Metadata: Data About Data

A version of this article was published in The Maryland Bar Journal May/June 2010 issue.

Lurking in every computer file, in every document and in every spreadsheet is hidden information you don’t want your adversary to see.  Embedded in the digital version of a draft agreement are hidden secrets about an adversary’s negotiating position that you would love to see.  Contained in electronic documents you just transmitted is information protected by attorney-client privilege that nobody should see.  This potentially damaging information which initially remains invisible, but can wreak havoc when revealed, is known as “metadata.”  Lawyers should understand the potency of metadata, when they are and are not allowed to view it, when it is discoverable and when they should retain or can destroy it.

Metadata is literally “data about data.”  It is the information which a computer generates to identify relevant facts about a saved file.  In digital photographs, metadata includes the shutter speed, aperture and day the photograph was taken.  In documents, spreadsheets and email messages, metadata can include the date the document was created, the date it was revised, people who revised the document and the duration of time the person spent with the file open.  The importance of even the date a document was created was played out in an October 2009 case in which the Arizona Supreme Court found that metadata is subject to disclosure under public records laws if a public entity maintains a public record in an electronic format.  Lake v. City of Phoenix, 222 Ariz. 547, 218 P.3d 1004 (2009).  The issue related to whether a report by a police officer’s superiors was backdated, and the metadata showed the original date the document was created.  The court determined that metadata was no different from the document itself, and thus must be made available to the public.

Beyond being merely data about a file, metadata can also be hidden digitized substance.  In a document, metadata can include language from prior drafts that the attorney thought was deleted, and could be confidential internal comments an attorney believed were inaccessible to an adversary.  Sometimes, even past versions of documents can be invisibly stored intact when a new document is “saved as,” such as when creating a working document from a prior form.  Thus, metadata might reveal information from other clients, not merely the client involved in the transaction necessitating the current document.  One of the more prevalent -- but certainly not the only -- form of metadata is what you seen when you use the Microsoft Word “Track Changes” feature, which redlines a document as it is being revised.  In Track Changes, you can view your modified version with all changes in different colors, but you also might inadvertently be viewing the document (which you might have received from a client) in its final form which does not reveal that Track Changes is activated.  If you then forward the document to opposing counsel, you raise a number of concerns, as opposing counsel could choose to view the marked version of the document and see your client’s changes.

There are a number of ways to reduce the risk of transmitting this digital menace which alleviates much of the problem.  Avoiding Track Changes is one option; you can purchase an independent “redlining” software package.  Scanning a document to a .pdf file or saving the document as a rich text file (rtf) scrubs away much metadata, but does retain information such as a creation date.  Microsoft provides a downloadable “scrubbing” utility on its website for those who use Track Changes.  The Word program even provides certain safeguards, such as deleting personal information or notifying you if your current document is running Track Changes (go to “Tools” – “Options” – “Security” and click the appropriate box).  You may also want to check what information you have listed under the File-Properties-Summary listing in your documents.  In Excel, you may want to learn how to get to the “unhide” submenu and delete those rows or columns you do not intend the other side to see.  You can also use “scrubbing” software for all outgoing documents and files.  Many “scrubbing” software packages exist in the marketplace, and are very effective.

But even with these variety of safeguards, attorneys may still transmit documents containing metadata, and the sending of files containing compromising metadata ignites ethical, tactical and legal concerns for both the dispatching attorney and the receiving attorney.  The three most pressing ethical issues facing a practitioner about metadata revolve around whether a recipient is entitled to search for (or “mine”) metadata, whether the recipient, upon finding metadata, should notify the sender that the document contains possibly compromising information and the scope of the sender’s duty when transmitting a document containing metadata.

Maryland is one of a dozen (as of this writing) states with an Ethics Opinion focused on this issue, although the Maryland view is in the minority.  The American Bar Association also issued an opinion, which, in different parts, agrees and disagrees with the Maryland view.

Among all other states, Maryland is perhaps the most lenient in allowing a recipient to “mine” a document for metadata.  Because of this leniency, Maryland attorneys should be more diligent in protecting against the unintended disclosure of metadata.  The Maryland State Bar Association Committee on Ethics, Ethics Docket #2007-09, found that “Subject to any legal standards or requirements (case law, statutes, rules of procedure, administrative rules, etc.), this Committee believes that there is no ethical violation if the recipient attorney (or those working under the attorney’s direction) reviews or makes use of the metadata without first ascertaining whether the sender intended to include such metadata.”  But unrestricted mining for metadata may exist only in Maryland state cases, because the 2006 changes to Section 26(b)(5) of the Federal Rules of Civil Procedure provides that a party who realizes it has produced information in discovery that is subject to a claim of privilege or protection can notify the receiving party, and the recipient “must promptly return, sequester or destroy” the information … until the claim is resolved.”  Thus, if one party realizes its mistake, the receiving party cannot mine the data.  The Federal Rules seem to be the “legal standard or requirements” that the Committee on Ethics was contemplating.  A Maryland attorney can go hunting for electronic evidence in documents and emails he receives from an adversary, but if the attorney is in Federal Court, he may be compelled to stop looking.

Maryland’s view is contrary to those of most other states’ ethics committees that have issued an opinion.  For example, the New York Bar Association Committee on Professional Ethics held that “In light of the strong public policy in favor of preserving confidentiality as the foundation of the lawyer-client relationship, use of technology to surreptitiously obtain information that may be protected by the attorney-client privilege, the work product doctrine that may otherwise constitute a ‘secret’ of another lawyer’s client would violate the letter and spirit of these Disciplinary Rules.” (Opinion 749).  The District of Columbia Bar Legal Ethics Committee’s opinion (Opinion 341) is closer to New York in finding that an attorney cannot mine for metadata if the attorney had actual knowledge that the metadata was sent inadvertently.  This DC Opinion specifically about metadata uses as its basis other DC opinions relating to inadvertent disclosure in discovery.

Because many surrounding states find it contrary to that state’s ethics for an attorney to mine for metadata, a Maryland attorney should proceed cautiously.  An attorney must abide by the ethical requirements of all states in which she is a member of the bar, including those to which she is admitted pro hac vice for a particular piece of litigation.  Even when an attorney is merely negotiating an agreement, and there is thus no litigation and no court as the fulcrum of a dispute, she should be wary of acting contrary to the ethical requirements of the state in which her adversary resides, especially if the document being negotiated recites that venue is in the other state.

The ABA Standing Committee on Ethics and Professional Responsibility, in Formal Opinion 06-422, found, like Maryland, that an attorney does not have an ethical obligation to refrain from mining for metadata in documents the attorney receives.  The basis of the ABA’s Opinion was that Rule 4.4(b) of the Model Rules for Professional Conduct, as adopted by the ABA -- being a requirement to notify the sender of an inadvertent transmittal of privileged materials contained in a disclosure -- is the sole requirement dealing with inadvertently sent information.  Since the ABA Model Rules are the basis of  the rules most states adopt, this interpretation is likely applicable in most states.

Maryland’s Rules of Professional Conduct have not been amended to include Model Rule 4.4(b), making Maryland the only state with an opinion in place not requiring an attorney to notify his adversary that the attorney has found metadata in a document.  The Maryland Ethics Opinion notes that in Maryland the receiving lawyer “can, and probably should” consult with his client about the pros and cons of informing the sending attorney about the inadvertent transmission, or the attorney should take other steps it believes appropriate.  Here again, the Federal Rules of Civil Procedure relating to electronic discovery, may provide impetus for the attorney to disclose that he has received the metadata, as the rules encourage the parties to meet and reach agreements regarding disclosing electronically stored information and assertions of privilege or protection.

A recipient of inadvertently disclosed metadata would face no conundrum if only the disclosing attorney had been more careful to avoid the disclosure.  But when an attorney does send documents containing relevant metadata, her concerns then relate to waiver of the attorney-client privilege and improper disclosure of confidential material.  The attorney-client relationship protects information between a lawyer and her client, but duties under Rules of Professional Conduct require an attorney not to disclose confidential information, which is a much broader range of information.

The privilege issue rests on whether the attorney was reasonably safeguarding information her client provided to her.  An attorney who takes reasonable measures to protect metadata likely will not waive the attorney-client privilege, while an attorney discovered to be ignorant of metadata, or unconcerned or careless, might harm her client’s case by waiving the attorney-client privilege.  Standards for reasonableness in an attorney-client privilege case seem equally applicable when the disclosed information is printed on paper as when the disclosed information is metadata.  The only difference should be what precautions an attorney must take to prevent inadvertent disclosure in the digital age.  With the prevalence of “scrubbing” software, it seems reasonable for attorneys to run any transmitted documents through that software, although, with any legal decision, the facts and circumstances of the case will be determinative.

In opining about a sender’s duty not to send metadata which the sending attorney believes to be confidential information, Maryland is in line with other states’ Ethics Committees that have considered the issue.  Maryland and other states believe that an attorney acts ethically if she takes reasonable measures to avoid the disclosure of confidential or work product materials embedded in the electronic discovery.  The Maryland Ethics Committee acknowledged that its opinion was “set in the context of litigation” but also acknowledged that due to the burgeoning area of electronic discovery and technology, the “scope” of the opinion could expand more broadly.  Considering both the attorney-client privilege and the confidentiality of the information, it seems reasonable -- and an act of self-preservation -- for a disclosing attorney to consider scrubbing any documents it sends out.

Scrubbing metadata, however, is not always the prudent course of action.  The more metadata becomes a crucial portion of a document and recognized as containing facts pertinent to a case, the more likely it is that removing metadata would constitute destroying evidence.  While it is beyond the scope of this article to delve into nuances of e-discovery, a lawyer should, whenever involved in litigation, counsel her client against destroying anything that might be evidence.  Additionally, electronic discovery rules, most notably FRCP 34, contemplate the parties agreeing to the format of document production.  If metadata is removed from a document, the party may be foreclosing itself from presenting information in the way the parties previously agreed.

As important as metadata seems, courts have not all believed that it is discoverable.  For example, Nova Measuring Instruments Ltd. v. Nanometrics, Inc., 417 F. Supp. 2d 1121 (N.D. Cal. 2006) found that metadata was important, and the documents should be produced with the metadata in tact, although in Kentucky Speedway, LLC v. NASCAR, Inc., No. 05-138-WOB, 2006 WL 5097354 (E.D. Ky. Dec. 18, 2006) the court found that a plaintiff must show a particularized need for metadata, because in most cases “metadata does not provide relevant information.”  Even more extreme, Michigan First Credit Union v. Cumis Ins. Society, Inc., No. 05-74423, 2007 WL 4098213 (E.D. Mich. Nov. 16, 2007) found a “relative lack of worth of metadata and the lack of any showing by plaintiff [it would be likely to lead to the discovery of relevant evidence] and production of the metadata would be overly burdensome with no corresponding evidentiary value.”

In the debate over admissibility of electronically stored information -- which includes metadata -- Maryland has become a leader, thanks to United States Chief Magistrate Judge Paul W. Grimm’s thorough opinion in Lorraine v. Markel American Insurance Company, 241 F.R.D. 434 (D. Md. 2007).  In Lorraine, Judge Grimm walked through a five step analysis to determine whether electronically stored information (ESI), and thus metadata, is admissible.  Weaving through the Federal Rules of Civil Procedure, Judge Grimm set out five steps, which have since been followed in other jurisdictions, for determining admissibility:  (1) is the ESI relevant; (2) if it is relevant, is it authentic; (3) if offered for its substantive truth, is it hearsay, and if so, is it covered by an applicable exception; (4) is the ESI original or a duplicate under the Original Writing Rule, or is there secondary evidence to prove its content; and (5) is its probative value substantially outweighed by the danger of unfair prejudice or another factor identified by Rule 403.

As with all areas of law relating to computers and technology, innovation is sometimes outpacing the ability to fit the innovation into existing legal frameworks.  Metadata is another example of the rapid pace of the Information Age.  The need to act ethically and zealously for clients is why all attorneys needed to continue monitoring and collecting information about metadata, or, data about data about data.