What is the purpose of a Legal Hold in incident response?

Prepare for the Security Operations Exam with targeted practice questions. Enhance your understanding with detailed explanations and tips to successfully pass your exam!

Multiple Choice

What is the purpose of a Legal Hold in incident response?

Explanation:
Preserving evidence for potential legal action or regulatory investigation is the purpose of a Legal Hold. When a legal or regulatory process might require review of what happened, you suspend automatic data deletion (retention and log-rotation schedules) and ensure relevant data—emails, chat logs, system and security logs, backups, and other records—is preserved in its original state. This maintains the integrity and chain of custody of the evidence so it can be examined in court or by investigators if needed. A Legal Hold is not about fixing the incident or stopping the breach; those are containment and remediation steps. Applying patches, disabling user accounts, or actively containing the incident are separate parts of incident response, whereas a Legal Hold focuses on maintaining the completeness and admissibility of potentially relevant data.
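The phrase "preserved in their original state" is what investigators will later have to prove. The following example, added here and not part of the original question or the exam body, shows the usual technical counterpart of a Legal Hold: a hashed evidence manifest taken when the hold starts, which can be re-verified at any later point to show that nothing under hold was modified, removed, or added. The directory layout, file names, custodian name, and file contents are constructed sample data; the manifest format is an assumption for illustration, not a standard.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large exports and backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, custodian):
    """Record every file under `root` with its hash, size and mtime at the moment the hold starts."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.stat(path)
            files[rel] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {
        "created": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,            # who took custody; hypothetical field name
        "files": files,
    }


def verify_manifest(root, manifest):
    """Return a sorted list of discrepancies; an empty list means the held data is intact."""
    problems = []
    for rel, record in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != record["sha256"]:
            problems.append(f"modified: {rel}")
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest["files"]:
                problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo():
    """Constructed evidence set: take a manifest, confirm it verifies, then show tampering is detected."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        os.makedirs(os.path.join(root, "mail"))
        with open(os.path.join(root, "logs", "auth.log"), "w") as fh:
            fh.write("Jan 10 03:14:07 host sshd[1234]: Accepted publickey for svc from 10.0.0.5\n")
        with open(os.path.join(root, "mail", "export.eml"), "w") as fh:
            fh.write("Subject: constructed sample message\n\nhello\n")

        manifest = build_manifest(root, custodian="analyst@example.test")
        manifest_json = json.dumps(manifest, indent=2)   # stored outside the held directory
        clean = verify_manifest(root, json.loads(manifest_json))

        # Simulate what a hold is meant to prevent: a log rotated/appended, an email deleted, a stray file added.
        with open(os.path.join(root, "logs", "auth.log"), "a") as fh:
            fh.write("Jan 10 03:15:00 host sshd[1234]: session closed\n")
        os.remove(os.path.join(root, "mail", "export.eml"))
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("not part of the original evidence\n")
        tampered = verify_manifest(root, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("verify at hold time:", before)
    print("verify after changes:", after)
```

Keep the manifest (and ideally a signed or externally timestamped copy of it) outside the held location; a manifest stored next to the evidence proves nothing if an attacker or an automated cleanup job can alter both together.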