A cybersecurity analyst is part of an incident response team investigating a recent data breach. The company's standard data retention policy dictates that all server logs are purged after 30 days. On day 25 of the investigation, the company's legal department issues a legal hold notice for all data related to the compromised systems. What is the correct action for the analyst to take regarding the 25-day-old logs?
Create a backup of the logs and then purge the original files as per the retention policy.
Follow the standard data retention policy and purge the logs after 30 days.
Ensure the logs are preserved until the legal hold is lifted, overriding the 30-day retention policy.
Immediately anonymize all personally identifiable information (PII) within the logs before the hold takes effect.
When a legal hold is issued, it legally obligates an organization to preserve all potentially relevant information, overriding any existing data retention or destruction policies. Therefore, the analyst must ensure the logs are preserved and not purged according to the normal schedule. Purging the logs would violate the legal hold and could be considered spoliation of evidence, leading to severe legal penalties. Backing up the logs but still purging the originals fails to meet the preservation requirement, and modifying the logs, even for privacy, violates the principle of preserving evidence in its original state.