markus41/plugins/lobbi-compliance-guard/skills/data-retention

Data Retention and Deletion Policy Design

Design a complete data retention and deletion policy covering inventory, regulatory minimums, retention schedule, legal hold procedures, deletion runbook, and technical implementation guidance.

Step 1: Data Inventory

Identify and classify all data types the client holds. For each, document:

| Data Category | Subcategory | Format | Storage Location | Contains PII? | Regulatory Category | |--------------|-------------|--------|-----------------|--------------|---------------------| | Customer PII | Contact info | DB records | CRM, AMS, LOS | Yes | GLBA, state privacy | | Customer PII | SSN/Tax ID | Encrypted DB | Core system | Yes — sensitive | GLBA, FCRA | | Transactions | Policy premiums | DB records | AMS | Yes | State DOI | | Transactions | Loan origination | DB + documents | LOS + file storage | Yes | RESPA, TRID | | Communications | Email correspondence | Email archive | Exchange/O365 | Maybe | FINRA 4511, state | | Communications | Recorded calls | Audio files | Call recording platform | Maybe | State recording law | | Audit logs | System access | Log files | SIEM | Partial | SOX, SOC 2 | | Financial records | Ledger entries | DB records | Accounting system | No | SOX, tax | | Documents | Applications | PDF/scanned | Document management | Yes | Varies by type | | Documents | Policy/loan docs | PDF | Document management | Yes | State DOI, RESPA | | Documents | Adverse action notices | PDF | Document management | Yes | ECOA, FCRA | | Claims records | FNOL and adjuster notes | DB + docs | Claims system | Yes | State DOI | | Marketing | Prospect data | CRM | CRM | Yes | CCPA, CAN-SPAM | | HR | Employee records | HR system | HRIS | Yes | State labor law |

Step 2: Regulatory Minimum Retention by Data Type

Insurance

| Record Type | Minimum Retention | Clock Starts | Citation | |-------------|------------------|--------------|---------| | Policy files (all lines) | 5 years | Policy expiration | Most state DOI regulations | | Policy files (life insurance) | 6 years | Policy expiration | Many states — use most restrictive | | Claims files | 5 years | Claim closure | State DOI (varies; verify per state) | | Agent licensing records | 3 years | License termination | NAIC Producer Licensing Model Act | | Market conduct records | 5 years | Record creation | State DOI market conduct exams | | Premium tax records | 4 years | Tax filing | State DOI / state revenue dept | | Complaint records | 5 years | Complaint closure | Most state DOI regulations | | Advertising/marketing materials | 3 years | Last use | State DOI unfair trade practices | | Surplus lines affidavits | 3–5 years | Filing date | State surplus lines law (varies) |

Mortgage

| Record Type | Minimum Retention | Clock Starts | Citation | |-------------|------------------|--------------|---------| | Loan application and disclosures | 3 years | Consummation or action taken | Reg Z § 1026.25 | | TRID Loan Estimates and CDs | 3 years | Consummation | Reg Z § 1026.25(c) | | RESPA servicing records | 2 years | Date of action | Reg X § 1024.38 | | HMDA Loan Application Register | 3 years | LAR submission | Reg C § 1003.5(b) | | ECOA adverse action notices | 25 months | Date notice given | Reg B § 1002.12 | | FCRA adverse action notices | 5 years | Date notice given | FCRA § 1681p | | BSA/AML Currency Transaction Reports | 5 years | Filing date | 31 CFR 1010.430 | | BSA/AML Suspicious Activity Reports | 5 years | Filing date | 31 CFR 1020.320 | | BSA Customer Identification records | 5 years | Account closure | 31 CFR 1020.220 | | QM/ATR income/asset documentation | 3 years | Consummation | Reg Z § 1026.43(e)(4) | | MERS registration records | Life of loan + 7 years | Payoff/transfer | MERS operating procedures |

Financial Services / General

| Record Type | Minimum Retention | Clock Starts | Citation | |-------------|------------------|--------------|---------| | FINRA customer account records | 6 years | Account closure | FINRA Rule 4511 | | FINRA communications (general) | 3 years | Creation (first 2 years easily accessible) | FINRA Rule 4511 | | FINRA order tickets | 3 years | Order date | FINRA Rule 4511 | | SEC investment advisor records | 5 years | Creation | 17 CFR 275.204-2 | | SOX financial records | 7 years | Fiscal year end | SOX § 802 | | Tax records | 7 years | Tax filing | IRS general guidance | | GLBA privacy notices | 6 years | Issuance | 16 CFR Part 314 | | Employment records | 4–7 years | Employment end | State labor law (varies) |

Step 3: Retention Schedule

Build the master retention schedule combining regulatory minimums with business requirements. Apply the most restrictive applicable period.

Retention period table format:

| Data Category | Business Minimum | Regulatory Minimum | Regulatory Citation | Approved Maximum | Active Storage | Archive Storage | Delete Action | |--------------|-----------------|-------------------|---------------------|-----------------|----------------|-----------------|---------------| | [Category] | [N years] | [N years] | [Citation] | [N years] | [N years] | [N years after archive] | [Auto-delete / Manual review / Anonymize] |

Approved maximum = the point at which data must be deleted absent a legal hold. Typically regulatory minimum + 1–2 years buffer for litigation.

Step 4: Legal Hold Procedures

When litigation, regulatory investigation, or government inquiry begins, standard retention schedules are suspended for affected data.

Legal hold process:

1. Trigger identification — Litigation hold triggers: receipt of subpoena, preservation letter, or when litigation is reasonably anticipated
2. Hold notice — Legal counsel issues written hold notice to all custodians of potentially relevant data
3. System hold flags — IT sets a legal hold flag on affected records in all systems; automated deletion is blocked for flagged records
4. Custodian acknowledgment — All recipients of hold notice confirm in writing
5. Scope documentation — Hold notice specifies: data categories in scope, date range, relevant systems, custodians
6. Hold log — Maintain a log of all active legal holds: matter name, date issued, data scope, custodians, systems
7. Hold release — Legal counsel issues release notice when matter is resolved; IT removes hold flags; standard retention schedule resumes
8. Periodic review — Active holds reviewed quarterly to confirm continued necessity

Step 5: Deletion Runbook

For each data category at end of retention period:

Automated deletion (preferred for structured data):

1. Automated job runs [daily / weekly / monthly]
2. Query: SELECT records WHERE retention_expiry_date <= TODAY() AND legal_hold_flag = FALSE
3. For PII: overwrite with zeros or cryptographically erase encryption key (key deletion)
4. For non-PII: standard delete + transaction log purge
5. Generate deletion certificate: timestamp, record count, data category, deletion method, operator
6. Log deletion certificate to immutable audit log
7. Alert to compliance officer if deletion count exceeds threshold (potential pipeline issue)

Manual review deletion (for complex or high-value records):

1. System generates deletion candidate list 60 days before expiry
2. Compliance officer reviews list; approves or applies legal hold extension
3. Approved deletions executed by IT with certificate generated
4. Certificate filed in compliance records

Backup and archive purge:

• Backup media must be included in retention/deletion scope
• Backups older than retention period must be purged on the same schedule
• For tape backups: overwrite-3-pass standard (NIST SP 800-88)
• Cloud backups: confirm provider's deletion API deletes all copies including geo-redundant replicas
• Certificate of destruction issued by vendor for physical media destruction

Anonymization (alternative to deletion where operational data is needed):

• Replace PII fields with synthetic values or hash
• Anonymized records are no longer subject to privacy law retention limits
• Confirm anonymization is truly irreversible before classifying as complete

Step 6: Technical Implementation Notes

Database:

• Add retention_expiry_date column to all tables containing regulated data
• Add legal_hold_flag boolean column
• Create deletion job with idempotent design (safe to re-run)
• Index on (retention_expiry_date, legal_hold_flag) for efficient scans

Document management:

• Set document retention metadata at upload time
• Configure automated expiry notifications 90 days before deletion
• Integrate legal hold flag with document DMS (SharePoint, Laserfiche, DocuWare)

Email/communications archive:

• Configure archiving platform (O365 Compliance, Mimecast, Proofpoint) with retention policies per mailbox category
• Legal hold: O365 Litigation Hold or In-Place Hold applied at mailbox level

Cloud storage:

• S3/Azure Blob lifecycle policies for automated tiering and deletion
• Object Lock for WORM compliance where required
• Verify deletion propagates to all storage tiers (Standard → IA → Glacier → deleted)

Output Format

Deliver three artifacts:

1. Retention Schedule Table — All data categories with regulatory minimums, approved maximums, active/archive periods, and delete actions
2. Legal Hold Procedure — Step-by-step process with roles, triggers, and documentation requirements
3. Deletion Runbook — Automated and manual deletion procedures with certificate requirements and technical implementation notes