Do You Ignore Metadata (at Your Own Risk)?

________________
By Stefan Stoyanov
| Technology & Privacy

Metadata

When you create an electronic file – an email, spreadsheet, document or image – you are not merely creating the content you see on the screen. Beyond what is immediately apparent to the eye, metadata is generated within the file and often contains information that could be privileged or confidential. Metadata is basically data about data – for example, the file’s context, time and place of origin and record of revisions. Mishandling metadata, especially in the context of litigation and discovery procedures, poses a range of risks.

Metadata and Professional Responsibility

The issue of metadata as it relates to professional responsibility chiefly concerns two parties: the sender and the receiver of the document. Some states have developed specific requirements regarding the treatment of sent or received metadata, while other states have not pursued such regulation. Overall, the trend is to require lawyers to act with “reasonable care” with respect to transmitted metadata. Consider the following scenarios: 

Scenario 1: A lawyer uses a master service agreement to engage new clients and often customizes that agreement to reflect negotiated aspects of a particular business deal. The formerly templated agreement is adapted several times over from previous contracts with other companies, and the lawyer sends the most recent adaptation to a potential client before deleting the metadata from previous versions.  

Scenario 2: A lawyer is a former employee of a company. The lawyer takes copies of certain electronic documents and files when leaving the job – a common practice, which the lawyer believes to be innocuous and normal. However, while the face of the documents appear unproblematic, the metadata included in the documents may contain previous transaction records and other information about the company – which could amount to a trade secret violation dispute with the lawyer’s former employer.

Scenario 3: A lawyer is working through the discovery process in a litigation case. The opposing side demands certain documents and business records. The lawyer sends electronic copies of the requested documents, unaware that the metadata embedded in the documents includes information that the lawyer does not want the opposing side to know.

In each instance, the lawyer failed to handle metadata with “reasonable care” by disclosing or mishandling – however unintentionally – proprietary data and certain confidential and privileged information in ways that may compromise both lawyer and client.

Sending Electronic Files 

With these examples in mind, what is “reasonable care” with respect to dissemination of electronic files that may contain metadata? According to the American Bar Association (ABA) Standing Committee on Ethics and Professional Responsibility, there is no bright-line rule that imposes any specific duties on the sender of the document.

Similarly, states have identified a reasonable care standard without prescribing required duties or steps. In all, 18 states have enacted or required such measures, including New York. In December 2016, Texas became the latest state to issue a metadata-related opinion, and the approach there is instructive. The State Bar of Texas indicated that, based on a lawyer’s duty of competence and confidentiality, a lawyer is required to take “reasonable measures” to avoid the potentially illegal transmission of electronic information embedded in the electronic document. Whether or not a certain measure is considered “reasonable” depends on such factors as the nature of the document, the sensitivity of the information, and the identity of the recipient. Nevertheless, the opinion recommends “scrubbing” metadata from all electronic documents before transmission.

Practically speaking, eliminating metadata from any document before sending it is relatively straightforward. A few suggested methods to accomplish this are below:

  1. If you need to send an editable version of a document for other people to make revisions, but do not want to share your old revisions, versions, personal information, and other sensitive data, use the Microsoft Office “Document Inspector.”  It works with MS Office applications, including Microsoft Word®, Excel®, and PowerPoint®. For Windows files, you can also use Windows Explorer, which lets you view and delete various embedded information. You access that functionality by right clicking on a file and selecting “Properties.”  After that, select “Details" > "Remove Properties and Personal Information" > "Create a copy with all possible properties removed."  While in the past there were multiple “document scrubber” programs, today, the Microsoft Document Inspector is the most common one. 
  2. Convert the document into a PDF file format. Much of the sensitive information from a MS Office document (e.g., tracked changes) will not be incorporated into the resulting PDF, thereby rendering it more secure. As an Adobe official blog states: “metadata doesn’t get into a PDF accidentally. You have to try really hard to put it there.” 
  3. However, PDF files may include metadata of their own (e.g., title, author, various dates, etc.), which can be viewed, edited, and removed using the Adobe Acrobat “Hidden Data” Tools or the Windows Explorer. If absolute security is paramount, you can “Flatten” PDFs – usually under the top menu, or with the Document Optimizer – which converts each page of the PDF into a TIFF (without preserving metadata) and then reconstitutes the pages into a PDF. 
  4. To remove GPS location and other EXIF information from images, popular products include Metability QuickFix and JPEG & PNG Stripper. They allow you to remove this data. 

Receiving the Document

In issuing guidance regarding the accidental receipt of metadata, the ABA has taken a relatively relaxed approach. According to the ABA’s ethics panel, the Ethics Rules do not bar a recipient of a document containing metadata from exploiting such inadvertently sent metadata, under the sole requirement that the sender be notified. Note, however, that the above opinion only addresses ethics violation; it does not permit the recipient of inadvertently disclosed metadata to actually use it against an opposing party, for example, in litigation. Court rules that govern discovery often state that inadvertently disclosed attorney-client privileged information does not lose its protection due to accidental disclosure, whether in the form of metadata or otherwise. Privileged information that is inadvertently disclosed often must be returned, and depending on the circumstances of its disclosure cannot be relied upon in litigation. 

New York, on the other hand, imposes significantly stronger protections, barring recipients of inadvertently transmitted metadata from deliberately reviewing it. Such conduct, in New York, violates the state’s disciplinary rules – and mining and reviewing accidentally transmitted metadata, when the receiving lawyer knows or has reason to know that it was inadvertently transmitted, is considered akin to surreptitiously obtaining information that is protected by the attorney-client privilege or that may otherwise constitute a “secret” for the opposing counsel. New York also requires the recipient to notify the sender of the inadvertent disclosure.

The recent opinion of the State Bar of Texas also addressed this issue. While that opinion declines to offer protections as strong as New York’s, the opinion does suggest that an attorney who has accessed metadata contained in electronic documents may not act as if he is unaware of its existence in order to protect his own interests.

Some States Still Lag Behind

While identifying metadata-related duties has been a growing trend in recent years across many state court systems and bar associations, the majority of U.S. states (including states generally considered to be important commerce centers like California and Illinois) have yet to explicitly address the subject. For example, while the California ethics rules do not squarely address the treatment of inadvertently disclosed confidential material, such as metadata, the courts have held that if a lawyer receives material that “obviously appears to be” confidential or subject to a privilege and can reasonably conclude that the disclosure was inadvertent, the receiving attorney i) may not examine the materials any more than is essential to ascertain that it is indeed privileged; ii) must immediately notify the sender; and iii) must proceed to resolve the situation.

Still, given the emerging consensus around a reasonable care standard, proceeding on that basis may be prudent for lawyers doing business within states that have not yet addressed the issue just as it is for lawyers in states with on-point opinions and/or regulations. 

Overall, the lesson and trends here are clear: before sending and reviewing electronic documents, always make sure you have considered – and then properly handled – any attendant metadata.   

You may also be interested in...
Like what you're reading?
Sign up to get updates.