Metadata Update: The Duty of Reasonable Care
E-Ethics Vol. III, No. II (Feb. 2005)
(c) 2005 by Professor David Hricik
Mercer University School of Law
A December 2004 ethics opinion by the New York State Bar Association imposes a duty on lawyers to monitor against improper disclosure of metadata. (If you don't know what metadata is, but you use Microsoft Word or Corel Word Perfect, or disclose or transmit to third parties client documents created with such programs, you should read my article about it here.). The opinion is the first of its kind, is pretty straightforward, and is reprinted below in full.
New York State Bar Association
Committee on Professional Ethics
Opinion Number 782
December 8, 2004
DR 4-101(B) states that a lawyer shall not "knowingly" reveal a confidence or secret of a client. Does a lawyer who transmits documents that contain "metadata" reflecting client confidences or secrets violate DR 4-101(B)?
Word-processing software commonly used by lawyers, such as Microsoft Word and Corel WordPerfect, include features that permit recipients of documents transmitted by e-mail to view "metadata," which may be loosely defined as data hidden in documents that is generated during the course of creating and editing such documents. It may include fragments of data from files that were previously deleted, overwritten or worked on simultaneously. [FN1] Metadata may reveal the persons who worked on a document, the name of the organization in which it was created or worked on, information concerning prior versions of the document, recent revisions of the document, and comments inserted in the document in the drafting or editing process. The hidden text may reflect editorial commenst, strategy considerations, legal issues raised by the client or lawyer, legal advice provided by the lawyer, and other information.[FN2] Not all of this information is a confidence or secret, but it may, in many circumstances, reveal information that is either privileged or the disclosure of which would be detrimental or embarrassing to the client. See DR 4-101. For example, a lawyer may transmit a document by e-mail to someone other than the client without realizing that the recipient is able to view prior edits and comments to the document that would be protected as privileged attorney-client communications. Or, more dramatically, a prosecutor using a cooperation agreement signed by one confidential witness may use the agreement as a template in drafting the agreement for another confidential witness. The second document's metadata could contain the name of the original cooperating witness, and if e-mailed, could expose that witness to extreme risks.
The Lawyer's Code of Professional Responsibility (the "Code") prohibits lawyers from "knowingly" revealing a client confidence or secret, DR 4-101(B)(1), except when permitted under one of five exceptions enumerated in DR 4- 101(C). DR 4-101(D) states that a lawyer "shall exercise reasonable care to prevent his or her employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client." See also EC 4-5 ("Care should be exercised by a lawyer to prevent the disclosure of the confidences and secrets of one client to another"). Similarly, a lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances. See N.Y. State 709 (1998) ("an attorney must use reasonable care to protect confidences and secrets"); N.Y. City 94-11 (lawyer must take reasonable steps to secure client confidences or secrets).
When a lawyer sends a document by e-mail, as with any other type of communication, a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client's confidential information. What constitutes reasonable care will vary with the circumstances, including the subject matter of the document, whether the document was based on a "template" used in another matter for another client, whether there have been multiple drafts of the document with comments from multiple sources, whether the client has commented on the document, and the identity of the intended recipients of the document. Reasonable care may, in some circumstances, call for the lawyer to stay abreast of technological advances and the potential risks in transmission in order to make an appropriate decision with respect to the mode of transmission. See N.Y. State 709 (1998). [FN3]
also have an obligation not to exploit an inadvertent or unauthorized
transmission of client confidences or secrets. In N.Y. State 749, we concluded
that the use of computer technology to access client confidences and secrets
revealed in metadata constitutes "an impermissible intrusion on the
attorney-client relationship in violation of the Code." N.Y. State 749
(2003). See also N.Y. State 700 (1997)
(improper for a lawyer to exploit an unauthorized communication of confidential
information because doing so would constitute conduct "involving
dishonesty, fraud, deceit or misrepresentation" and "prejudicial to
the administration of justice" in violation of DR 1-102(A)(4) and DR
Lawyers have a duty under DR
4-101 to use reasonable care when transmitting documents by e-mail to prevent
the disclosure of metadata containing client confidences or secrets.
[FN1] David Hricik and Robert R. Jueneman, "The Transmission and Receipt of Invisible Confidential Information," 15 The Professional Lawyer No. 1, p. 18 (Spring 2004); Mark Ward, "The hidden dangers of documents," BBC News World Edition, August 18, 2003, at http://news.bbc.co.uk/2/hi /technology/3154479.stm; "Barry MacDonnell's Toolbox for WordPerfect for Windows - Macros/Tips, and Templates;" February 5, 2004, at http://home.earthlink.net/~wptoolbox?Tips/UndoRedo.html. [Note: I posted an earlier version of the Hricik & Jueneman article on LegalEthics.com.]
[FN2] "How To: Minimize Metadata in Microsoft Word 2002 Documents," at http:// support.microsoft.com/?kbid=237361; "How To: Minimize Metadata in Microsoft Word 2000 Documents," at http://support.microsoft.com/?kbid=237361. Most Word document files contain a revision log listing the last 10 edits of a document, and identifying the names of the people who worked on the document and the names of the files in which the data was saved. Richard M. Smith, "Microsoft Word bytes Tony Blair in the butt," June 30, 2003, at http:// www.computerbytesman.com/privacy/blair.htm (describing how the British government was embarrassed in February 2003 when 10 Downing Street published a dossier on Iraq's security and intelligence organizations and posted it as a Microsoft Word document on their Web site, which through its metadata revealed the identities of the four civil servants who worked on the document as well as various other documents that contained the same information). Similarly, WordPerfect documents may contain information text that had been cut, copied or deleted, as well as the drafter's username, the drafter's initials, the company or organization name, the name of the computer, embedded objects, comments, and other file properties and summary information. "Barry MacDonnell's Toolbox for WordPerfect for Windows - Macros, Tips, and Templates," February 5, 2004, at http://home.earthlink.net/~wptoolbox?Tips/UndoRedo.html.
[FN3] Some commentators have suggested that a lawyer has an affirmative duty to remove metadata whenever documents are exchanged with opposing counsel or disclosed to the public. See, e.g., David Hricik & Robert R. Jueneman, The Transmission and Receipt of Invisible Confidential Information, 15 The Professional Lawyer no. 1, p. 18 (Spring 2004) ("To comply with their duty of confidentiality, lawyers should take steps to remove metadata from documents exchanged with opposing counsel or disclosed to the public"). While exercising reasonable care under DR 4-101 may, in certain circumstances, require the lawyer to remove metadata (for example, where the lawyer knows that the metadata reflects client confidences and secrets, or that the document is being sent to an aggressive and technologically savvy adversary), in general the level of care required varies with the particular circumstances of the transmission.
Lawyers have a duty under DR 4-101 to use reasonable care when transmitting documents by e-mail to prevent the disclosure of metadata containing client confidences or secrets.
E-Ethics is a free e-mail based newsletter that is published every little once in a while, when the fancy strikes me, concerning ethical issues in the practice of law, ranging from conflicts of interest, to in-house counsel licensing requirements, to the ethics issues created by the use of high-technology. Links to numerous sites relating to those topics, as well as other discussions, can be found onHricik.com. Obviously, as is the case with any legal question, the matters discussed in E-Ethics are time-sensitive and subject to change. No one should rely on E-Ethics in place of actual legal advice addressed to a specific set of known facts.
To subscribe, please go towww.Hricik.com and follow the links or send an e-mail with "subscribe e-ethics" in the subject line. To unsubscribe, please send an e-mail to David@Hricik.com with "Unsubscribe E-Ethics" in the subject line or body of the e-mail.