What's the Meta with Metadata?

You work in a small law firm that concentrates in litigation matters. In one of the cases you're handling, you've drafted a letter to opposing counsel in which you explain your client's position with regard to ongoing settlement negotiations. Before you send the letter, you e-mail a copy to your partner and ask for comments. He e-mails the letter back to you with his comments typed into the letter, offering suggestions based on client confidences and strategies that would compromise the client's position if they were revealed to the other side. 

You review the suggested revisions, delete the confidential information, and make the appropriate revisions to the document. You are now ready to e-mail it to opposing counsel. Are there any precautions you should take before you press the "send" button?

The lawyer in the above scenario should be concerned about "metadata" - data embedded in an electronic document that is not readily visible or available to the reader. Using appropriate software, a recipient of the e-mailed document can recover this data, which may include confidential client information - information the sending lawyer thought he had deleted. 

Metadata may reveal who worked on a document, the name of the organization that created or worked on it, information about prior versions of the document, recent revisions, and comments inserted in the document during drafting or editing, the committee said. The hidden text may reflect editorial comments, strategy considerations, legal issues raised by the client or the lawyer, or legal advice provided by the lawyer...  ABA/BNA Lawyers' Manual on Professional Conduct 21 Current Rep. 39 (2004)

David Hricik and Robert Jueneman, in an article titled "The Transmission and Receipt of Invisible Confidential Information, 15 No. 1 Prof. Law 18 (2004), list the types of information that could be transmitted as metadata:

Some metadata is easily accessible through the Word user interface. Other metadata is only accessible through extraordinary means, such as by opening a document in a low-level binary file editor. The following are some examples of metadata that may be stored in your documents:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• The names of previous document authors
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments

Back to top

To the extent that the opposing lawyer in the above scenario is able to recover confidential client information from metadata in the transmitted letter, it is arguable that the transmitting lawyer may be viewed to have made an "inadvertent disclosure" of the information.  ABA Opinion 92-368 Inadvertent Disclosure of Confidential Materials (1992) (withdrawn, 2005) stated that a lawyer who receives an errant fax or a misdirected letter would have an obligation to refrain from examining them and should contact the sending lawyer to ask for instructions. This opinion has since been superseded by Rule 4.4 of the ABA Model Rules as amended pursuant to the ABA Ethics 2000 Commission's recommendations, and was subsequently withdrawn by Formal Opinion 05-437 (2005) [PDF]. Rule 4.4 states that once a lawyer receives a document, he has an obligation only to notify the sender that he has received it. State bar ethics opinions vary in their conclusions on this issue. Check your local rules.

Two New York State Bar opinions that have addressed metadata issues have found the inadvertent disclosure analysis to be applicable. New York State Bar Opinion 782 concludes:

...Lawyer-recipients also have an obligation not to exploit an inadvertent or unauthorized transmission of client confidences or secrets. In N.Y. State 749, we concluded that the use of computer technology to access client confidences and secrets revealed in metadata constitutes "an impermissible intrusion on the attorney-client relationship in violation of the Code." N.Y. State 749 (2003). See also N.Y. State 700 (1997) (improper for a lawyer to exploit an unauthorized communication of confidential information because doing so would constitute conduct "involving dishonesty, fraud, deceit or misrepresentation" and "prejudicial to the administration of justice" in violation of DR 1-102(A)(4) and DR 1-102(A)(5), respectively). [FN4]

A feature of the metadata inadvertent disclosure scenario that may distinguish it from the misdirected fax or erroneously produced document in response to a discovery request is that the lawyer who wants to see the metadata has to affirmatively use software to recover it as opposed to a situation where the lawyer simply receives a document that he knows or subsequently discovers to be privileged or confidential. New York State Bar Opinion 749 makes note of this distinguishing aspect, stating:

The circumstances of the present inquiry present an even more compelling case against surreptitious acquisition and use of confidential or privileged information than that presented by the "inadvertent" or "unauthorized" disclosure decisions. First, to the extent that the other lawyer has "disclosed," it is an unknowing and unwilling, rather than inadvertent or careless, disclosure. In the "inadvertent" and "unauthorized" disclosure decisions, the public policy interest in encouraging more careful conduct had to be balanced against the public policy in favor of confidentiality. No such balance need be struck here because it is a deliberate act by the receiving lawyer, not carelessness on the part of the sending lawyer that would lead to the disclosure of client confidences and secrets.

Nor need we balance the protection of confidentiality against the principles of zealous representation expressed in Canon 7. Our Code carefully circumscribes factual and legal representations a lawyer can make, people a lawyer may contact, and actions a lawyer can take on behalf of a client. Prohibiting the intentional use of computer technology to surreptitiously obtain privileged or otherwise confidential information is entirely consistent with these ethical restraints on uncontrolled advocacy.

Back to top

Many commentators urge lawyers to be extremely cautious when transmitting documents electronically, and suggest that they make full use of available software to "scrub" metadata from them before they are sent. Some suggest that a lawyer has an affirmative duty to remove metadata. Anthony E. Davis, in The Intersection of Professional Responsibility and Technology New York Law Journal, March 7, 2005, discussing New York State Bar Opinion 782, states:

...While the committee may have been concerned about seeming to exceed its jurisdiction by suggesting a hard-and-fast rule requiring lawyers either to "scrub" the offending "metadata" or use a transmission format that otherwise eliminates it from prying eyes, such a rule may make practical sense.

Similarly, it is not enough to say that it is also unethical for lawyers themselves to search for and read other parties' "metadata;" after all, as the committee also notes, clients do not operate under any such restriction or inhibition. From a risk-management point of view, it is much easier to express and then enforce a clear and absolute rule.

See Douglass R. Richmond, The Attorney-Client Privilege And Associated Confidentiality Concerns In The Post-Enron Era, 110 Penn St. L. Rev. 381 2005).

New York State Bar Opinion 782 provides some useful practice tips on how to remove metadata from electronic documents. However, there is no foolproof solution. Hricik and Jueneman state, " Finally, if you are really and truly paranoid about this stuff, you can print the document to paper and scan it in again, or even (gasp!) mail the paper document to someone."

Paragraph 17 of the Comment to Rule 1.6, which was added pursuant to the ABA Ethics 2000 Commission's recommendations to address confidentiality/security concerns when lawyers use the Internet to transmit confidential client information via e-mail or other means, may also be applicable:

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

See Also ABA Formal Opinion 99-413.

Further information on inadvertent disclosure is located on the ETHICSearch Web site here.

ETHICSearch is an invaluable benefit of ABA membership. It offers a fast and economical way to find the right resources to help resolve your ethics questions. Operated through the ABA Center for Professional Responsibility, ETHICSearch is staffed with lawyers experienced in legal ethics research. They will cite relevant ABA rules, opinions and other ethics resources for you - typically at no charge!

Call with your ethics questions at (800) 285-2221, fax (312) 988-5491, or e-mail us at ETHICSearch@ staff.abanet.org.

Back to top