March 7, 2013
It is likely that many legal professionals give little thought to the challenge that metadata present to information security and privacy. A number of bar organizations have, however, begun to examine this issue. To comply fully with their ethical responsibilities, legal professionals should begin to familiarize themselves with the issues associated with metadata management.
Metadata are data embedded in digital files, such as word processing documents, spreadsheets, etc. The embedded data are often generated automatically each time a file is created, reviewed or modified and they provide information regarding the data file with which they are associated. Metadata reveal information such as the name of the author and the date of file creation. Metadata can also provide a record of the changes made to a digital file.
Absent some form of special attention, electronic files shared with other parties often carry their metadata with them. The metadata are readily accessible to the recipients of the files. That sharing and accessibility can result in violations of confidentiality and can compromise legal strategies.
The American Bar Association has begun to analyze the challenges posed by metadata. In Formal Opinions 06-442 and 05-437, the ABA discusses some important metadata management issues for legal professionals. The ABA emphasizes three metadata management issues: 1.) To what extent do senders of metadata have a duty to manage access to the metadata? 2.) Can recipients of metadata use that data? 3.) Must recipients of metadata notify the sender when they receive such data?
The ABA currently takes the position that senders of metadata have no specific duty to manage that data, however, they must manage their use of metadata in ways which ensure that the metadata use is consistent with their other ethical obligations such as confidentiality.
The ABA also currently concludes that recipients of metadata may make use of that data. Those recipients must also notify the sender of their receipt of the metadata in those instances when the recipient should reasonably have known that the sending of the metadata was inadvertent.
Several state bar organizations have directly examined metadata management. A majority of those organizations takes the position that legal professionals have a duty to exercise reasonable care in their use of metadata. A majority also restricts use of metadata by its recipients and requires recipients to inform the sender of their receipt of the metadata, particularly when there is reason to believe that the metadata transmission was inadvertent.
Specific requirements for metadata management remain unclear. For example, it is uncertain what specific actions should be taken to meet reasonable care obligations imposed by some bar organizations for metadata use. Available technology, often referred to as data “scrubbers,” can remove some metadata. It is presently unclear the extent to which reasonable care requirements might require use of such technology by legal professionals.
There is also uncertainty as to the circumstances when metadata transmission should be deemed to be inadvertent. One can argue, for example, that when a sender is not even aware that metadata associated with the transmitted file exist, the transmission of that data was inadvertent. Such an interpretation could mean that metadata transmission is inadvertent in a substantial number of cases.
Metadata management obligations for legal professionals remain a highly dynamic topic. Members of the legal community should enhance their understanding of metadata and begin to review the ways in which they are using metadata in their daily activities.