|Oregon State Bar Bulletin JUNE 2012|
Guarding (and Exploiting) Metadata
By Helen Hierschbiel
Electronic communication is as basic and integral to most lawyers’ law practices as the telephone and fax once were. It may be hard to imagine now, but the first ethics opinions that addressed the use of electronic communications prohibited lawyers from using cell phones and unencrypted email because of concerns about the risk of disclosure of client confidential information. These days, as the expectation of privacy in these modes of communication has grown, most ethics authorities agree that it is not per se improper for lawyers to use unencrypted email and cell phones in their law practices. ABA Formal Ethics Op No 99-413 states:
Email communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy… The risk of unauthorized interception and disclosure exists in every medium of communication, including email. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception and dissemination of the information is a violation of [the law].
Even so, when client information is particularly sensitive or the risk of harm in the event of disclosure particularly high, the lawyer may want to avoid email communications or implement special security measures. See ABA Model Rules Comment .
The more common danger of electronic communication is not unauthorized interception by a third party, but the lawyer’s own inadvertent disclosure to an unintended recipient. The speed and ease of email communications belie the danger of sending documents electronically without adequate aforethought. The classic horror story is when a lawyer accidentally loops opposing counsel in on what are intended to be privileged lawyer-client email communications.
Even when a lawyer intends to send a particular document, she may not intend to send its “metadata,” which is the embedded, often hidden, information within the document that provides information about the document itself, such as how, when and by whom it was created or edited. Some metadata is readily accessible by and visible to even the least technologically savvy among us. Other metadata may be accessible only with the help of a computer forensic expert or special software.
Most lawyers these days have at least heard of “metadata” but many don’t fully understand its reach or importance. Metadata exists in word processing documents, but it also exists in spreadsheets, database files, images, videos, zip files, email messages, PDFs and every other type of electronic file. It consists of path and file name, author, date and time created, document version history, comments, tracked changes, template information, network or server name, undo and redo history. This information may be largely immaterial in many cases, but could be crucial in some.
In order to assist lawyers with understanding their obligations when transmitting and receiving metadata, the OSB Board of Governors issued OSB Formal Op No 2011-187 at the end of 2011.
Two rules inform a lawyer’s duties when sending documents electronically. Oregon RPC 1.1 requires a lawyer to provide competent representation to a client, meaning the lawyer must possess the “legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” In addition, RPC 1.6(a) requires a lawyer to “not reveal information relating to the representation of a client.” “Information relating to the representation” is a defined phrase under RPC 1.0(f) and includes both information that is subject to the attorney-client privilege and other information gained during the course of the representation that the client has asked be kept secret or the disclosure of which would be embarrassing or likely to be detrimental to the client. With these two rules as a backdrop, the OSB Legal Ethics Committee concludes that competency in relation to metadata requires a lawyer who uses electronic communications to maintain at least a basic understanding of the technology and the risks of revealing metadata or to use adequate technology support. OSB Formal Op. No. 2011-187.
This conclusion is neither new nor unique to Oregon. See OSB Formal Ethics Op No 2005-141 (lawyer must make reasonable efforts to ensure that third party document recycler does not disclose client confidential information.) Other jurisdictions have long been unanimous in expecting lawyers to exercise reasonable care to avoid the disclosure of confidential information. See, e.g., Arizona Ethics Op No 07-03 (lawyer must take “reasonable precautions” to prevent communication of metadata containing client information). Comment (16) to the ABA Model Rules states “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”1
Acting competently does not require that the lawyer be free of any and all mistakes. On the contrary, the Oregon Supreme Court has made clear that an isolated mistake does not necessarily amount to incompetence. See In re Magar, 335 Or 306 (2003)(“…incompetence and negligence are not synonymous terms. A lawyer – otherwise knowledgeable, skillful, thorough, and prepared – might commit a misstep for which he or she might have to respond in damages. That lawyer, although negligent, has not violated (RPC 1.1).”)
Instead, it simply requires that lawyers use reasonable care to avoid disclosure of client confidences. “With respect to metadata in documents, reasonable care includes taking steps to prevent the inadvertent disclosure of metadata, to limit the nature and scope of the metadata revealed, and to control to whom the document is sent.” OSB Formal Ethics Op No 2011-187. Such steps might include scrubbing the metadata from the document prior to electronic transmission or converting the document to a format (such as PDF) that does not include the metadata. What constitutes reasonable care will change as technology changes.
Lawyers who receive metadata in electronic documents also have duties. If a lawyer who receives a document knows or should have known that the document was inadvertently sent, the lawyer must notify the sender promptly. RPC 4.4(b). OSB Formal Ethics Op No 2011-187 reads this rule to apply to the inadvertent disclosure of metadata as well.
How is a lawyer expected to know that a document or its embedded information has been inadvertently sent? Factors to consider may include: whether the document was sent in its native application or was converted to PDF; the nature of the information; how easily the data may be viewed (is it readily apparent on the face of the document, or hidden beneath several layers); the standard of practice between lawyers generally and between the lawyers in a given situation. For example, lawyers who are negotiating the terms of a contract or the terms of a settlement agreement commonly send the document at issue with track changes readily visible. The Legal Ethics Committee opines that given the sender’s duty to exercise reasonable care in regard to metadata, the recipient might reasonably conclude that this metadata was intentionally left in the document. On the other hand, a lawyer who goes to the trouble of converting a document to PDF, but the document includes a comment which appears to be made by the lawyer to his client, likely has inadvertently sent that piece of metadata.
Assuming that the metadata was inadvertently sent, RPC 4.4(a) requires the recipient lawyer to promptly notify the sender in order to give the sender the opportunity to take steps to protect the confidentiality of the information after its transmission. Thus, when in doubt about the intent of sending the information, a lawyer may decide that giving notice is the most cautious approach.
The more difficult question that is not addressed by the rules of professional conduct is whether the receiving lawyer must return the document unread or comply with a request by the sender to return the document. The answer to these questions lies in the substantive law of privilege. See OSB Formal Op No 2005-150.2 If a lawyer makes a good faith argument that the substantive law supports a claim of waiver, thereby allowing him to review and use the document in question, the lawyer does not risk being disciplined even if the lawyer is wrong.
Although the lawyer may not risk discipline, the lawyer may risk disqualification, or worse yet, his reputation. Thus, lawyers should carefully consider the advantages and disadvantages before using inadvertently sent documents or metadata. Lawyers should also consult with their clients before making the decision. OSB Formal Op No 2005-187. The ultimate decision of whether to return or retain, however, is left to the lawyer’s professional judgment. Id.
1. The ABA Commission on Ethics 20/20 is proposing several amendments to the ABA Model Rules and their Comments to clarify that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access. Details of the most recent proposals are available here.
2. Cf. Goldsborough v. Eagle Crest Partners, Ltd., 314 Or 336 (1992) (waiver by disclosure in response to discovery request; no evidence of mistake, inadvertence or lack of client authorization); and GPL Treatment, Ltd. v. Louisiana-Pacific Corp., 133 Or App 633, 638–639 (1995), aff’d on other grounds, 323 Or 116 (1996) (no error in trial court’s exclusion of evidence on determination of no waiver by inadvertent disclosure; no awareness by sender of recipient’s intent to offer as evidence until offered at trial).
ABOUT THE AUTHOR
Helen Hierschbiel is general counsel for the Oregon State Bar. She can be reached at (503) 620-0222, or toll-free in Oregon at (800) 452-8260, ext. 361, or by email at firstname.lastname@example.org.
© 2012 Helen Hierschbiel