention for in-scope projects by {{CICD_HOLD_DEADLINE}}: named owner {{CICD_HOLD_OWNER}}
Security telemetry preservation actions (named SOC and security-operations owners):
- Extend SIEM log retention for in-scope log sources by {{SIEM_HOLD_DEADLINE}}: named owner {{SIEM_HOLD_OWNER}}; named retention override duration {{SIEM_HOLD_DURATION}}
- Extend EDR telemetry retention for in-scope endpoints by {{EDR_HOLD_DEADLINE}}: named owner {{EDR_HOLD_OWNER}}
- Extend NDR telemetry retention for in-scope network segments by {{NDR_HOLD_DEADLINE}}: named owner {{NDR_HOLD_OWNER}}
- Export identity-provider audit logs and cloud-provider audit logs for in-scope date range to immutable storage by {{IDP_CLOUD_AUDIT_EXPORT_DEADLINE}}: named owner {{IDP_CLOUD_AUDIT_EXPORT_OWNER}}; named storage location and named chain-of-custody record {{IDP_CLOUD_AUDIT_EXPORT_CHAIN_OF_CUSTODY_RECORD}}
Vulnerability and security finding record preservation actions (named vulnerability management, AppSec, and GRC owners):
- Suspend ordinary-course closure of in-scope finding records by {{FINDING_HOLD_DEADLINE}}: named owner {{FINDING_HOLD_OWNER}}; the suspension preserves the open or accepted state without inferring substantive determination
- Preserve named scanner outputs (vulnerability scanner exports, SAST exports, SCA exports, named third-party-pentest reports) for the in-scope matter scope by {{SCANNER_OUTPUT_HOLD_DEADLINE}}: named owner {{SCANNER_OUTPUT_HOLD_OWNER}}
- Preserve internal-vulnerability-disclosure intake records and named bug-bounty intake records for the in-scope matter scope by {{IVDR_HOLD_DEADLINE}}: named owner {{IVDR_HOLD_OWNER}}
- Export activity log for the in-scope engagement records, finding records, scan records, and document records to CSV with named chain-of-custody by {{ACTIVITY_LOG_EXPORT_DEADLINE}}: named owner {{ACTIVITY_LOG_EXPORT_OWNER}}; named storage location {{ACTIVITY_LOG_EXPORT_STORAGE_LOCATION}}
- Preserve compliance-tracking records and framework-mapping records for in-scope finding records by {{COMPLIANCE_TRACKING_HOLD_DEADLINE}}: named owner {{COMPLIANCE_TRACKING_HOLD_OWNER}}
Backup and archive tier preservation actions (named IT operations and backup owners):
- Extend backup tier retention for in-scope systems by {{BACKUP_HOLD_DEADLINE}}: named owner {{BACKUP_HOLD_OWNER}}; named retention override duration {{BACKUP_HOLD_DURATION}}
- Extend archive tier retention for in-scope systems by {{ARCHIVE_HOLD_DEADLINE}}: named owner {{ARCHIVE_HOLD_OWNER}}; named retention override duration {{ARCHIVE_HOLD_DURATION}}
Device preservation actions (named endpoint management and identity-and-access owners):
- Image named in-scope corporate-issued devices by {{DEVICE_IMAGING_DEADLINE}}: named owner {{DEVICE_IMAGING_OWNER}}; named imaging procedure {{DEVICE_IMAGING_PROCEDURE}}; named storage location for images {{DEVICE_IMAGE_STORAGE_LOCATION}}
- Suspend wipe-on-departure for named in-scope user accounts by {{ACCOUNT_WIPE_HOLD_DEADLINE}}: named owner {{ACCOUNT_WIPE_HOLD_OWNER}}
- Coordinate BYOD-device named in-place hold or named imaging procedure by {{BYOD_HOLD_DEADLINE}}: named owner {{BYOD_HOLD_OWNER}}
External-service-provider coordination actions (named vendor SPOCs from Section 2):
- Notify each named external service provider of the named preservation responsibility by {{VENDOR_NOTIFY_DEADLINE}}: named owner {{VENDOR_NOTIFY_OWNER}}; named acknowledgement record from each vendor SPOC required
- Verify each named external service provider has executed named platform-level legal-hold actions by {{VENDOR_VERIFY_DEADLINE}}: named owner {{VENDOR_VERIFY_OWNER}}
Verification record:
The named matter record captures each system-side action with the named owner, the named action timestamp, the named verification artefact, and the named chain-of-custody where applicable. Counsel reviews the verification record at the named reissue cadence under Section 10.
7. Exceptions and ordinary-course carve-outs
Name the systems and the retention rules that continue to apply outside the in-scope evidence. Without an explicit carve-out, recipients over-preserve everything everywhere, preservation cost balloons, and audit defensibility for the broader retention programme suffers. The block names privileged-evidence treatment separately so the privileged-communication channel does not commingle with the general preservation chain.
Systems explicitly out of scope (each entry: system, named reason for exclusion):
- {{OUT_OF_SCOPE_SYSTEM_1}} | Reason {{OUT_OF_SCOPE_SYSTEM_1_REASON}}
- {{OUT_OF_SCOPE_SYSTEM_2}} | Reason {{OUT_OF_SCOPE_SYSTEM_2_REASON}}
- {{OUT_OF_SCOPE_SYSTEM_3}} | Reason {{OUT_OF_SCOPE_SYSTEM_3_REASON}}
Retention rules that continue to apply outside the in-scope evidence (each entry: rule, named applicable scope, named policy reference):
- {{ONGOING_RETENTION_RULE_1}} | Applicable scope {{ONGOING_SCOPE_1}} | Policy reference {{ONGOING_POLICY_REFERENCE_1}}
- {{ONGOING_RETENTION_RULE_2}} | Applicable scope {{ONGOING_SCOPE_2}} | Policy reference {{ONGOING_POLICY_REFERENCE_2}}
- {{ONGOING_RETENTION_RULE_3}} | Applicable scope {{ONGOING_SCOPE_3}} | Policy reference {{ONGOING_POLICY_REFERENCE_3}}
Privileged-evidence treatment block:
- Communications between counsel and named recipients about the named matter scope are privileged attorney-client communications. Preserve such communications under counsel-directed handling.
- Work-product material prepared in anticipation of litigation is protected under the work-product doctrine. Preserve such material under counsel-directed handling separate from the operational evidence preservation under Section 6.
- Forensic investigation reports, e-discovery vendor work, and counsel-directed expert work are privileged. Do not commingle them with operational evidence repositories. Named storage location for privileged-evidence repository: {{PRIVILEGED_EVIDENCE_REPOSITORY_LOCATION}}; named access control to privileged-evidence repository: {{PRIVILEGED_EVIDENCE_ACCESS_CONTROL}}; named counsel approver for access: {{PRIVILEGED_EVIDENCE_COUNSEL_APPROVER}}
Cross-border data transfer block (where the matter scope reaches evidence held in jurisdictions outside the United States):
- Named in-scope jurisdictions outside the United States: {{NON_US_JURISDICTIONS_IN_SCOPE}}
- Named GDPR Article 6 lawful basis applied for legal-hold processing in European Economic Area jurisdictions: {{GDPR_ARTICLE_6_LAWFUL_BASIS}}
- Named GDPR Chapter V transfer mechanism applied for cross-border evidence transfer: {{GDPR_CHAPTER_V_MECHANISM}} (one of: Standard Contractual Clauses, Binding Corporate Rules, adequacy decision, Article 49 derogations for specific litigation purposes)
- Named records-of-processing-activity update reference: {{ROPA_UPDATE_REFERENCE}}
- Named data-protection-impact-assessment consideration reference: {{DPIA_CONSIDERATION_REFERENCE}}
- Named works-council notification or co-determination obligation reference (where applicable in Germany, France, Netherlands, Italy, named-other works-council jurisdictions): {{WORKS_COUNCIL_REFERENCE}}
- Named UK GDPR equivalent transfer mechanism reference: {{UK_GDPR_TRANSFER_REFERENCE}}
- Named other-jurisdiction data-protection mechanism references (LGPD, PIPEDA, named-other): {{OTHER_JURISDICTION_MECHANISMS}}
Operational-continuity exceptions:
- Where operational-continuity demands a deviation from the named preservation actions (named example: named system migration that cannot be deferred, named regulatory filing deadline that requires named evidence movement, named security incident response that requires named active modification), notify the named counsel contact under Section 8 in advance, document the deviation reason on the named matter record, and execute the deviation only under named counsel approval.
Personal-data minimisation note:
- This notice does not direct collection of additional personal data beyond what is already held under ordinary business operation. Preservation under this notice does not authorise expanded surveillance, expanded monitoring, or expanded data collection on named recipients or named in-scope individuals. Counsel-directed forensic investigation work, if any, runs under separate counsel-issued authorisation.
8. Questions and counsel contact
Direct all clarifying questions and operational concerns to a single named counsel contact with a named SLA and a named privileged-communication treatment statement. Without a named contact, recipients route questions through unrestricted channels (general all-hands chat, helpdesk tickets, social channels) and the privilege treatment weakens.
Named primary counsel contact for clarifying questions:
- Named person at time of issuance: {{COUNSEL_CONTACT_NAME}}
- Role: {{COUNSEL_CONTACT_ROLE}}
- Email (privileged): {{COUNSEL_CONTACT_EMAIL}}
- Direct phone: {{COUNSEL_CONTACT_PHONE}}
- Named privilege-treated channel reference: {{COUNSEL_CONTACT_PRIVILEGED_CHANNEL_REFERENCE}}
Named secondary counsel contact (in case the named primary is unavailable):
- Named person: {{COUNSEL_SECONDARY_NAME}}
- Role: {{COUNSEL_SECONDARY_ROLE}}
- Email: {{COUNSEL_SECONDARY_EMAIL}}
- Direct phone: {{COUNSEL_SECONDARY_PHONE}}
Named after-hours and weekend contact pathway: {{COUNSEL_AFTER_HOURS_PATHWAY}}
Named SLA for counsel response to a clarifying question:
- During business hours: {{COUNSEL_SLA_BUSINESS_HOURS}}
- After hours and weekends: {{COUNSEL_SLA_AFTER_HOURS}}
- Where the question relates to an active spoliation risk (named in-flight deletion, named ordinary-course disposition about to fire): {{COUNSEL_SLA_SPOLIATION_RISK}}
Privilege treatment for clarifying questions:
Clarifying questions to the named counsel contact about the named matter scope are privileged attorney-client communications. Send such questions only to the named privilege-treated channels above. Do not raise such questions on general team chat, general all-hands meetings, general helpdesk ticketing, general social channels, or with parties outside the named recipient set under Section 2.
What to do if you receive inbound third-party correspondence about the named matter:
- Notify the named counsel contact within 24 hours, attach the inbound correspondence, and do not respond on your own.
- Examples: a subpoena, a regulator inquiry, a customer demand letter, a vendor demand letter, a press inquiry, a social-media inquiry, a recruiter inquiry, a contractual-partner inquiry, named-other.
What to do if you become aware of in-scope evidence in a system or held by a person not listed under Sections 2 and 4:
- Notify the named counsel contact within 24 hours, name the system or person, and do not modify or disclose the evidence yourself.
9. Acknowledgement and certification
Capture acknowledgement on a per-recipient basis with a named text the recipient affirms, a named return-by deadline, and a named record on the matter system. Without an acknowledgement record, the FRCP 37(e) reasonable-steps defence weakens; with one, the defence has a verifiable evidentiary backbone.
Acknowledgement text for each named recipient:
I, the named recipient identified below, acknowledge that I have read this legal hold notice for the named matter {{MATTER_IDENTIFIER}} dated {{NOTICE_EFFECTIVE_DATE}} (version v{{NOTICE_VERSION}}). I understand the named preservation duty in Section 3, the named preservation scope and source classes in Section 4, the named preservation actions and prohibited actions in Section 5, and the named privileged-communication treatment for clarifying questions in Section 8. I will preserve the named in-scope evidence within my control, I will suspend ordinary-course deletion and ordinary-course retention of the named in-scope evidence, and I will not discuss the named matter scope with parties outside the named recipient set without coordination with the named counsel contact. I will notify the named counsel contact within 24 hours if I become aware of in-scope evidence held outside the named systems and persons listed, if I receive inbound correspondence about the named matter scope, or if I become aware that in-scope evidence has already been deleted or modified.
Acknowledgement metadata captured on the matter record:
- Recipient role: {{ACKNOWLEDGEMENT_RECIPIENT_ROLE}}
- Recipient named person at time of acknowledgement: {{ACKNOWLEDGEMENT_RECIPIENT_NAME}}
- Acknowledgement timestamp: {{ACKNOWLEDGEMENT_TIMESTAMP}}
- Acknowledgement channel (named email confirmation, named in-platform attestation, named portal sign-off): {{ACKNOWLEDGEMENT_CHANNEL_RECORD}}
- Named acknowledgement record reference on matter system: {{ACKNOWLEDGEMENT_RECORD_REFERENCE}}
Team-lead rollup record (where a named team lead acknowledges on behalf of the team scope identified under Section 2):
- Team function: {{TEAM_LEAD_ROLLUP_FUNCTION}}
- Team-lead named person: {{TEAM_LEAD_ROLLUP_NAME}}
- Team-lead acknowledgement timestamp: {{TEAM_LEAD_ACKNOWLEDGEMENT_TIMESTAMP}}
- Named individual confirmations under the team scope: {{TEAM_INDIVIDUAL_CONFIRMATION_LIST}}
- Team-lead rollup completion deadline target: {{TEAM_LEAD_ROLLUP_DEADLINE}}
- Actual team-lead rollup completion timestamp: {{TEAM_LEAD_ROLLUP_ACTUAL}}
Acknowledgement-gap escalation:
- Named acknowledgement-gap escalation owner: {{ACKNOWLEDGEMENT_GAP_ESCALATION_OWNER}}
- Named target hours-to-escalation after the acknowledgement deadline passes: {{ACKNOWLEDGEMENT_GAP_HOURS_TO_ESCALATION}}
- Named escalation pathway for unacknowledged recipients: {{ACKNOWLEDGEMENT_GAP_PATHWAY}}
Certification at programme level:
The named acknowledgement record is preserved on the named matter system as part of the FRCP 37(e) reasonable-steps record and as part of the regulator-engagement evidence record where the matter is regulator-noticed.
10. Periodic reissue and refresher cadence
The hold remains in force as long as the matter remains open. Reissue is a defensibility discipline: counsel reissues the notice on a named cadence and on named triggers, captures fresh acknowledgements, and records the named version chain on the matter system. Without periodic reissue, role changes break recipient continuity, technology migration breaks system-side preservation, and the FRCP 37(e) reasonable-steps record degrades.
Named periodic reissue cadence:
- Named reissue cadence (recommended: at least annually for matters longer than a year; more frequently where the named recipient set has high turnover): {{REISSUE_CADENCE}}
- Named next scheduled reissue date: {{NEXT_REISSUE_DATE}}
- Named reissue owner: {{REISSUE_OWNER}}
Named reissue triggers (each trigger fires a reissue independent of the named cadence):
- Named scope expansion (named additional custodians added or named additional evidence categories added): {{SCOPE_EXPANSION_TRIGGER_DEFINITION}}
- Named scope contraction (named custodians released): {{SCOPE_CONTRACTION_TRIGGER_DEFINITION}}
- Named matter classification change (named promotion of an internal investigation to a regulator-noticed matter): {{MATTER_CLASSIFICATION_CHANGE_TRIGGER_DEFINITION}}
- Named recipient turnover (named recipient role changes, named recipient departure, named recipient role transition with handover to named successor): {{RECIPIENT_TURNOVER_TRIGGER_DEFINITION}}
- Named technology change (named migration to a new email or chat or SaaS platform that requires re-articulation of the preservation scope on the new system): {{TECHNOLOGY_CHANGE_TRIGGER_DEFINITION}}
- Named regulator development (named subpoena, named civil investigative demand, named regulator inquiry expansion): {{REGULATOR_DEVELOPMENT_TRIGGER_DEFINITION}}
- Named counsel determination that the matter requires refresher communication: {{COUNSEL_DISCRETION_TRIGGER_DEFINITION}}
Named refresher training cadence (a structured walk-through of the preservation discipline for the named recipient set):
- Named refresher training cadence: {{REFRESHER_TRAINING_CADENCE}}
- Named refresher training owner: {{REFRESHER_TRAINING_OWNER}}
- Named refresher training format (named live session, named recorded session, named scenario-based exercise): {{REFRESHER_TRAINING_FORMAT}}
- Named refresher training attendance record reference: {{REFRESHER_TRAINING_ATTENDANCE_RECORD_REFERENCE}}
Reissue version chain on the matter system:
- Initial issuance: v1 effective {{INITIAL_ISSUANCE_DATE}}, recipient set v1, system-side actions v1
- Reissue version chain (each entry: version, effective date, named trigger, named recipient-set change, named system-side action change, named owner): {{REISSUE_VERSION_CHAIN}}
Acknowledgement renewal at each reissue:
Each reissue triggers a fresh acknowledgement from each named recipient under the acknowledgement text in Section 9. The acknowledgement renewal record is preserved on the named matter system as part of the reasonable-steps record. Unacknowledged reissues fire the acknowledgement-gap escalation pathway under Section 9.
11. Release of hold pathway
A legal hold does not lapse on a calendar schedule or auto-release on resolution of the underlying complaint. It is released only by explicit written release-of-hold notice from counsel that identifies the matter, names the prior recipients, names the released evidence categories, and dates the release. The release notice is preserved on the matter record alongside the original hold notice and any reissues.
Conditions under which counsel may consider release of the named hold:
- Final resolution of the underlying litigation including the expiration of the appeal window: {{LITIGATION_RESOLUTION_CONDITION}}
- Settlement with broad-form release language covering the named claim categories: {{SETTLEMENT_CONDITION}}
- Dismissal with prejudice: {{DISMISSAL_CONDITION}}
- Formal closure of a regulator investigation with named regulator confirmation: {{REGULATOR_CLOSURE_CONDITION}}
- Expiration of the statute of limitations on related claims that the matter could give rise to: {{STATUTE_OF_LIMITATIONS_CONDITION}}
- Counsel determination that the matter scope no longer reaches the named evidence categories: {{COUNSEL_DETERMINATION_CONDITION}}
Release-of-hold notice content:
- Matter identifier: {{RELEASE_MATTER_IDENTIFIER}}
- Released-hold notice version reference (the most recent reissue at time of release): v{{RELEASED_NOTICE_VERSION}}
- Named release effective date: {{RELEASE_EFFECTIVE_DATE}}
- Named in-house counsel signatory authorising release: {{RELEASE_COUNSEL_NAME}}
- Named outside counsel concurring (where applicable): {{RELEASE_OUTSIDE_COUNSEL_CONCURRENCE}}
- Statement of release: The named hold for matter {{RELEASE_MATTER_IDENTIFIER}} is released effective {{RELEASE_EFFECTIVE_DATE}}. The named recipients identified in Section 2 of the released notice are no longer subject to the preservation discipline set out in Sections 4 through 6 for the named scope, subject to the named carve-outs below.
- Named carve-outs that remain in force despite the release (each entry: carve-out category, named reason, named retention period): {{RELEASE_CARVE_OUTS}}
- Named ordinary-course retention schedule that resumes for the released evidence categories: {{RESUME_RETENTION_SCHEDULE_REFERENCE}}
- Named system-side action schedule for resumption (named removal of named legal-hold flags, named restoration of named auto-clean rules, named return of named imaged-device storage to ordinary disposition): {{RELEASE_SYSTEM_SIDE_ACTIONS}}
Release-acknowledgement requirement:
Each named recipient acknowledges receipt of the release-of-hold notice within {{RELEASE_ACKNOWLEDGEMENT_WINDOW_HOURS}} hours, confirming understanding that the preservation discipline under the prior notice is no longer in force for the named scope. The release acknowledgement is captured on the named matter system.
Post-release retention disposition:
- Named ordinary-course retention disposition schedule resumes for released evidence categories: {{POST_RELEASE_DISPOSITION_SCHEDULE_REFERENCE}}
- Named owner of post-release disposition execution: {{POST_RELEASE_DISPOSITION_OWNER}}
- Named target completion date for post-release backlog disposition: {{POST_RELEASE_BACKLOG_TARGET}}
Note: Where the same evidence is in scope of more than one open hold, release of one hold does not release the evidence; ordinary-course disposition resumes only when all overlapping holds release the evidence categories.
12. Cross-references and matter record
Close the notice with the named cross-references that anchor the hold inside the broader matter and programme records: the matter-management record, the incident engagement record where applicable, the audit-evidence retention policy, the regulator-engagement protocol, and the named cyber-insurance notice-of-claim. The block makes the hold readable as one artefact in a chain rather than as a standalone document.
Named matter-management record reference: {{MATTER_MANAGEMENT_RECORD_REFERENCE}}
Named related artefacts on the matter record:
- Audit-evidence retention policy version overridden by this notice: {{AUDIT_RETENTION_POLICY_VERSION_OVERRIDE}}
- Incident engagement record (where the matter relates to an active incident): {{INCIDENT_ENGAGEMENT_RECORD_REFERENCE}}
- Incident response runbook applied (where the matter relates to an active incident): {{INCIDENT_RUNBOOK_REFERENCE}}
- Security incident severity classification record applied: {{INCIDENT_SEVERITY_RECORD_REFERENCE}}
- Regulator-engagement protocol reference: {{REGULATOR_ENGAGEMENT_PROTOCOL_REFERENCE_FINAL}}
- Data breach notification letter reference (where the matter relates to a notifiable breach): {{BREACH_NOTIFICATION_LETTER_REFERENCE}}
- Cyber-insurance notice-of-claim record: {{CYBER_INSURANCE_NOTICE_REFERENCE}}
- Litigation-support vendor record: {{LITIGATION_SUPPORT_VENDOR_RECORD_REFERENCE}}
- E-discovery vendor record (where applicable): {{EDISCOVERY_VENDOR_RECORD_REFERENCE}}
- Records-of-processing-activity update reference (where European personal data is in scope): {{ROPA_UPDATE_REFERENCE_FINAL}}
Named programme-level cross-references:
- Vulnerability disclosure policy version applied (where named workspace finding records are in scope): {{VULNERABILITY_DISCLOSURE_POLICY_VERSION}}
- Vulnerability management policy version applied (where named finding records are in scope): {{VULNERABILITY_MANAGEMENT_POLICY_VERSION}}
- Audit evidence retention policy version applied to non-overridden categories: {{AUDIT_EVIDENCE_RETENTION_POLICY_VERSION}}
- Security exception register reference for in-scope finding records under hold: {{SECURITY_EXCEPTION_REGISTER_REFERENCE}}
- Named compliance-tracking framework records relevant to the named matter scope: {{COMPLIANCE_TRACKING_FRAMEWORKS_LIST}}
Named framework expectations evidenced by the hold notice operating on the workspace:
- SOC 2 CC1.4 (Demonstrates Commitment to Integrity and Ethical Values), CC2.1 (Information and Communication), and CC8.1 (Change Management) read on the documented hold and version-chain discipline.
- ISO/IEC 27001:2022 Annex A 5.33 (Protection of Records), A 5.34 (Privacy and Protection of Personally Identifiable Information), A 7.10 (Storage Media), and A 8.10 (Information Deletion) read on the matter-scoped retention override and the cross-border treatment.
- NIST SP 800-53 AU-11 (Audit Record Retention), MP-6 (Media Sanitization), and CM-3 (Configuration Change Control) read on the audit log preservation and the system-side preservation chain.
- PCI DSS 10.5 (Audit Trail Files Protection) and 10.7 (Audit Trail History Retention) read on the SIEM and audit log preservation scope.
- HIPAA Security Rule 164.316(b)(2) (Documentation Retention) reads on the six-year named retention floor where in scope.
- DORA Article 28 (ICT third-party risk) reads on the named external service provider preservation block.
- FRCP 37(e) (Failure to Preserve Electronically Stored Information) reads on the reasonable-steps record across acknowledgement, reissue, system-side action, and release-of-hold version chain.
Twelve failure modes the legal hold notice has to design against
Legal hold programmes fail under matter pressure in recognisable patterns. Each failure has a structural counter that the template above is designed to enforce. Read this list before customising the template so the customisation does not weaken the discipline that makes the hold defensible across deposition, sanctions briefing, regulator inquiry, and audit-committee read.
Late issuance after the duty-to-preserve trigger fires
The duty-to-preserve trigger fires (threat letter received, regulator inquiry opened, internal investigation activated) and the hold notice goes out days or weeks later. Ordinary-course deletion runs during the gap and named in-scope evidence is destroyed. The structural counter is a documented trigger-watch protocol with named ownership and a target hours-to-issue commitment so the issuance lag does not become the spoliation argument.
Over-broad scope that the recipient cannot operate on
The notice names every system in the organisation as in-scope. Preservation cost balloons, custodians ignore the notice as overstated noise, and the matter record cannot prove the named recipients actually preserved the named evidence. The counter is matter-scoped categories with named in-scope and named out-of-scope discipline at Section 4 so the recipient understands what is actually being preserved and the verification record reflects discrete actions rather than blanket commitments.
Under-broad scope that omits the named in-scope chat, SaaS, or vendor surface
The notice covers email and shared drives but omits the named chat platform, the named ticketing surface, the named SaaS application, or the named external-service-provider relationship that holds the relevant evidence. The named in-scope evidence is destroyed under ordinary-course retention on the unaddressed surface. The counter is the named-category checklist at Section 4 that forces the drafter to address every surface explicitly as named in-scope or named out-of-scope.
Missing acknowledgement records on the matter system
Recipients receive the notice but do not acknowledge it, and the matter record cannot prove receipt and reading. Under deposition the recipient claims they never saw the notice and the FRCP 37(e) reasonable-steps defence weakens. The counter is the named acknowledgement requirement at Section 9 with a named tracker, a named team-lead rollup record, and a named acknowledgement-gap escalation pathway.
No reissue cadence and no refresher training
The notice issues once and is never refreshed. Role changes break recipient continuity, technology migration breaks system-side preservation, and the matter ages while the preservation drifts. Under deposition years later, the team cannot demonstrate the hold remained operationally in force. The counter is the named reissue cadence at Section 10 with named triggers and named refresher training cadence captured on the matter record.
No release-of-hold pathway
The matter closes but no formal release-of-hold notice issues, the hold remains in force indefinitely, ordinary-course retention does not resume, and evidence accumulates that should have been disposed of under standing policy. The counter is the named release pathway at Section 11 with the named approver, the named carve-outs, and the named ordinary-course retention schedule that resumes.
Ad-hoc oral instruction in place of a written notice
A counsel-side or security-side stakeholder verbally instructs custodians to preserve evidence but no written notice issues. There is no recipient record, no acknowledgement record, and no system-side action record. Under FRCP 37(e) sanctions briefing the reasonable-steps defence has no documentation. The counter is a written notice issued under named counsel authority with a named matter record at Section 1.
Vendor and third-party omission from the recipient set
The notice names internal custodians but does not extend to the named external service providers, managed-service providers, e-discovery vendors, payroll providers, or named cloud providers that hold relevant evidence. Third-party-held evidence is destroyed under the vendor ordinary-course retention. The counter is the named external service provider block at Section 2 with named SPOC, named contract reference, and named preservation responsibility.
Cross-border omission of the GDPR, UK GDPR, and works-council block
The notice issues to European custodians without addressing GDPR Article 6 lawful basis for the extended retention, the Chapter V transfer mechanism for evidence transfer to United States e-discovery infrastructure, the records-of-processing-activity update, the data-protection-impact-assessment consideration, or the works-council notification obligation. The cross-border preservation is technically unlawful or operationally challenged. The counter is the named cross-border block at Section 7 with the named GDPR Article 6 basis, the named transfer mechanism, and the named works-council reference.
System-side gap between the user-side instruction and the technical preservation
Recipients understand the hold but the named IT, security, and SaaS-administration technical preservation steps are not executed: legal-hold flags are not enabled, retention overrides are not configured, audit logs are not exported to immutable storage, devices are not imaged. The user-side discipline cannot compensate for the system-side gap. The counter is the named system-side preservation steps block at Section 6 with named owners, named target completion timestamps, and named verification records.
Privilege leakage on clarifying questions
Clarifying questions to counsel flow through unrestricted channels (general all-hands chat, helpdesk tickets, social channels) and become discoverable. The privilege treatment weakens and the privileged-communication chain commingles with operational evidence. The counter is the named counsel contact at Section 8 with the named privilege-treated channel reference and the named privilege treatment statement at Section 1.
Inconsistent reissue across the recipient set
Some recipients are reissued; others are not. The matter record cannot prove the hold remained in force for the silent recipients, and under deposition years later the silent-recipient cohort becomes the argument that the preservation discipline lapsed. The counter is the named reissue-tracking record at Section 10 with the named version chain, the named recipient-set change record per version, and the named acknowledgement renewal at each reissue.
Ten questions a quarterly legal-hold programme review has to answer
Per-matter post-hold review keeps each notice current. Programme-wide review answers the cumulative question: is the preservation capability durably audit-ready, and is the programme on top of the FRCP 37(e) reasonable-steps record, the cross-border block, the reissue cadence, the vendor-side coordination, and the release-of-hold discipline? Run these ten questions at every quarterly programme review and capture the answers in the programme-level summary record on the matter-management system.
1. How many active legal holds did the programme operate during the period, broken out by matter classification (civil litigation, regulatory inquiry, government investigation, internal investigation, cyber-insurance claim, contractual dispute, employment dispute, securities-class-action), and how many of those holds were issued within the named hours-to-issue commitment after the duty-to-preserve trigger fired?
2. How many named recipients across all active holds acknowledged the notice within the named acknowledgement window, and how many entered the acknowledgement-gap escalation pathway under Section 9 before acknowledging?
3. How many active holds had a named reissue executed during the period under the named cadence at Section 10, and how many reissues were triggered by a named recipient turnover, a named technology change, a named scope expansion, or a named regulator development?
4. How many active holds executed the named system-side preservation steps at Section 6 within the named target completion timestamps, and how many had named verification records preserved on the matter system?
5. How many active holds had a named cross-border block at Section 7 with a named GDPR Article 6 lawful basis, a named Chapter V transfer mechanism, a named records-of-processing-activity update reference, and a named works-council reference where applicable?
6. How many active holds had named external service provider notification under Section 2, named vendor SPOC acknowledgement, and named vendor-side platform-level legal-hold actions verified during the period?
7. How many holds were released during the period, with named release-of-hold notices issued under Section 11, named release acknowledgements captured, and named ordinary-course retention disposition resumed for the released evidence categories?
8. How many spoliation arguments or sanctions motions were raised against the organisation during the period under FRCP 37(e) or an equivalent jurisdictional analogue, what was the disposition of each, and what programme remediation followed?
9. How many holds had an unnoticed gap in the recipient set discovered during the matter (named in-scope evidence held by a person not on the recipient list, named in-scope evidence held in a system not in the preservation scope), and how many of those gaps were notified to the named counsel contact under Section 8 within 24 hours of discovery?
10. How many holds had the audit-evidence-tracker, the activity-log CSV export, the named scanner-output preservation, and the named workspace finding records preserved through the matter on the live workspace rather than through ad-hoc downloads?
How the legal hold notice pairs with SecPortal
The template above is copy-ready as a standalone artefact and does not require any platform to operate. If the security, vulnerability management, AppSec, and GRC functions already run finding records, engagement records, evidence intake, exception management, retest records, and audit-evidence packaging on a workspace, the hold notice becomes one of several artefacts attached to a matter engagement record rather than a separate document lifecycle. SecPortal opens a matter or incident engagement at the moment the duty-to-preserve trigger fires through engagement management so the named matter scope, the named recipient set, the named in-scope finding records, and the named in-scope evidence package all live on one workspace record from the first hour rather than being reconstructed weeks later when the matter discipline tightens.
The findings management feature captures the named in-scope finding records under the unified finding schema with CVSS 3.1 calibration, severity band, named owner, named scope capture, named evidence pointer, and named retest pointer, so the named matter-scope preservation reads against a structured backlog rather than a chat transcript. The finding overrides feature carries the eight-field exception decision chain (named scope, named approver, named rationale, named effective period, named review cadence, named framework reference, named acceptance method, named justification) so the named compensating-control and the named acceptance posture for residual conditions in scope of the matter stays on the live record under the hold rather than on a side spreadsheet that nobody renews.
The document management feature stores the executed hold notice, the named reissue records, the named acknowledgement records, the named release-of-hold notice, and the named privileged-evidence retention overlay as versioned artefacts. The activity log captures named-actor status transitions on every entity (finding state change, exception decision, retest closure, evidence attachment) by named user and timestamp with CSV export, so the audit chain of preservation discipline is reconstructable from the workspace rather than from forwarded emails or chat archives that depositions cannot read.
The compliance tracking feature maps the framework expectations the hold engages (SOC 2 CC1.4 and CC2.1 evidence integrity, ISO 27001 Annex A 5.33 protection of records, A 5.34 privacy and protection of personally identifiable information, A 8.10 information deletion, NIST 800-53 AU-11 audit record retention, PCI DSS 10.5 audit log retention, HIPAA 164.316 documentation retention) so the parallel preservation posture is visible on one record.
The team management feature carries the role-based access control with the named role grants (owner, admin, member, viewer, billing) so matter-scoped access can be narrowed to counsel-approved roles rather than left wide open. The multi-factor authentication enforcement gates workspace access so the access record reads as a documented control rather than as a hope.
The retesting workflows feature pairs each retest to the original finding so the in-scope finding chain stays on one record under the hold rather than fracturing into new records that lose the preservation linkage. The encrypted credential storage feature carries the AES-256-GCM encrypted credential records scoped to verified domains for authenticated scanning, which are themselves frequent subjects of preservation under matters that touch authenticated-DAST evidence. The AI report generation workflow can draft the leadership read of the named matter posture across reporting cadences from the same engagement data so the disclosure committee, the audit committee, and the cyber-insurance claim review read against the same underlying evidence rather than against three reconstructed narratives.
Honest scope: SecPortal does not provide legal counsel, does not draft the legal hold notice on the customer platform side, does not enforce preservation at the underlying operating-system or SaaS layer, does not execute legal-hold flags on third-party platforms, does not file with courts, does not push to named e-discovery platforms (Microsoft Purview, Google Vault, Relativity, Logikcull, DISCO, Everlaw, Reveal, OpenText, named-other), does not deliver named-vendor litigation-hold platform integrations, does not ship native push connectors into Jira, ServiceNow, OneTrust, Vanta, Drata, SecureFrame, Whistic, LogicGate, Archer, MetricStream, RSA Archer, AuditBoard, Resolver, ServiceNow IRM, or any GRC platform, does not provide enterprise SSO or SCIM, does not automate approval routing, and does not automate hold issuance. Customer-side counsel, the named litigation-support function, the named e-discovery vendor, the named IT preservation team, the named security operations team, and the named GRC function continue to own the substantive preservation work; the platform carries the consolidated finding-and-engagement operating record those experts read into.
Who reads the legal hold notice artefact
CISOs, security directors, and security programme owners
CISOs, security directors, security programme owners, and audit-committee chairs read the legal hold notice template as the named operational artefact that lets the security organisation respond to inbound preservation instructions from counsel with a structured matter record rather than ad-hoc downloads from chat archives. Pair the template with the CISOs persona page and the security leadership reporting workflow.
GRC, compliance, and privacy teams
GRC and compliance teams, privacy officers, and data protection officers read the template as the bridge between in-house counsel preservation instruction and the standing audit-evidence retention policy the GRC function operates. The Section 7 cross-border block, the Section 12 framework expectations block, and the Section 11 release-of-hold pathway directly inform how the standing retention disposition schedule resumes after the matter closes. Pair the template with the GRC and compliance teams persona page and the audit evidence retention and disposal workflow.
SOC, vulnerability management, AppSec, and security engineering teams
SOC analysts, vulnerability management leads, AppSec engineers, security engineering leads, and incident response leads read the template as the formal preservation instruction that overlays a matter-specific retention override on the SIEM telemetry, the EDR telemetry, the scanner outputs, the named workspace finding records, and the activity-log evidence the team operates. Pair the template with the vulnerability management teams persona page, the security incident evidence handover workflow, and the scanner-to-ticket handoff governance use case.
Internal security teams and incident response leads
Internal security teams and incident response leads read the template as the artefact the response will reach for in the post-incident phase when counsel-issued preservation instructions land on the team that operates the named log sources, the named SIEM, the named EDR, and the named workspace finding records. Pair the template with the internal security teams persona page and the cyber insurance security evidence workflow.