Domain 2 · Lesson 4 of 5

Data Destruction, Retention & Legal Hold

Data Destruction, Data Retention & Legal Hold (translated from the Vietnamese subtitle)

Theory

Data Destruction Methods — NIST SP 800-88

NIST SP 800-88 (Guidelines for Media Sanitization) defines the standard framework for data destruction. Method selection depends on the media type, classification level, and intended next use of the media.

| Method | How It Works | Use Case | Media | Security Level |
|---|---|---|---|---|
| Clearing | Overwrite all addressable storage locations with non-sensitive data (zeros, ones, or random) | Reuse within the organization; lower-classification data | HDD, USB | Low–Medium |
| Purging (Degaussing) | Apply a strong magnetic field to destroy the magnetic alignment storing data; or use hardware-level cryptographic erase | Reuse outside the organization; higher-classification data | HDD, Tape (magnetic only) | Medium–High |
| Destroying | Physical destruction: shredding, incineration, disintegration, pulverization | Disposal of media containing the highest-classified data | Any media type | Highest |

SSD Warning — Overwriting Is Unreliable

SSDs use wear leveling — a firmware technique that distributes writes across cells to extend drive life. Because the firmware, not the host, chooses which physical cell receives each write, overwrite commands may not reach every physical storage location, and data may persist in cells the wear-leveling algorithm has retired or remapped. For SSDs, use cryptographic erasure (delete the encryption key; this only helps if the data was encrypted from the start) or physical destruction.

Data Remanence

Data remanence is the residual representation of data that remains after deletion attempts. This is why simple "delete" operations are insufficient for sensitive data — the OS marks the space as available but the data persists until overwritten. Even degaussed HDDs can sometimes have residual signals detectable by lab-grade equipment.
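The two paragraphs above (wear leveling defeating overwrites, and cryptographic erasure as the SSD alternative) are easier to see in a toy model. The block below is an added example written for this lesson; it is not code from NIST SP 800-88 or from any drive vendor. It assumes a simplified flash translation layer (every logical write lands in a fresh physical cell and the stale cell is only marked free, never erased) and substitutes an HMAC-SHA256 counter-mode keystream for the AES-XTS a real self-encrypting drive would use, so that it runs with the standard library alone. The "PII" values are constructed.

```python
"""Toy flash-translation-layer model: why one overwrite pass does not sanitize a
wear-levelled SSD, and why destroying the media key does. Constructed for this
lesson; not NIST SP 800-88 code and not any vendor's firmware. The cipher is an
HMAC-SHA256 counter-mode keystream standing in for AES-XTS."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional


class WearLevelledSSD:
    """Each logical-block write lands in a fresh physical cell; the previous
    cell is only marked stale and keeps its contents until it is reused."""

    def __init__(self, logical_blocks: int, physical_cells: int, block_size: int = 16):
        assert physical_cells >= logical_blocks, "SSDs are over-provisioned"
        self.block_size = block_size
        self.cells = [bytes(block_size) for _ in range(physical_cells)]
        self.l2p: dict[int, int] = {}            # logical block -> live physical cell
        self.free = list(range(physical_cells))

    def _pad(self, data: bytes) -> bytes:
        return data.ljust(self.block_size, b"\0")[: self.block_size]

    def write(self, lba: int, data: bytes) -> None:
        if not self.free:                         # reclaim stale cells without erasing them
            live = set(self.l2p.values())
            self.free = [c for c in range(len(self.cells)) if c not in live]
        cell = self.free.pop(0)                   # wear levelling: a different cell each time
        self.cells[cell] = self._pad(data)
        self.l2p[lba] = cell                      # old cell is unmapped but still holds old data

    def read(self, lba: int) -> bytes:
        """Host-visible read: only the live mapping is reachable."""
        return self.cells[self.l2p[lba]]

    def forensic_dump(self) -> list[bytes]:
        """What a lab reading the raw NAND sees: every cell, live or stale."""
        return list(self.cells)


def _keystream(key: bytes, lba: int, length: int) -> bytes:
    """PRF keystream with the LBA as nonce. Writing the same LBA twice under one
    key would reuse keystream; the demo writes each block once."""
    out, counter = b"", 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SelfEncryptingSSD(WearLevelledSSD):
    """The controller holds a media key that never touches NAND, so every cell
    is ciphertext. Cryptographic erase = destroy that key."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.media_key: Optional[bytes] = os.urandom(32)

    def _xor(self, lba: int, block: bytes) -> bytes:
        if self.media_key is None:
            raise RuntimeError("media key destroyed; data is unrecoverable")
        return bytes(a ^ b for a, b in zip(block, _keystream(self.media_key, lba, self.block_size)))

    def write(self, lba: int, data: bytes) -> None:
        super().write(lba, self._xor(lba, self._pad(data)))

    def read(self, lba: int) -> bytes:
        return self._xor(lba, super().read(lba))

    def crypto_erase(self) -> None:
        self.media_key = None                     # the only copy of the key is gone


# Constructed, fake PII-like blocks.
SECRETS = [b"card=4111111111", b"ssn=123-45-6789", b"dob=1990-01-01", b"acct=PH-00042"]


def _plaintext_remnants(ssd: WearLevelledSSD, secrets: list[bytes]) -> list[bytes]:
    dump = ssd.forensic_dump()
    return [s for s in secrets if any(c.rstrip(b"\0") == s for c in dump)]


def overwrite_then_inspect(secrets: list[bytes] = SECRETS) -> tuple[bool, list[bytes]]:
    """One 'clearing' pass of zeros. Returns (host sees zeros?, secrets still on NAND)."""
    ssd = WearLevelledSSD(len(secrets), 2 * len(secrets))
    for lba, s in enumerate(secrets):
        ssd.write(lba, s)
    for lba in range(len(secrets)):
        ssd.write(lba, bytes(ssd.block_size))
    host_clean = all(ssd.read(lba) == bytes(ssd.block_size) for lba in range(len(secrets)))
    return host_clean, _plaintext_remnants(ssd, secrets)


def crypto_erase_then_inspect(secrets: list[bytes] = SECRETS) -> tuple[bool, list[bytes], bool]:
    """Returns (readable before erase?, plaintext remnants on NAND, readable after erase?)."""
    ssd = SelfEncryptingSSD(len(secrets), 2 * len(secrets))
    for lba, s in enumerate(secrets):
        ssd.write(lba, s)
    before = ssd.read(0).rstrip(b"\0") == secrets[0]
    ssd.crypto_erase()
    try:
        ssd.read(0)
        after = True
    except RuntimeError:
        after = False
    return before, _plaintext_remnants(ssd, secrets), after


if __name__ == "__main__":
    print("overwrite:", overwrite_then_inspect())        # host reads zeros; all four secrets remain on NAND
    print("crypto erase:", crypto_erase_then_inspect())  # readable before; no remnants; unreadable after
```

The host-side check (`read()` returning zeros) is exactly what a verification tool that only talks to the logical interface would report, which is why the page says overwriting "cannot guarantee" sanitization: the evidence of failure is only visible in the raw-NAND dump. The crypto-erase path leaves every cell in place but turns all of them into keystream-masked noise once the key is gone, matching the page's recommendation for drives that were encrypted from the start.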

Data Retention Policies

Retention policies define how long each data type must be kept before it can be destroyed. Retaining data beyond the required period increases breach impact and regulatory exposure (especially under the GDPR "storage limitation" principle).

| Data Type | Typical Retention | Regulatory Driver |
|---|---|---|
| Financial / banking records | 7 years | Various financial regulations (VN: Circular 09, PH: BSP guidelines) |
| PCI-DSS audit logs | Minimum 12 months (3 months immediately available online) | PCI-DSS Requirement 10.7 |
| Healthcare records | 5–10 years (jurisdiction-dependent) | Local health regulations |
| Personal data (GDPR/DPA basis) | Only as long as necessary for the original purpose | GDPR Art. 5(1)(e), DPA 2012 (PH) |
| Loan application data (TS) | Duration of loan + 7 years | BSP (PH), SBV (VN) guidelines |

Legal Hold (Litigation Hold)

A legal hold is a directive to suspend all routine deletion and retention schedule enforcement for data that is relevant to anticipated or active litigation, regulatory investigation, or audit.

  • Must be applied immediately upon notice — even anticipation of litigation is sufficient
  • Overrides all retention schedules — you cannot delete data under legal hold even if the retention period has expired
  • Failure to preserve data under legal hold = spoliation

Spoliation

Spoliation is the intentional or negligent destruction, alteration, or concealment of evidence under a legal hold. Consequences include:

  • Criminal charges (obstruction of justice)
  • Civil sanctions (adverse inference — the court assumes the destroyed evidence was harmful)
  • Regulatory penalties

Legal Hold vs GDPR Right to Erasure — Conflict Resolution

A data subject may exercise their GDPR/DPA right to erasure at any time. However, if a legal hold is in place for that individual's data, the legal obligation to preserve evidence overrides the erasure right. The organization must deny the erasure request for the duration of the legal hold and document the reason. Once the legal hold is lifted, the erasure request can be processed.

Key Terms

Clearing — overwriting; sufficient for internal reuse of lower-classification media
Purging — degaussing or hardware erase; required for external reuse or higher-classification media
Degaussing — using a magnetic field to destroy data on magnetic media; does NOT work on SSDs
Destroying — physical destruction; the only truly irreversible method; required for disposal of highest-classification media
Data Remanence — residual data remaining after deletion; the reason a simple delete is insufficient
Cryptographic Erasure — destroy the encryption key, rendering encrypted data permanently unreadable; preferred method for SSDs
Legal Hold — directive to suspend all deletion for data relevant to litigation or investigation
Litigation Hold — synonym for legal hold; must be applied immediately upon anticipation of litigation
Spoliation — destruction of evidence under legal hold; criminal offense with serious civil consequences
Retention Schedule — formal policy defining how long each data type must be retained before authorized destruction
NIST SP 800-88 — NIST standard: Guidelines for Media Sanitization; defines Clearing, Purging, and Destroying

Exam Tips

Tip 1 — SSD: Overwriting Unreliable; Use Cryptographic Erasure or Destroy
This is a high-frequency exam question. SSDs have wear-leveling firmware that redirects writes — overwrite commands cannot guarantee all physical cells are reached. For encrypted SSDs, cryptographic erasure (deleting the encryption key) is the preferred method. For unencrypted SSDs, physical destruction is required.

Tip 2 — Degaussing Does NOT Work on SSDs
Degaussing works by disrupting magnetic alignment — SSDs store data as electrical charges in NAND flash cells, not magnetic domains. Degaussing an SSD has zero effect on the data. Exam questions will try to trick you into choosing degaussing for SSD destruction.

Tip 3 — Legal Hold Overrides Everything
Legal hold supersedes retention schedules, GDPR erasure rights, and normal deletion procedures. Once a hold is issued, no data covered by it can be deleted — period. The hold must be documented and communicated to all relevant teams (including whoever owns the automated deletion job that runs nightly).

Tip 4 — Clearing vs Purging vs Destroying
Clearing = internal reuse (lower risk); Purging = external reuse or higher classification (higher risk tolerance); Destroying = disposal with no reuse. Always match the method to the data classification and next-use scenario.

Tip 5 — Spoliation = Serious Legal Consequence
Destroying evidence under legal hold (even accidentally, by running an automated deletion job) can result in criminal charges and adverse inference — the court may assume the destroyed evidence was unfavorable to you. This makes legal hold management a critical operational control.

Work Application β€” FinTech Company X

Action Item — Platform B 30-Day Soft-Delete Audit
After the 30-day soft-delete window expires, verify that deletion covers ALL data stores, not just the primary database:

| Data Store | Deletion Action Required | Risk if Missed |
|---|---|---|
| MariaDB / PostgreSQL | Overwrite PII fields with null/anonymous values; delete or anonymize the record | PII persists in primary store — DPA 2012 / Decree 13 violation |
| Redis cache | Ensure TTL has expired; explicitly evict keys if TTL is longer than 30 days | Customer PII accessible via cache after account deletion |
| Kafka topics | Kafka is append-only — records cannot be deleted in place. Anonymize the payload via a stream processor (e.g., Kafka Streams / Flink) | PII in event log indefinitely — serious GDPR/DPA violation |
| Elasticsearch index | Delete document by ID or anonymize indexed fields | PII searchable in audit/log index after deletion |
| GCS (signed PDFs) | Delete GCS object; verify no backup copies in archive buckets | Signed loan documents with PII accessible in storage |
| eKYC Vendor biometrics | Call eKYC Vendor deletion API per DPA terms; get confirmation receipt | Biometric template persists at processor — DPA 2012 violation; biometrics cannot be reissued |

Legal Hold Protocol: If any FinTech Company X loan records become subject to litigation, investigation, or regulatory inquiry — IMMEDIATELY issue a written legal hold notice to the engineering team and disable the 30-day deletion job for affected accounts. Do NOT run automated deletion on accounts under legal hold. Document the hold issuance with a timestamp.
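The retention schedule, the legal-hold rules, the erasure-request conflict resolution, and the soft-delete audit above all describe one control: the automated deletion job must evaluate "is there an active hold?" before it ever consults the retention clock. The block below is an added example written for this lesson, not FinTech Company X's or Platform B's code. The record types, the subject and record IDs, the hold dates, and the day-count retention periods are constructed assumptions; the per-store actions are paraphrased from the audit table.

```python
"""Constructed example for this lesson (not FinTech Company X's or Platform B's
code): a deletion gate that applies this page's rules in order. An active legal
hold is checked first and overrides every retention schedule and every erasure
request; only then does retention expiry decide whether a record may be
destroyed, with per-store actions taken from the soft-delete audit table."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods in days; assumed day-counts for the fixed-period rows on this page.
RETENTION_DAYS = {
    "soft_deleted_account": 30,     # Platform B soft-delete window
    "pci_audit_log": 365,           # PCI-DSS Req. 10.7 minimum
    "financial_record": 7 * 365,    # 7-year financial retention
}

# Required action per data store, paraphrased from the audit table.
STORE_ACTIONS = {
    "postgres": "null/anonymise PII fields, then delete or anonymise the record",
    "redis": "explicitly evict keys; do not rely on TTL",
    "kafka": "append-only: anonymise payload via stream processor",
    "elasticsearch": "delete document by ID or anonymise indexed fields",
    "gcs": "delete object; verify no copy in archive buckets",
    "ekyc_vendor": "call vendor deletion API; keep confirmation receipt",
}


@dataclass(frozen=True)
class LegalHold:
    subject_id: str
    issued_on: date
    lifted_on: Optional[date] = None      # None = still in force

    def active(self, today: date) -> bool:
        return self.issued_on <= today and (self.lifted_on is None or today < self.lifted_on)


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    record_type: str
    clock_start: date                     # soft-delete date, log date, loan end date, ...
    stores: tuple[str, ...]


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                           # "hold" | "retain" | "destroy"
    reason: str                           # written justification, kept for audit
    store_actions: tuple[tuple[str, str], ...] = ()


def active_hold(subject_id: str, holds: list[LegalHold], today: date) -> Optional[LegalHold]:
    return next((h for h in holds if h.subject_id == subject_id and h.active(today)), None)


def decide(record: Record, holds: list[LegalHold], today: date) -> Decision:
    hold = active_hold(record.subject_id, holds, today)
    if hold is not None:                  # evaluated FIRST: a hold wins even if retention expired
        return Decision(record.record_id, "hold",
                        f"legal hold issued {hold.issued_on}; deletion suspended until lifted")
    expires = record.clock_start + timedelta(days=RETENTION_DAYS[record.record_type])
    if today < expires:
        return Decision(record.record_id, "retain", f"retention runs until {expires}")
    return Decision(record.record_id, "destroy", "retention expired and no legal hold",
                    tuple((s, STORE_ACTIONS[s]) for s in record.stores))


def handle_erasure_request(subject_id: str, holds: list[LegalHold], today: date) -> str:
    """GDPR/DPA erasure vs legal hold: deny and document while a hold is active."""
    hold = active_hold(subject_id, holds, today)
    if hold is not None:
        return f"denied: legal hold active since {hold.issued_on}; reassess when lifted"
    return "accepted: erase across all data stores and obtain vendor confirmation"


def run_deletion_job(records: list[Record], holds: list[LegalHold], today: date) -> dict[str, list[Decision]]:
    """The nightly job: nothing is destroyed without passing through decide()."""
    plan: dict[str, list[Decision]] = {"destroy": [], "hold": [], "retain": []}
    for r in records:
        d = decide(r, holds, today)
        plan[d.action].append(d)
    return plan


# Constructed sample data.
TODAY = date(2024, 6, 1)
HOLDS = [
    LegalHold("s2", issued_on=date(2024, 5, 20)),                                 # active, not lifted
    LegalHold("s5", issued_on=date(2023, 11, 1), lifted_on=date(2024, 3, 1)),     # lifted: no longer blocks
]
RECORDS = [
    Record("acct-1", "s1", "soft_deleted_account", date(2024, 4, 1), ("postgres", "redis", "kafka")),
    Record("acct-2", "s2", "soft_deleted_account", date(2024, 4, 15), ("postgres", "ekyc_vendor")),
    Record("acct-3", "s3", "soft_deleted_account", date(2024, 5, 20), ("postgres",)),
    Record("fin-4", "s5", "financial_record", date(2016, 1, 1), ("gcs",)),
]

if __name__ == "__main__":
    for action, decisions in run_deletion_job(RECORDS, HOLDS, TODAY).items():
        for d in decisions:
            print(action, d.record_id, d.reason, d.store_actions)
    print(handle_erasure_request("s2", HOLDS, TODAY))
    print(handle_erasure_request("s1", HOLDS, TODAY))
```

With this data, acct-2 has been soft-deleted for longer than 30 days, so a job that only checked the retention clock would destroy it; the hold check placed ahead of the clock is what turns that into a "hold" decision with a written reason, which is the spoliation control the protocol above asks for. The lifted hold on s5 shows the other direction: once a hold is lifted, the ordinary schedule resumes and the 7-year financial record becomes eligible.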

Practice Questions

Q1. A decommissioned Partner A loan processing server has SSD drives that stored customer PII classified as Restricted. The drives will be physically disposed of (not reused). What is the most appropriate destruction method?

A) Overwriting (7-pass)
B) Degaussing
C) Physical destruction (shredding)
D) Clearing and reassigning to another team

✓ C) Physical destruction (shredding)
For SSDs being disposed of (not reused), physical destruction is the correct answer. Overwriting is unreliable on SSDs due to wear leveling. Degaussing has no effect on SSDs (no magnetic properties). Since the drives are being disposed of and contain Restricted data, physical shredding ensures complete irreversibility. If the SSDs were encrypted, cryptographic erasure would also be acceptable, but physical destruction is the safest answer for disposal scenarios.

Q2. A legal hold is issued for a specific customer's loan account. The 30-day Platform B deletion job runs that evening. When should the legal hold have been applied relative to the job run?

A) Immediately upon issuance of the hold — before the deletion job ran
B) After the current deletion cycle completes
C) Only after litigation is formally filed in court
D) At the end of the standard retention period

✓ A) Immediately upon issuance — before the deletion job ran
A legal hold must be applied immediately upon notice — even the anticipation of litigation is sufficient to trigger the hold. Waiting for formal court filing is too late. If the deletion job ran after the hold was issued, the resulting data destruction would constitute spoliation. The hold must be communicated to all teams (including DevOps/engineering running automated jobs) the moment it is issued.

Q3. A FinTech Company X engineer proposes degaussing old SSD drives before reselling them to a third-party recycler. What should you tell them?

A) Degaussing is sufficient for SSDs at any classification level
B) Degaussing only works on magnetic media — SSDs are NAND flash and will not be sanitized by degaussing
C) Degaussing should be combined with a 3-pass overwrite for SSDs
D) Degaussing is approved for Confidential data but not Restricted

✓ B) Degaussing only works on magnetic media — SSDs are NAND flash
SSDs store data as electrical charges in NAND flash memory cells — there is no magnetic medium to degauss. Applying a magnetic field to an SSD has zero effect on the stored data. For SSDs being sold externally: use cryptographic erasure (if the drives were encrypted — delete the key) followed by verification, or physically destroy the drives. Overwriting is unreliable due to wear leveling. Never degauss an SSD.

Q4. A Philippine Partner C customer submits a GDPR-equivalent erasure request under DPA 2012. Their account is currently under investigation by BSP (Bangko Sentral ng Pilipinas). What should FinTech Company X do?

A) Honor the erasure request immediately — data subject rights are absolute
B) Deny the erasure and issue a legal hold; the legal obligation overrides the erasure right during the investigation
C) Partially delete data not relevant to the investigation
D) Escalate to the NPC (National Privacy Commission) before taking action

✓ B) Deny the erasure and issue a legal hold
The right to erasure under DPA 2012 (and GDPR) has statutory exceptions — one of which is when retention is required to comply with a legal obligation or for the establishment, exercise, or defense of legal claims. A BSP regulatory investigation creates a legal obligation to preserve records. The erasure request should be formally denied (with documentation), a legal hold issued, and the customer informed that the request cannot be honored during the investigation. Once the investigation concludes, the erasure request can be reassessed.

Q5. What is "spoliation" and what legal consequence can result from it?

A) Deletion of outdated data per retention schedule — standard practice with no legal risk
B) Intentional or negligent destruction of evidence under legal hold — can result in criminal charges and adverse inference
C) Unauthorized access to data — triggers a breach notification requirement
D) Over-retention of personal data — triggers GDPR fines only

✓ B) Destruction of evidence under legal hold — criminal charges and adverse inference
Spoliation is the destruction, alteration, or concealment of evidence that a party knows or should know is relevant to litigation. Key consequences: (1) Adverse inference — the court may instruct the jury to assume the destroyed evidence was unfavorable to the spoliating party; (2) Criminal charges for obstruction of justice; (3) Civil sanctions including striking pleadings or entering default judgment. This is why legal holds must be immediately communicated to all teams, including engineers running automated deletion jobs.