Retention policies that protect you.
Keeping data forever feels safe and isn't. A written retention policy cuts your breach exposure and your legal discovery costs.
Most small businesses default to keeping everything forever — old emails, old files, old clients. It feels safe. It's not. The more data you keep, the more there is to leak in a breach, the more there is to produce in a lawsuit, and the more there is to accidentally expose. A written retention policy, even a simple one, cuts all three risks.
Why "just keep it all" is expensive
Every regulated industry has retention requirements — some short, some long. "Keep it forever" isn't a compliance strategy, it's avoidance. When a lawsuit drops, e-discovery costs scale with the volume of data you have to search and review. When a breach hits, notification obligations scale with the number of people whose records were exposed, including clients and employees you parted ways with years ago. Hoarding data is a long-term liability, not a safety net.
Where hoarded data bites
“A small firm got subpoenaed over a deal from 12 years prior. Every relevant email was still on the file server.”
Red flag: E-discovery review cost six figures. A standard retention policy would have deleted most of the exposure years earlier.
“An accounting firm's breach exposed client tax returns going back 20 years.”
Red flag: Most affected clients were long gone. Notification costs and reputational damage hit disproportionately hard for data that should have been purged.
A starting-point retention schedule
- Email: 3-5 years by default, with legal hold exceptions. This range satisfies many regulators, but confirm it against your own industry's minimums.
- Client project files: 7 years post-engagement unless your industry requires longer.
- HR records: per your state's rules — usually 3-7 years after termination.
- Financial records: 7 years minimum for most small businesses.
- Marketing and operational files: whatever's useful, with a 3-year archive cutoff.
We implement retention.
Microsoft 365 and Google Workspace both support automatic retention policies that apply labels and delete on schedule. A morning with us and it's set up, running, and documented.
1. Write a one-page retention policy this quarter. Pick reasonable defaults.
2. Identify any categories with specific legal retention requirements (HIPAA, tax, HR) and give them their own line in the policy.
3. Configure Microsoft 365 or Google Workspace retention labels and policies to enforce it automatically.
4. Add a legal-hold workflow for active litigation: auto-delete must pause for the people and data involved in those cases.
5. Review the policy annually with your attorney.
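Steps 3 and 4 above are the ones that get misconfigured most often, so here is an added example of what they look like in Microsoft 365 using the Security & Compliance PowerShell cmdlets. This is illustrative code written for this page, not the page's own procedure or Microsoft's documentation: the policy names, the 1825 and 2555 day counts (5 and 7 years from the schedule above), and the custodian address are assumptions to adapt to your written policy. The Google Workspace equivalent lives in Google Vault retention rules and holds and is not shown.

```powershell
# Added example, not from the original page. Policy names, day counts and the
# custodian mailbox address are assumed placeholders; adjust to your written policy.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Security & Compliance endpoint: retention policy and rule cmdlets
Connect-ExchangeOnline     # Exchange Online endpoint: mailbox hold cmdlets

# Step 3a: email default of 5 years from creation, then delete. Duration is in days.
New-RetentionCompliancePolicy -Name "Email - 5 year default" `
    -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "Email - delete after 5 years" `
    -Policy "Email - 5 year default" `
    -RetentionDuration 1825 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Step 3b: client project files in SharePoint and OneDrive. KeepAndDelete retains
# the file for 7 years after its last modification (users cannot purge it early),
# then deletes it.
New-RetentionCompliancePolicy -Name "Project files - 7 year retention" `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Project files - keep 7 years then delete" `
    -Policy "Project files - 7 year retention" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Step 4: legal hold. Litigation hold on a custodian's mailbox preserves items even
# after the email rule above would have deleted them; a hold takes precedence over
# deletion, so auto-delete effectively pauses for that person.
$custodian = "jane.doe@example.com"   # assumed placeholder for a custodian in active litigation
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true

# Verify: rules should show the intended duration and action, and the hold should be on.
Get-RetentionComplianceRule |
    Select-Object Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
Get-Mailbox -Identity $custodian |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate
```

Two practical points. Retention policies can take a day or more to apply across all locations, so check the verification output again after that window rather than assuming the first run took effect. And when litigation ends, turning the hold off is a deliberate step: the moment `LitigationHoldEnabled` goes back to `$false`, the 5-year rule resumes and anything past its age becomes eligible for deletion, so confirm with your attorney before flipping it.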
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.