By Judy Broom

Pssssst. Hey, buddy, your metadata is showing!

Consider the soldier who unknowingly released classified military information last year when he posted to the Internet a PDF document, with secret portions of a report carefully blacked out, only to discover that a relatively unsophisticated Web surfer was easily able to remove the “redactions” and post the document in full. The world learned all about the military investigation into the death of an Italian civilian at a Baghdad roadblock. Embarrassed? Yes. Court-martialed? Perhaps.

Or consider the team of attorneys for the software company SCO who in 2004 drafted a complaint first naming the Bank of America, but decided a few days before filing to sue Daimler-Chrysler instead. Do you suppose they were surprised to learn that if you don’t get rid of the redlining in a Word document, the recipient can see everything you have deleted? No doubt they were surprised, embarrassed and, worse, guilty of putting their client at a serious legal disadvantage.

Closer to home, consider a transactional lawyer whose client might learn, at the click of a mouse, the source of the agreement, supposedly drafted to meet the client’s unique needs, but in fact copied from a competitor’s document. Problem? Maybe and maybe not.

Consider yourself warned

Web and news accounts of high-profile metadata blunders abound. The risks posed to the everyday legal practitioner are becoming well known, and bar associations, ethics boards and the courts are responding with concern.

“Metadata” probably didn’t exist when you started law school. The word made it into Merriam-Webster’s Collegiate Dictionary just last year with this definition: “data that provide information about other data.”

The profile that Word (or WordPerfect) automatically makes when you save a document contains information about who created the document and when -- plus much, much more. See for yourself next time you are looking at a document in Word: click on “file,” then, from the dropdown menu, on “properties.”

Metadata exists in virtually all electronic documents and can include prior versions of documents, tracked changes, e-mail routing information, “hidden” notes and formulas in Excel documents, to name just a few. Yes, even Adobe’s PDF files contain metadata.

The problems posed by metadata ignorance for lawyers, their staff and their clients are many and serious. Take the SCO attorneys referred to earlier. They inadvertently disclosed a good deal about their legal strategy.

Lawyers who are unaware of what is behind the scenes may be apt to disclose client confidences, privileged information, work product, trade secrets and protected medical information. Similarly, clients who do not know what metadata exists in the document you provide may pass along information to their own detriment.

Failing to make a specific discovery request for metadata where appropriate or not asking a party to produce electronic files in “native” format, i.e., with metadata intact, could jeopardize a case. Failing to object if your client’s hard drive, loaded with privileged material, is requested for examination could be equally grave -- and expensive. Forensic examination and analysis of a single computer hard drive can easily cost $5,000.

The ethical implications under existing Rules of Professional Conduct relate most clearly to violating the prohibition against revealing client confidences or secrets. At this writing, neither the Washington State Bar Association nor the American Bar Association had issued a formal ethics opinion relating specifically to metadata.1 Nonetheless, there are signs that ethical standards are beginning to emerge.

In 2001, the New York State Bar Ethics Committee observed that modern computer technology allows sophisticated users to “get behind” what is visible on a computer screen and indicated that such behavior, when counsel plainly does not intend a recipient to have this information, violates ethical principles.2 Three years later, the same committee found that counsel who made an inadvertent electronic disclosure, specifically by sending by e-mail a document containing metadata, fell short of ethical standards, stating that “a lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances.”3

At the same time, the committee reinforced the recipient attorney’s “obligation not to exploit an inadvertent or unauthorized transmission of client confidences or secrets.” But as set forth in the 2001 opinion, the committee holds the sending attorney to a slightly higher standard.

How does an attorney protect himself or herself and clients? As suggested by the 2004 New York ethics opinion, lawyers may have a responsibility to learn about what metadata is, how to deal with it and take steps accordingly. A review of the two opinions cited above is a worthwhile and easy exercise. They are available on the Web at the New York Bar Association Web site, http://www.nysba.org/, under the “publications” section.

See the accompanying article for more resources for learning about metadata, the risks it poses and how to clear it from your documents.

1 ABA Formal Opinion No. 99-413 (1999) does address the topic of “Protecting the Confidentiality of Unencrypted E-Mail” and concludes unencrypted e-mail is acceptable given “a reasonable expectation of privacy.” The opinion does not address the topic of metadata.

2 New York State Bar Ass’n Comm. On Professional Ethics, Op. 749, 2001.