Part I of this series explained the most common types of metadata and what they can tell you. This post describes how employers should handle metadata to protect from claims of misappropriating the trade secrets or proprietary information of another company.
Consider these three scenarios:
- A new employee brings a thumb drive from his former employer. Do you open it?
- You’re clearing up needed space on your server and you see files bearing the name of a competitor. Do you open them?
- You’ve just been sued by a competitor that claims you’ve misappropriated electronic files that it shared with you under a nondisclosure agreement when you and the competitor were working together on a project. Do you re-open those files?
The smart answers are: No, No and No.
But you say: “I need to know what’s in these files. Not to steal anything. But to be able to show what we did – or did not – receive.” It’s true – you do need to know. But if you open those files yourself, you risk tampering with their metadata.
These three scenarios scream: “Litigation ahead!”
Think of these electronic files as potential pieces of evidence. For starters, that means not opening the files, because doing so will alter their metadata. For example:
Operating systems and some software applications (like Microsoft Office applications) record a “Last Accessed” date when you open a file. For some file types, merely viewing, copying, moving or hovering over the file automatically updates the “Last Accessed field” and overwrites the earlier “Last Accessed” date. In a case I recently tried, the trial judge sanctioned the opposing law firm because, in part, the judge found that the law firm mismanaged its clients’ storage devices and compromised the integrity of important electronic information where the metadata showed “Last Accessed Dates” of some files after the law firm took possession. Even if the firm’s actions were innocent, it was irresponsible for the firm to do anything that altered this metadata. Altering that metadata overwrote earlier metadata, which may well have been evidence in the case.
If you open a file, merely clicking the space bar will count as editing the document, even if you don’t change one letter in that document. It seems crazy. But once you’ve hit the Space bar, you’ve created a new “Last Modified” date and possibly changed other metadata, such as “Last Author.” You’ll then have to prove that the remaining file is no different in substance from the pre-opened file.
Naturally, actually changing the contents of a file will change its metadata. If you add, remove or replace any content and save the new version of the file, you have changed the “Last Modified Date” of the file. Some applications, including the Microsoft Office applications, will then add your name to the “Author” or “Last Author” metadata field.
Hearing all of this, you say: “I won’t open the file. In fact, I’ll do better than not open it. I’ll delete it.” You may think you’re doing better, but in fact you may be doing worse. The operating system (Windows, mac OSX) will log when the file was deleted and by which user. What’s more, the deleted file isn’t necessarily gone. A forensic analysis not only may show that the file was deleted, but possibly can restore the file and its metadata. Deleting the file likely raises more questions than it answers.
If you shouldn’t open or delete the files, what can you do? Image the files. Doing so preserves them and their metadata as is. Recently, a client discovered files on its server bearing the name of a competitor. The files appeared to have been put there by a recently-hired employee who worked for that competitor. After imaging the server (thus preserving the metadata), the client eventually was able to disclose to the competitor what it had found and assure the competitor that the files had not been opened while in the client’s possession. That was the end of what might otherwise have led to litigation. Some organizations may have the in-house capability to image, but most will need a vendor that specializes in litigation technology.