eDiscovery Daily Blog
eDiscovery Trends: Metadata Mining Ethics
Years ago, I put together a CLE course about metadata awareness and how hidden data (such as tracked changes and comments) can cause embarrassment or even inadvertent disclosures in eDiscovery. The production of metadata with ESI continues to be a big issue in eDiscovery and organizations need to consider how to handle that metadata (especially if it’s hidden), to avoid issues.
For those who don’t know, metadata can be simply defined as “data about data”, which is to say it’s the data that describes each file and includes information such as when it was created, when it was last modified and who last modified it. Metadata can often be used in identifying responsive files based on time frame (of creation or last editing) or other criteria.
Many types of files can contain other hidden metadata, such as a record of the changes made to a file, who made those changes, and any comments that those parties may have also added (for example, Microsoft Word has Tracked Changes and Comments that aid in collaboration to obtain feedback from one or multiple parties regarding the content of the document). Embedded objects can also be hidden. For example, depending on how you embed an Excel table into a Word document, the entire Excel file may be accessible within the document, even though only a small part of it is displayed.
Last fall, the American Bar Association published an article with a look at metadata ethics opinions, which was also recently referenced in this article. The opinions issued to date have focused on three topics with regard to metadata production:
- The sender's responsibility when transmitting or producing electronic files;
- The recipient's right to examine (or "mine") files for metadata; and
- The recipient's duty to notify the sender if sensitive data is discovered.
Sender’s Responsibility
Jurisdictions agree that an attorney sending or producing ESI has a duty to exercise caution to avoid inadvertently disclosing confidential information, though the level of caution required may vary depending upon the jurisdiction and situation. In SBA Ethics Opinion 07-03, the State Bar of Arizona's Ethics Committee indicated that level of caution may depend upon "the sensitivity of the information, the potential consequences of its inadvertent disclosure, whether further disclosure is restricted by statute, protective order, or confidentiality agreement, and any special instructions given by the client."
Ignorance of technology is no excuse. The Colorado Bar Association Ethics Committee states that attorneys cannot limit their duty "by remaining ignorant of technology relating to metadata or failing to obtain competent computer support." (CBA Ethics Opinion 119).
Recipient’s Right to Examine
There is less jurisdictional agreement here. Colorado, Washington D.C. and West Virginia allow metadata mining unless the recipient is aware that the data was sent unintentionally. On the other hand, New York and Maine prohibit metadata mining – the New York State Bar Association's Committee on Professional Ethics based its decision in part on the "strong public policy in favor of protecting attorney-client confidentiality." (NYSBA Opinion 749). Minnesota and Pennsylvania have not set a bright-line rule, stating that the decision to allow or prohibit metadata mining should depend on the case.
Recipient’s Duty to Notify
Most jurisdictions rely on their local variation of ABA Model Rule of Professional Conduct 4.4(b), which indicates that an attorney who receives confidential data inadvertently sent is obligated to notify the sender. Maryland is one exception to that position, stating that "the receiving attorney can, and probably should, communicate with his or her client concerning the pros and cons of whether to notify the sending attorney." (MSBA Ethics Docket 2007-09).
Bottom Line
You may not be able to control what a recipient can do with your inadvertently produced metadata, but you can take steps to avoid the inadvertent production in the first place. Office 2007 and later has a built-in Document Inspector that removes the hidden metadata in Office files, while publishing files to PDF will remove some metadata (the amount of metadata removed depends on the settings). You can also use a metadata “scrubber” application such as Workshare Protect or Metadata Assistant to remove the metadata. Most of these will even integrate with email so that you have the option to “scrub” the file before sending.
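As a pre-send check for the hidden data described above (tracked changes, comments, embedded objects and author properties), the following added example, which is not from the original post or from any of the tools it names, audits a .docx file, which is a ZIP package of XML parts. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"

def audit_docx(data: bytes) -> dict:
    """Report hidden content in a .docx package before it is sent or produced."""
    report = {"insertions": 0, "deletions": 0, "comments": 0,
              "embedded": [], "creator": None, "last_modified_by": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            # Tracked changes are stored as w:ins / w:del elements in the body.
            report["insertions"] = len(list(body.iter(W + "ins")))
            report["deletions"] = len(list(body.iter(W + "del")))
        if "word/comments.xml" in names:
            root = ET.fromstring(z.read("word/comments.xml"))
            report["comments"] = len(list(root.iter(W + "comment")))
        # An embedded object (e.g. a whole Excel workbook) sits under word/embeddings/.
        report["embedded"] = [n for n in names
                              if n.startswith("word/embeddings/") and not n.endswith("/")]
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            report["creator"] = core.findtext(DC + "creator")
            report["last_modified_by"] = core.findtext(CP + "lastModifiedBy")
    return report

def make_sample() -> bytes:
    """Constructed sample package (minimal parts only, not a real production document)."""
    wns = 'xmlns:w="' + W[1:-1] + '"'
    doc = (f"<w:document {wns}><w:body><w:p>"
           '<w:ins w:id="1" w:author="Reviewer"><w:r><w:t>added</w:t></w:r></w:ins>'
           '<w:del w:id="2" w:author="Reviewer"><w:r><w:delText>cut</w:delText></w:r></w:del>'
           "</w:p></w:body></w:document>")
    comments = f'<w:comments {wns}><w:comment w:id="0" w:author="Reviewer"/></w:comments>'
    core = (f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">'
            "<dc:creator>Author A</dc:creator>"
            "<cp:lastModifiedBy>Editor B</cp:lastModifiedBy></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/comments.xml", comments)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"constructed placeholder")
    return buf.getvalue()
```

This checks only the four categories listed, so an empty report does not show that a file carries no other metadata. It uses the standard-library XML parser and is meant for your own outgoing files.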
So, what do you think? Have you been “stung” by hidden metadata? Please share any comments you might have or if you’d like to know more about a particular topic.