When did you last consciously think about what you might be revealing in your metadata?
If the answer isn’t “the last time I shared a file,” you might be running a considerable risk with your clients’ information, your employees’ personal data, or even your ethical compliance.
What Is Metadata?
Metadata is, essentially, data about data. It includes those file descriptors that are automatically generated and invisibly attached to every generated document and computer file. Those descriptors may include information about a document’s author or editors, a file’s creation date and editing time, or even, for some documents, specific changes and edits or margin comments embedded within the document.
Metadata is, frankly, usually not all that interesting. But when it’s good, it can be really good. For example, margin comments can unintentionally reveal your or your clients’ thoughts about specific contract clauses. Such comments can disclose intended or desired settlement outcomes. If you’re not carefully monitoring everything you type, edits could reveal your internal thoughts about a case or an involved individual, with horrifying and embarrassing results.
If that doesn’t terrify you, it should. Just ask Merck.
Why Should You Care About Metadata?
A decade ago, Merck had to pay out a total of $4.85 billion to settle claims related to its painkiller medication Vioxx, in part because metadata revealed that Merck had edited out known negative results from its studies. Without that disclosure, the settlement could have been considerably less.
And these days, it’s not just sensitive or confidential details about a case that could be leaked by careless metadata sharing. Now that the EU’s General Data Protection Regulation is in force, companies must exercise particular caution to avoid disclosing the personal data of EU residents. If one of your employees is protected by the GDPR and your metadata reveals her full name and IP address as the creator of a file, that’s potentially a disclosure of private personal data.
But wait, there’s more! You’re also putting yourself at risk of an ethical violation if you’re not consciously attending to your metadata. The ethical opinions governing how lawyers deal with metadata vary from state to state. It’s generally considered an ethical violation to share potentially confidential metadata, but in many states, it’s also a violation to go looking for it in your opponent’s disclosures. Some states, like Arizona, create a double-bind: it’s an ethical violation to mine metadata from an opponent’s files, but if a lawyer happens to find sensitive metadata that the opponent didn’t mean to share, the finder is obligated to let the opponent’s counsel know about the leaked information.
What Should You Do About Metadata?
At a minimum, lawyers—and other professionals—should be mindful that metadata exists; remember that it may contain sensitive, confidential, or embarrassing information; and have a formal process for removing it.
That means that you must do more than just use a metadata scrubber. Your metadata-removal process should be so thoroughly integrated into your workflow that it’s a non-negotiable, unforgettable part of producing any document or file. Similarly, if you use Microsoft Word’s “track changes” feature, you must ensure that you have a bulletproof process for reviewing changes and exiting the track changes view before sending any Word files.
Mind your metadata—because there are some headlines that no one wants to make.