More On

Expanded version: Metadata raises legal risks

Lawyers who receive inadvertently disclosed hidden data face ethical questions.

Read this article as it appeared in the print issue.

In 2000, global health care company Merck deleted information concerning the heart attack risk associated with the arthritis drug Vioxx from an article it was about to submit to a medical journal. The changes in the electronic document, hidden from view, were revealed five years later, after the journal’s editor learned during a deposition in a Vioxx product liability lawsuit that an earlier version of the article had more information on heart attack risk. The editor retrieved the original file, uncovered the deleted information, and made a public announcement of the discovery.

Such hidden information commonly found in e-documents is called metadata. Metadata has been defined as “data about data,” and may contain such information as the identity of the author, when the document was written and changed, as well as a short summary, according to Scott Smull, CEO of software vendor Workshare.

“In Microsoft Word, Excel and PowerPoint the ability to add comments and track changes can be very helpful to users collaborating on a document,” says Smull. “However, changes that are not accepted still remain with the document, even though they appear to be invisible. These changes can easily be displayed by turning on the ‘Show Markup’ view. This can result in embarrassing situations where external parties see information that was not intended for their eyes.”

The Vioxx story is one of several high-profile examples of companies facing legal and public relations setbacks from the release of metadata in recent years. But the ethical responsibility of lawyers who inadvertently release metadata or receive information intended to be confidential remains unsettled. Some state bar ethics committees have tackled the question and reached different conclusions, while other state bars haven’t addressed the issue at all.

Sender's responsibility

The dozen state bars that have issued ethics opinions have focused on three issues: the sender's responsibility when transmitting electronic data including metadata; the recipient's duty to notify the sender when metadata is inadvertently received; and the recipient's right to examine (or "mine") such files. These issues generally arise when data is transmitted in transactional matters. E-discovery is governed by its own metadata disclosure rules. Electronically stored information that is subject to a legal hold prior to or during litigation can’t be altered and any relevant nonprivileged metadata may be discoverable.

In all other legal contexts, the sender’s responsibility regarding metadata is generally considered the same as his duty to protect against inadvertent disclosure of confidential information in another form.

“In the historical context, the inadvertent disclosure of information [by attorneys] has been a problem that has existed for decades,” says Andrew Perlman, Suffolk University Law School professor and chief reporter for the American Bar Association's (ABA) Commission on Ethics 20/20. In general, state bar opinions addressing metadata conform to their state’s previous opinions concerning attorneys’ inadvertent disclosure of information by more traditional methods like postal mail and fax.

“In my personal opinion,” says Perlman, “that is the right way to think about it. Inadvertently disclosed metadata should be viewed in the same way as other inadvertently disclosed information.”

All jurisdictions that have published metadata ethics opinions agree that an attorney sending an electronic document has a duty to exercise reasonable care to avoid inadvertently or unintentionally disclosing confidential information. But what is “reasonable” depends on the circumstances.

Alice Mine, assistant executive director and ethics counsel of the North Carolina State Bar, refers to an ethics opinion issued by her state’s bar in January 2010. The opinion asserts that what is reasonable depends on such variables as the sensitivity of the confidential information, the potential adverse consequences from the inadvertent disclosure, any special instructions or expectations of a client, and the steps that the lawyer takes to prevent the disclosure of metadata. The State Bar of Arizona's Ethics Committee includes some of the same criteria, and adds that what is "reasonable" may also depend on "whether further disclosure is restricted by statute, protective order, or confidentiality agreement.”

Duty to notify

The lawyer receiving the metadata faces his own ethical questions.

A 2006 ABA ethics opinion “does not squarely address whether a lawyer has a duty to notify the sender of a document when the document was intentionally sent but happened to contain privileged metadata,” says Perlman. However, the ABA proposes to address that issue by amending Rule 4.4 of the ABA Model Rules of Professional Conduct, which says that a lawyer who receives a “document” that he knows or should know was inadvertently sent should notify the sender. The amendment would replace the word “document” with the more expansive “information or material” to include metadata.

The proposed amendment is currently open to the public and the Bar for comments, following which the resolution, in its original form or amended, will be presented for a vote by the ABA House of Delegates in August 2012, according to Perlman.

Most of the state bar opinions agree with the proposed ABA model rule on recipient responsibility, but a few differ. Maryland does not require the recipient to notify the sender, but states that "the receiving attorney can, and probably should, communicate with his or her client concerning the pros and cons of whether to notify the sending attorney." Alabama and Maine do not directly address this issue in their opinions.

Metadata Mining

State bar ethics opinions vary most widely on whether the recipient of inadvertently disclosed metadata has a right to examine or “mine” the information. The state bar associations of Colorado, Maryland and Pennsylvania agree with the position expressed in the 2006 ABA opinion, which concludes that the Model Rules of Professional Conduct permit a lawyer to review and use metadata contained in e-mail and other electronic documents.

Several state bar opinions, however, have reached the opposite conclusion, stating that lawyers should not be permitted to look at an opposing party’s metadata. The state bars of Alabama, Arizona, Florida, Maine, North Carolina and New York agree that a lawyer may not ethically search for confidential information inadvertently embedded within an electronic communication from another party. “To do so would undermine the protection afforded to confidential information … and would interfere with the client-lawyer relationship of another lawyer,” states the North Carolina opinion.

In contrast, Colorado, Washington D.C., and West Virginia permit metadata mining unless the recipient has actual knowledge that the metadata was inadvertently sent.

Both Minnesota and Pennsylvania avoid a bright-line rule on metadata mining and state that the determination is fact-specific.

Join the Conversation

Advertisement. Closing in 15 seconds.