Preservation. Legal hold issued and acknowledged.
The duty to preserve arises the moment litigation, an investigation or a regulator's involvement is reasonably in contemplation. Meeting it takes more than an email.
- Phase
- 02 of 06
- Discipline
- Preservation
- Standard
- ACPO · ISO 27001
Plate · PreservationMaking the duty to preserve visible.
Preservation converts identified sources into a locked state. Mailbox auto-deletion is disabled, retention policies are suspended for named accounts, backup rotations are held, ephemeral chat channels are captured or paused, and departing-custodian offboarding is halted for accounts on hold. Each measure is logged, timestamped and reversible only under authorisation.
Preservation is the phase where a legal obligation becomes an evidenced act. A hold that is issued but not acknowledged, or issued but not enforced by system controls, is worth very little when the completeness of disclosure is later challenged.
Our approach is to combine an instrument that custodians can understand and sign, with in-place technical measures that stop routine deletion at source. Both belong on the same file. Either alone is exposure.
How preservation runs on our matters.
- 01
Legal hold notice
A plain-English hold drafted with counsel, tailored to each custodian population, delivered with tracked acknowledgment and a working help line for questions.
- 02
In-place holds
Litigation hold on M365 mailboxes and OneDrive, retention holds on SharePoint sites and Teams channels, equivalent controls on Google Workspace, Slack and Box, applied by service account and logged.
- 03
Backup & archive freeze
Backup rotations paused for the relevant systems and dates. Archived accounts and journaled email preserved. Nothing decommissioned without written release.
- 04
Endpoint & mobile preservation
For high-risk custodians, endpoints and handsets are imaged early rather than left in production. Standard for departing employees and for investigations subjects.
- 05
Third-party notices
Cloud vendors, payroll providers, HR platforms and any third party holding relevant data receive their own written preservation instruction with a receipted response.
- 06
Compliance monitoring
Acknowledgments tracked to completion. Non-responders escalated. Periodic re-issue for long-running matters and for new joiners to the custodian population.
What preservation produces.
What arrives at the end of the phase, in a form the next phase, or a court, can rely on.
- Signed and acknowledged legal hold notices for every custodian
- System-side hold report showing measures applied per source
- Backup and retention-policy suspension records
- Third-party preservation letters and their receipts
- Chain-of-custody entry for every endpoint or handset held
- Ongoing compliance log for the life of the matter
Where preservation goes wrong.
The failures we see cluster around two themes. First, the hold is treated as an email rather than a workflow, so acknowledgments are not tracked, new joiners are missed and departing custodians walk out with active accounts still in scope. Second, the technical controls are not aligned with the notice, so a user is told to preserve while retention policy quietly deletes their mail in the background. We close both gaps by running notice and control as a single, audited exercise.
Continue through the workflow.
Bring us in early.
Defensibility is built, not retrofitted.
Whether you are responding to a regulator, preparing for disclosure, or scoping an internal investigation, start the chain of custody with a short, confidential conversation.
