Metadata is information (data) that describes your data. Metadata may include:
- Dates/Timestamps: file creation, last modified, last accessed.
- Original Author: perhaps many years, many firms ago.
- Location of a Photo: automatically captured by a phone GPS.
- History of email routing, including timestamps, IP addresses.
- Email From/To, Dates, Subject, and Attachments.
- Edit History: Track Changes, Comments.
Unfortunately, much of this metadata is “hidden” and easily overlooked.
AZ Ethics Opinion 07-03
From a preventative standpoint, opinion 07-03 advises lawyers must “take reasonable precautions to prevent the information (metadata) from coming into the hands of unintended recipients.” The opinion provides data scrubbing procedures and recommends metadata management software as well as informed client consent in forgoing the use of this software.
ABA 477R & Technology Evolution
In May, the ABA, in Formal Opinion 477R (Securing Communication of Protected Client Information) underscored the importance of keeping up with technology. Some questions you might consider when reviewing your policies, procedures and training schedule:
- Have changes in areas of law, clients, staff, or other factors been contemplated? Litigation practices are generally at highest risk of inadvertent metadata disclosure.
- Do your policies and procedures adequately address risks associated with Microsoft Office track changes and comments? Other metadata risks?
- Have the risks of the use of bcc (blind carbon copy) in sending emails been addressed?
- Do you have metadata management software in place?
- Is it actively running and working? (test it)
- Is it effective, efficient?
- Have you evaluated newer approaches and technologies to better manage the risk?
Bare Minimum Recommendation
Microsoft Office has a metadata warning system which can alert you before you save, print and in certain instances email a document that it contains metadata. It is not enabled by default, but it is recommended that all law firms consider enabling this feature throughout the firm.
There are more comprehensive approaches, but this basic warning feature is built-in to all Microsoft Office versions since Office 2003 and it can help reduce risk and protect sensitive metadata. It is a simple and free starting point. However, due to technology advances, approaches that are more comprehensive are now far simpler and more affordable than ever.
Older metadata management software generally installs onto PCs and integrates with Microsoft Office, via Outlook “addins” in particular. Significant challenges exist with this approach. First, Outlook add-ins are one of the primary causes of Outlook crashes.
While the crashes themselves are a problem, the more crucial challenge is what happens in the aftermath of an Outlook crash. After an Outlook crash, Outlook will offer you the option to start up in safe mode. Outlook does this because it wants to ensure you have a good, stable experience and disabling the add-in that was involved in the Outlook crash can help accomplish this result. However, if you are counting on that add-in to prevent inadvertent metadata disclosure, safe mode will disable the very software that you need. If you need that add-in, then safe mode really means “safer for Outlook, but riskier for the firm.”
Modern approaches no longer require Outlook add-ins and avoid these challenges altogether. For example, you may have your email system automatically review and scrub all metadata on all outgoing email. You might configure groups – such as an “opposing counsel” group. For any email sent to opposing counsel, you might not only have attachments stripped of all metadata, but actually converted into PDF. You may have another group, “co-counsel,” where emails are unaltered. You might have a default group where you remove metadata by default, but do not convert to PDF. You might allow the ability to override default behaviors by a special keyword in the email subject or other means. These are sample workflow ideas. Many workflow options are available in modern approaches to fit your firm’s risk profile and business objectives.
Once again, a regular review schedule for risk management and technology management is the key. Metadata management is just one of many risk items that might be included in your risk management and technology review and planning meetings. Dave Kinsey