Control 1.9: Data Retention and Deletion Policies
- Control ID: 1.9
- Pillar: Security
- Regulatory Reference: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404
- Last UI Verified: January 2026
- Governance Levels: Baseline / Recommended / Regulated
- Last Verified: 2026-02-03
Objective
Ensure agent-related data, including conversation logs, knowledge sources, and configuration history, is retained for required regulatory periods and properly deleted when no longer needed. Proper data lifecycle management is critical for meeting requirements under FINRA 4511, SEC 17a-3/4, and SOX 404.
Why This Matters for FSI
- FINRA 4511: Retain books and records for required periods (3-6+ years)
- SEC 17a-3/4: Securities industry records retention (WORM or audit-trail alternative per October 2022 amendments)
- GLBA 501(b): Protect and retain customer NPI appropriately
- SOX 404: Internal control documentation retention
- Right to Deletion: Manage customer deletion requests within regulatory constraints
Control Description
| Capability | Description |
|---|---|
| Retention labels | Apply retention periods to agent data by classification |
| Retention policies | Automated retention for Copilot Studio and Power Platform logs |
| Disposition review | Workflow for compliance review before deletion |
| Legal hold | Preserve content for litigation regardless of retention |
| Audit trail | Immutable log of deletion events |
Key Configuration Points
- Create retention labels per record type:
  - Agent conversation logs: 3 years (communications per SEC 17a-4(b)(4))
  - Agent configuration: 6 years
  - Audit logs: 7-10 years
- Publish labels to Exchange, SharePoint, OneDrive, and Microsoft 365 Groups
- Create retention policies targeting Dataverse and Copilot interactions
- Configure retention policies for the three AI-specific retention locations:
  - Microsoft Copilot experiences — Covers M365 Copilot interactions (Word, Excel, Teams, etc.)
  - Enterprise AI Apps — Covers Copilot Studio agents and enterprise-managed AI applications
  - Other AI Apps — Covers third-party and unmanaged AI applications
- Configure disposition reviewers for end-of-retention workflow
- Enable legal hold procedures for litigation preservation
- Configure extended audit log retention for deletion events
- Implement storage tiering for "readily accessible" compliance
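The label creation, publishing and disposition-reviewer steps above, as an added PowerShell example that is not one of this control's own playbooks. It assumes the ExchangeOnlineManagement module (Security & Compliance PowerShell), a Purview Records Manager role, a constructed reviewer mailbox, and label names chosen here; for audit logs the 10-year end of the page's 7-10 year range is used.

```powershell
# Added example, not the control's playbook. Requires the ExchangeOnlineManagement
# module and a Purview Records Manager role. The reviewer address is a constructed placeholder.
Connect-IPPSSession

$reviewer = "compliance-disposition@contoso.example"   # constructed placeholder

# Record types and periods from the control. Audit logs: the page gives 7-10 years;
# 10 years is chosen here, matching the framework's Zone 3 recommendation.
$records = @(
    @{ Name = "FSI Agent Conversation Logs"; Days = 3 * 365;  Note = "SEC 17a-4(b)(4) communications" },
    @{ Name = "FSI Agent Configuration";     Days = 6 * 365;  Note = "Agent configuration history" },
    @{ Name = "FSI Agent Audit Logs";        Days = 10 * 365; Note = "Deletion and access audit trail" }
)

foreach ($r in $records) {
    # Keep for the full period, then route to a disposition reviewer rather than deleting silently.
    if (-not (Get-RetentionComplianceTag -Identity $r.Name -ErrorAction SilentlyContinue)) {
        New-RetentionComplianceTag -Name $r.Name -Comment $r.Note `
            -RetentionAction KeepAndDelete -RetentionType CreationAgeInDays `
            -RetentionDuration $r.Days -ReviewerEmail $reviewer | Out-Null
    }

    # Publish each label to Exchange, SharePoint, OneDrive and Microsoft 365 Groups.
    # One publishing policy per label keeps the scripted setup unambiguous.
    $policyName = "$($r.Name) - Publish"
    if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
        New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All `
            -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All | Out-Null
        New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $r.Name | Out-Null
    }
}

# Verification: each label exists with the duration the control requires.
foreach ($r in $records) {
    $tag    = Get-RetentionComplianceTag -Identity $r.Name
    $status = if ([int]$tag.RetentionDuration -eq $r.Days) { "OK" } else { "MISMATCH" }
    "{0,-32} {1,5} days  {2}" -f $r.Name, $tag.RetentionDuration, $status
}
```

The AI-specific retention locations (Copilot experiences, Enterprise AI Apps, Other AI Apps) are configured separately per the Portal Walkthrough; this block covers only the label and publishing steps.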
Storage Tier Requirements ("Readily/Easily Accessible")
SEC 17a-4 and FINRA 4511 require records to be "readily accessible" (SEC) or "easily accessible" (FINRA) for the first 2 years:
| Storage Tier | Access Time | Use For | Implementation |
|---|---|---|---|
| Hot Storage | Immediate | First 2 years of retention | SharePoint Online, Exchange Online |
| Cool Storage | Minutes | Years 3+ of retention | Azure Blob Cool Tier |
| Archive Storage | Hours | Long-term archive (after primary period) | Azure Blob Archive Tier |
Readily Accessible Definition
"Readily accessible" means records can be produced promptly upon regulatory request. For practical purposes:
- First 2 years: Records should be retrievable within hours
- Years 3+: Records should be retrievable within reasonable business days
Configure automated tiering to move records to Cool storage after 2 years while maintaining search/retrieval capability.
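The tiering described above, as an added PowerShell example that is not one of this control's own playbooks. It assumes the Az.Storage module, an Azure Storage lifecycle management rule as the tiering mechanism, a constructed resource group, storage account and blob prefix for exported records, and a 6-year primary period before the move to Archive.

```powershell
# Added example, not the control's playbook. Assumes the Az.Storage module; the resource
# group, storage account and prefix below are constructed placeholders.
Connect-AzAccount

$rg          = "rg-fsi-records"       # constructed placeholder
$account     = "stfsirecordsarchive"  # constructed placeholder
$prefix      = "agent-records/"       # container/prefix holding exported agent records
$primaryDays = 6 * 365                # assumed primary retention period before Archive

# Hot for the first 2 years (readily/easily accessible), Cool from year 3, Archive after the
# primary period. No Delete action: deletion stays under Purview retention and legal hold.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
    -DaysAfterModificationGreaterThan 730
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive `
    -DaysAfterModificationGreaterThan $primaryDays

# Exported records are written once, so modification age equals record age here.
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch $prefix -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name "fsi-readily-accessible-tiering" `
    -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account -Rule $rule

# Verify the rule landed with the expected day thresholds (730 and $primaryDays).
$policy = Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account
$policy.Rules | Where-Object Name -eq "fsi-readily-accessible-tiering" | ForEach-Object {
    $base = $_.Definition.Actions.BaseBlob
    "TierToCool after {0} days, TierToArchive after {1} days" -f `
        $base.TierToCool.DaysAfterModificationGreaterThan, $base.TierToArchive.DaysAfterModificationGreaterThan
}
```

Archive-tier blobs need rehydration before retrieval (hours, as in the table above), so keep the index or search catalogue for those records in a Hot or Cool location.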
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | 1-year conversation retention; automatic deletion | Minimal regulatory exposure |
| Zone 2 (Team) | 3-year retention; manager review disposition | Shared accountability |
| Zone 3 (Enterprise) | 7-10 year retention; compliance review; WORM or audit-trail alternative for broker-dealers | Maximum regulatory protection; 10 years recommended per framework |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview Records Manager | Retention label and policy configuration |
| Compliance Officer | Regulatory retention requirements and disposition review |
| Legal | Legal hold and litigation preservation |
| Power Platform Admin | Dataverse retention settings |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit log retention |
| 4.3 - SharePoint Retention | SharePoint-specific retention |
| 2.13 - Documentation | Documentation requirements |
| 1.5 - DLP and Sensitivity Labels | Sensitivity labels integration |
| 2.4 - Business Continuity | DR testing validates backup integrity (DR Testing Framework) |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- All FSI retention labels created and published
- Retention policies distributed successfully
- Test content retained (deletion blocked during retention)
- Disposition review workflow triggers at retention end
- Legal hold prevents deletion when applied
- Audit log captures deletion events
Additional Resources
- Microsoft Learn: Retention Policies and Labels Overview
- Microsoft Learn: Create Retention Labels
- Microsoft Learn: Disposition of Content
- Microsoft Learn: eDiscovery Holds
- Microsoft Learn: SEC 17a-4 Compliance
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current