How Long to Keep Security Camera Footage Retention Periods, Policy, and Requirements by Industry
Most US businesses keep security camera footage for 30 to 90 days. The right number depends on your industry and the risks you carry. Banks often hold 90 days to six months, PCI sensitive areas need at least three months, and cannabis retailers follow state rules that run from 45 days to a year or more.
There Is No Single Number, but 30 to 90 Days Is the Baseline
For a general business with no specific regulatory mandate, 30 to 90 days of retention is the practical standard. Thirty days covers most short-term disputes and incidents that surface quickly. Sixty to ninety days gives you room for claims, theft, and HR matters that come to light weeks after they happen, which is the more common pattern.
Many camera systems ship with a 30-day default, and a recorder set to loop recording will overwrite the oldest footage once the drive fills, sometimes in as little as a week if you run many high-resolution cameras. That default is a hardware limit, not a policy decision, and it is usually the first thing to fix. The question worth answering is not what your system does today, but how long you actually need to be able to look back, and then sizing storage to match.
Three forces set the right number: the law or regulation that applies to your industry, the window in which incidents and claims tend to reach you, and what it costs to store the footage at the resolution and frame rate you need. The rest of this guide works through each one.
Figures are common practice and typical regulatory ranges. Confirm the exact rule with your regulator or counsel.
Security Camera Footage Retention Requirements by Industry
Where a regulation exists it sets a floor, not a ceiling. Many businesses keep footage longer than the minimum because claims and investigations rarely arrive on schedule.
| Sector | Typical Retention | What Drives It |
|---|---|---|
| General business and office | 30 to 90 days | Disputes, theft, and HR incidents that surface over weeks |
| Retail and loss prevention | 30 to 90 days | Shrink investigations, return fraud, slip-and-fall claims |
| Banks and financial | 90 days to 6 months | Fraud investigations and long claim windows |
| PCI DSS sensitive areas | At least 3 months | Req 9 physical access to areas housing cardholder data |
| Healthcare and HIPAA | 30 to 90 days (varies) | State law plus incident and claim timelines, not HIPAA itself |
| Cannabis retail and grow | 45 days to 1 year or more | State and municipal licensing rules, which vary widely |
| Casinos and gaming | 7 to 30+ days | Gaming commission rules; suspicious-activity clips held longer |
| Data centers and server rooms | 90 days+ | PCI, SOC 2, and customer audit requirements |
Ranges reflect common practice and typical regulatory minimums in the United States at the time of writing. Requirements change and vary by state and municipality, so confirm your exact obligation with the relevant regulator or your legal counsel before setting a policy.
What PCI DSS Actually Requires
PCI DSS does not set a retention rule for your store cameras in general. Requirement 9 calls for monitoring physical access to sensitive areas, the data centers and server rooms that house systems handling cardholder data, and the common reading is to keep that footage for at least three months unless local law restricts it. If you process card payments, the three-month figure applies to those sensitive areas, not to every camera on the property. Our PCI DSS video security page covers how to scope this.
Why HIPAA Does Not Set a Footage Window
HIPAA governs protected health information, not camera retention, so there is no federal rule that says hold video for X days. In practice, healthcare providers land on 30 to 90 days driven by state law, incident review, and the window for injury or liability claims. Placement matters more than duration here: cameras belong in public and access areas, never where patients are examined. See HIPAA video security for the placement and access controls that keep a system compliant.
What Determines How Long Footage Is Stored
Once you know the duration you need, retention becomes a storage problem. Five variables decide how many days a given amount of storage holds.
Number of Cameras
Every camera writes its own stream. Doubling the camera count roughly halves the days a fixed drive can hold, which is why retention quietly drops as a site adds coverage without adding storage.
Resolution
A 4K camera can use four times the storage of a 1080p one. Higher resolution gives you usable detail like faces and plates, but it shortens retention fast unless you plan storage around it.
Frame Rate
Recording at 30 frames per second captures smooth motion and consumes far more space than 10 to 15 fps. Many sites run lower frame rates on low-traffic cameras to stretch retention where motion detail matters less.
Continuous vs. Motion
Continuous recording captures everything and fills storage predictably. Motion-only recording can multiply retention several times over in quiet areas, at the risk of missing context around an event if tuning is off.
Compression
Modern codecs such as H.265 cut file sizes meaningfully over older H.264 at the same quality, so the same drive holds noticeably more days when cameras and recorder support the newer standard.
Where Footage Lives
Local recorders are capped by the drives installed. Cloud and hybrid storage let you set a retention period and pay for the days you actually need, instead of overwriting early when a drive fills.
Local Storage, Cloud, or Hybrid
A traditional DVR or NVR is limited by the hard drives inside it, so retention is whatever those drives can hold before loop recording overwrites the oldest video. Adding days means adding drives, and a failed drive can take its footage with it. That is fine for many sites, but it ties your retention to a box on the wall.
With cloud video surveillance you set the retention period you want and the storage scales to match, with footage held off site so a stolen or damaged recorder does not erase your evidence. A hybrid setup keeps recent video on local storage for fast access while archiving to the cloud for the longer window, which is a common choice for teams that want both speed and durability. Either way, retention becomes a setting you choose rather than a limit the hardware imposes. Our total cost of ownership guide helps you compare the long-run cost of each approach.
How to Set a Security Camera Retention Policy
A written retention policy keeps you consistent, defensible, and out of trouble for keeping footage either too briefly or too long.
Find Your Floor
Identify any regulation that applies to your industry, state, and city, and treat its minimum as the floor. If none applies, start from the 30 to 90 day baseline and adjust for your risk.
Match Your Risk Window
Look at how long incidents actually take to reach you. If theft, claims, or HR issues commonly surface a month or two later, set retention to cover that lag rather than the bare minimum.
Size Storage to the Number
Pick resolution, frame rate, and recording mode per camera, then size local or cloud storage to hold the chosen days. Cloud or hybrid lets you set the period directly instead of guessing at drives.
Write It Down and Preserve Exceptions
Document the retention period, who can access footage, and how you place a legal hold so relevant clips are exported and preserved beyond the normal window when an incident or lawsuit requires it.
The Legal Side: Routine Retention vs. Litigation Hold
You cannot keep every frame forever, and you are not expected to. The accepted approach is a consistent retention period for routine footage plus a process to preserve specific clips when they matter. The moment an incident occurs or you reasonably anticipate a claim, the relevant video should be exported and held separately so loop recording does not overwrite it. Deleting footage on your normal schedule is ordinary business. Deleting footage you knew was relevant to a dispute is a different and far more serious problem.
This is where investigation tools earn their place. When something happens, you need to find the right clips quickly, before the window closes. Video forensics and search tools let you pull, review, and export the footage that matters in minutes, so the evidence is preserved while the rest of the schedule runs as normal. A modern video management system makes both the routine retention and the export workflow something you manage from one place.
Common Questions About Footage Retention
How long do security cameras keep footage?
Most business security cameras keep footage for 30 to 90 days. The exact period depends on storage capacity, how many cameras you run, and the resolution and frame rate you record at. Systems set to loop recording overwrite the oldest footage once the drive fills, so retention can be shorter than expected on busy, high-resolution sites.
How long should a business keep security camera footage?
A general business should keep security camera footage for 30 to 90 days unless a regulation requires more. Thirty days covers fast-moving disputes, while 60 to 90 days catches incidents and claims that surface weeks later. Regulated sectors like banking, payment card environments, and cannabis often need longer, so check the rule that applies to you.
What is the default security camera retention period?
Many camera systems ship with a 30-day default, but that is a hardware limit rather than a recommended policy. A recorder using loop recording overwrites the oldest video once its drives are full, which on a site with many 4K cameras can happen in a week or two. Sizing storage to a chosen period is what sets retention deliberately.
How long do banks keep security camera footage?
Banks and financial institutions commonly keep security camera footage for 90 days to six months, and sometimes longer. Fraud and account disputes often surface well after the fact, so financial institutions retain footage long enough to support investigations. The exact period varies by institution policy and applicable regulation, so confirm your own requirement.
How long is security camera footage stored before it is overwritten?
On a local DVR or NVR using loop recording, footage is stored until the drives fill, then the oldest video is overwritten automatically. That window can range from a few days to several months depending on camera count, resolution, frame rate, and drive size. Cloud and hybrid storage avoid early overwriting by letting you set a fixed retention period.
Can security camera footage be recovered after it is deleted?
Once a loop-recording system overwrites footage, it is generally gone and not recoverable, which is why preserving important clips quickly matters. If a drive failed rather than overwriting, recovery is sometimes possible with specialist tools, but you should not rely on it. The safe practice is to export relevant footage to separate storage as soon as an incident occurs.
Does PCI DSS require 90 days of video footage?
PCI DSS does not require 90 days for general store cameras. Requirement 9 covers monitoring physical access to sensitive areas that house cardholder data systems, and the common reading is to retain that footage for at least three months unless local law restricts it. The three-month figure applies to those sensitive areas, not to every camera on site.
Related Solutions and Guides
Cloud Video Surveillance
Set the retention period you want, stored off site.
PCI DSS Video Security
Monitor sensitive areas and meet Requirement 9.
HIPAA Video Security
Compliant placement and access for healthcare.
Video Analytics for Banks
Branch and ATM security with long retention.
Video Forensics Software
Find and export the right clips before they age out.
Total Cost of Ownership
Compare the long-run cost of each storage model.
Make Retention a Setting, Not a Hardware Limit
Surveillant connects to the cameras you already own and lets you choose how long footage is kept, in the cloud or hybrid, with AI search and forensics to find and preserve the clips that matter. Start a free 14-day trial and set the retention window your business actually needs.