The rules governing discovery of electronically stored information, though not fully developed, have matured enough to provide the basic “do’s and don’ts” for attorneys. Frequently, a party must produce electronic documents, such as Word documents, in their native format, rather than producing paper copies, in response to discovery requests; this obligation includes producing the document’s metadata, the data automatically embedded in an electronic file that contain information about the document, such as its origin and history of revisions. But what are a lawyer’s responsibilities concerning the transmission or receipt of metadata outside of the discovery context? A recent ethics opinion from the State Bar of Texas offers some guidance—and a stern warning: attorneys risk violating state rules of professional conduct if they mishandle metadata.
According to one source, the number of business e-mails sent and received worldwide each day is expected to exceed 120 billion this year. Attorneys have taken advantage of the speed, ease, and low cost of transmitting documents via e-mail; they share drafts of motions and pleadings with clients or co-counsel, for example, and exchange draft agreements with opposing counsel. When these documents are transmitted in their native format, they may include, unbeknownst to some senders or recipients, metadata containing confidential information.
The Professional Ethics Committee for the State Bar of Texas recently concluded that a lawyer must take “reasonable measures” to avoid transmitting metadata containing a client’s confidential information to persons to whom such confidential information shouldn’t be disclosed. See Professional Ethics Committee for the State Bar of Texas, Opinion No. 665, at 2 (Dec. 2016). This obligation, according to the committee, springs from two duties imposed under Texas rules of professional conduct: the duties of competence and confidentiality. Id.
These professional duties are not unique to Texas, so it is unsurprising that other states similarly require attorneys to handle metadata carefully. Lawyers in New York, for example, must exercise “reasonable care” to prevent the disclosure of metadata containing confidential information. See Committee on Professional Ethics, New York State Bar Association, Opinion No. 782 (Dec. 2004). Similar rules exist in Alabama, Arizona, Colorado, Florida, Maine, Maryland, Minnesota, Mississippi, New Hampshire, New Jersey, North Carolina, Oregon, Pennsylvania, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.
But not every state has formally addressed the issue, and those that have taken it up have adopted different rules regarding the obligations of an attorney who receives electronic documents containing metadata. In Arizona, for example, a lawyer who receives an electronic communication may not examine, or “mine,” the document for metadata. See State Bar of Arizona Ethics Committee, Opinion No. 07-03 (Nov. 2007). Further, an attorney who inadvertently discovers metadata that she knows, or reasonably should know, reveals confidential information must not review it and must notify the sender. Id. The state bars of Florida, New York, New Hampshire, North Carolina, West Virginia, and the District of Columbia have adopted a similar position.
By contrast, attorneys in Colorado, Maryland, New Jersey, Oregon, Vermont, Washington, and Wisconsin are generally permitted to review or mine metadata, though there are important qualifications in many of these states. In Washington, for example, an attorney may not use special software to examine metadata that is not readily accessible. See Washington State Bar Association, Advisory Opinion No. 2216 (2012). Other states, such as Minnesota and Pennsylvania, have adopted a case-by-case approach rather than a bright-line rule.
Given this patchwork of rules, what steps can be taken to avoid violating them? State bars have not precisely defined what constitutes “reasonable measures” for protecting against transmitting metadata containing confidential information. The “reasonableness” of the lawyer’s conduct depends upon the factual circumstances, including the information’s sensitivity and the intended recipient. Still, there are relatively straightforward precautions that can be taken that may go a long way in meeting this standard.
- Consult with an information technology expert to obtain software that removes the metadata. Of course, software is only effective if used correctly. Some programs may prompt the user to choose whether or not to “scrub” the metadata before transmitting the document. If the program’s default is not set to remove the data, blindly “clicking through” the program queries could result in the inadvertent transmission of metadata.
- Convert the electronic document to a read-only PDF, or print the document and scan it as a PDF, and transmit the PDF version. The PDF is itself an electronic document, so it may include metadata, though not necessarily the same data embedded in the original electronic document.
- Transmit the document the old fashion way: print the electronic document and send the paper copy by fax, mail, or courier.
The answer to avoiding ethical violations by the recipient of metadata is less straightforward given the different state rules. Recipients who take a better-safe-than-sorry approach by ignoring metadata in all instances might not be choosing the right course, as failing to thoroughly review documents obtained from opposing counsel could itself be a violation of an attorney’s duties of competence and diligence. See, e.g., Vermont Bar Association Professional Responsibility Section, Opinion No. 2009-1 (2009). Attorneys, therefore, must carefully review the rules in their own state. Failure to do so could have significant consequences.