|Oregon State Bar Bulletin APRIL 2007|
Guarding Against the Disclosure of Embedded Information
By Sylvia E. Stevens
metadata: noun plural but singular or plural in construction: data that provides information about other data.1
This is a relatively new word in the lexicon of lawyers. As used here, metadata is information embedded in electronic documents that describes or supplements the principal data. At its simplest, metadata describes how, when and by whom a document was created and how it is formatted. A familiar example of metadata in a different context is that which is produced by a digital camera and describes the settings used for a picture, such as exposure value or flash intensity. It is extra data that merely adds information but is not critical to the utilization of the main data (the picture).
The significance of metadata for lawyers is that the electronic documents we produce contain embedded information that can be retrieved by opposing parties or others with whom we share the document. As lawyers have become more aware of metadata, questions have arisen regarding the obligation of a lawyer who sends and receives, in the course of negotiations, due diligence review, litigation, investigations and other circumstances, documents containing embedded information. Helpful guidance on those issues is now available in ABA Formal Opinion 06-442.2
The ABA opinion begins with a reminder of the ubiquitious nature of metadata. Some of it is fairly obvious even to novice users. Most word processing programs embed information about: the date and time that a document was created, modified and last accessed; the name of the owner of the computer on which the document was created and the name of the person who last saved it; and "redline" changes and reviewer comments. All of this information can be easily revealed with the click of a mouse. Computer forensics also permit the retrieval of metadata that the creator (or other provider) of the document didn’t realize existed or thought had been deleted.
A considerable amount of embedded information is likely to be of little consequence. It will be the rare case where the identity of the document’s author or the date and time it was created is material to a matter. However, establishing "who knew what when" may be crucial in some situations; similarly, redlined information and comments in a document may be revealing of the opposing party’s settlement posture or assessment of their case.
No ABA model rule3 bears directly on the propriety of a lawyer reviewing or using metadata in electronic documents, although Rule 4.4(b) addresses the responsibility of a lawyer who receives a document that the lawyer knows or reasonably should know was inadvertently sent. Even if the sending of metadata is presumed to be inadvertent, Rule 4.4(b) provides no guidance on the receiving lawyer’s review or use of the information. It requires only that the receiving lawyer promptly notify the sender. Comment  notes that the purpose of notice in the rule is to permit the sending lawyer to take appropriate protective measures, but whether the receiving lawyer is required to take additional steps is a matter of law beyond the scope of the rules. Comment  indicates that, in the absence of a legal requirement to return the document unread, a lawyer may do so voluntarily, but the decision to return or use is a matter of professional judgment reserved to the lawyer.
The ABA opinion rejects the view of some authorities4 that a lawyer’s search for and use of metadata is dishonest. This is based on the relatively recent5 addition of Rule 4.4(b) to the model rules and its sole requirement of notice to the sender, which the committee concludes is evidence of the drafters’ intention to impose no other restrictions on the receiving lawyer’s conduct. Whether the receiving lawyer "knows or reasonably should know" that the sender’s delivery of an electronic document containing metadata was "inadvertent" is a subject outside the scope of the rules and the opinion, although it is suggested in a footnote that a relevant factor is whether the metadata was a privileged communication. (The opinion also presumes that the receiving lawyer did not obtain the documents in a manner that was criminal, fraudulent, deceitful or otherwise improper in violation of Rule 4.1(a).)
Interestingly, the ABA opinion is essentially silent about the ethical obligations of the lawyer sending or producing an electronic document containing metadata. The opinion comments at some length on methods the sending lawyer might use to avoid the creation or retention of metadata in documents, ranging from the use of technology to confidentiality agreements or protective orders. Not mentioned, however, is whether a lawyer who is aware of the fact of metadata but fails to take any precautions to prevent the transmission of it has violated the duty of confidentiality under RPC 1.6.
By comparison, early ethics opinions and articles on the risks of electronic communication focused almost exclusively on the obligations of the lawyer who risked using cell phones or e-mail, because of the ease with which such communications could be compromised. Over time, some of the concern about the propriety of such communication methods has eased, based in part on the fact that interception of electronic communications violates state and federal law, supporting the view that persons using such methods have a reasonable expectation of privacy. Most authorities now agree that it is not per se improper for lawyers to use unencrypted e-mail or to communicate by cell phone.
The only state bar opinion to address the issue of sending metadata concludes that to comply with the duty to protect information relating to the representation of a client, lawyers must "take reasonable steps to protect confidential information in all types of documents and information that leave the lawyers’ offices, including electronic documents and electronic communications with other lawyers and third parties."6 Unlike cell phone and e-mail users, senders of documents with embedded information enjoy no protection from laws prohibiting the extraction and use of metadata. Accordingly, the lawyers who are most at risk because of the fact of metadata are those who send documents without taking reasonable steps to protect the transmission of the embedded information. Recipients of the metadata, however, as explained in the ABA opinion, are generally free to review and use metadata transmitted inadvertently in documents.
The ABA opinion stands as an important reminder that it behooves lawyers to learn and understand technological advances that are integral to their practice so that they do not inadvertently send information that they might later wish they had not.
1. Merriam-Webster Online Dictionary.
2. ABA Opinions can be purchased from the ABA’s online store for $7.50 each.
3. The Oregon Rule of Professional Responsibility closely follow the ABA Model Rules, and the Model Rules discussed in ABA Op. No. 06-442 are identical to their Oregon counterparts.
4. New York State Bar Ass’n Comm. On Prof’l Ethics Op. 749 (2001) (a lawyer may not intentionally use computer technology to surreptitiously obtain privileged or otherwise confidential information of an opposing party); Florida Bar Prof’l Ethics Committee Adv. Op. 06-2 (2006).
5. Model Rule 4.4(b) was added to the ABA Model Rules in 2002 on the recommendation of the Ethics 2000 Commission in an effort to provide black-letter guidance in this area.
6. Florida Bar Prof’l Ethics Committee Adv. Op. 06-2 (2006).
ABOUT THE AUTHOR
Sylvia Stevens is general counsel of the Oregon State Bar. She can be reached at (503) 620-0222 or (800) 452-8260, ext. 359, or by e-mail at email@example.com.
© 2007 Sylvia Stevens