Opinion #196: Transmission, retrieval and use of metadata embedded in documents

Issued by the Professional Ethics Commission

Date Issued: October 21, 2008

Question

Bar Counsel has asked for the Commission’s opinion concerning the application of the Bar Rules to the ethical duties of lawyers involving the transmission, retrieval and use of metadata embedded in documents which may reveal client confidences or other legally privileged information (“confidential information”). The issue gives rise to two questions: first, whether it is ethical for an attorney receiving electronic documents (the “receiving attorney”) to make efforts to uncover embedded metadata that contains confidential information not intended to be communicated by the attorney transmitting the document (the “sending attorney”); and second, whether the sending attorney has an ethical duty to take reasonable measures to remove metadata containing confidential information before document transmission. Applying the principles of Bar Rules 3.2(f)(3) and (4),[1] 3.6(h)(1) and (2),[2] and 3.6(a),[3] the Law Court’s reasoning in Corey v. Norman, Hanson & DeTroy,[4] this Commission’s Opinions 172 (2000), 194 (2007) and 195 (2008), as well as opinions from other states following the lead of New York, we draw the following conclusions:

  1. Without authorization from a court,[5] it is ethically impermissible for an attorney to seek to uncover metadata, embedded in an electronic document received from counsel for another party, in an effort to detect confidential information that should be reasonably known not to have been intentionally communicated.

  2. A sending attorney has an ethical duty to use reasonable care when transmitting an electronic document to prevent the disclosure of metadata containing confidential information.

Discussion

Lawyers today routinely make use of electronic document transmission, including in communications to opposing counsel. Such documents often contain metadata, which is peripheral information electronically embedded within the document but often not seen by and sometimes not even known to those who produce or read it.6 Much metadata is mundane and legally inconsequential, lodged within the document by the software and identifying the date and time that the document was produced and the version of the software utilized. Some of this data may be accessed with as little effort as resting the cursor upon, or right clicking, the document icon. However, purposeful efforts to ‘mine’ metadata in a document may allow a receiving attorney to glean information that was clearly never intended to be communicated by the sending attorney. The revelation of such metadata could result in the disclosure of client confidences, litigation and negotiation strategy, legal theories, attorney work product and other legally privileged and confidential information. Due to the rapid advance and general opaqueness of some computer technology, it may not be reasonably possible for an attorney to know all the types of metadata that might be embedded in a document or the extent to which such data may be subject to being probed by someone using extraordinary but technologically available methods.

A number of other jurisdictions have considered these questions. While there are inconsistent approaches taken regarding the ethical duties of receiving attorneys in probing documents for metadata containing confidential information, there is greater harmony among the jurisdictions with respect to the duties of sending attorneys to take reasonable measures to minimize the prospect that such data will be inadvertently transmitted. In this Opinion, the Commission adopts a balanced view, articulating reasonable ethical duties on both the receiving and sending attorneys.

Duties of Receiving Attorneys in Probing Documents for Metadata Containing Confidential Information

In the first major bar ethics opinion on the subject, relying principally upon a lawyer’s ethical duty to refrain from dishonest, fraudulent, or deceitful conduct, New York determined that “Lawyers may not ethically use available technology to surreptitiously examine and trace email and other electronic documents.” NY Bar Ethics Op. 749 (2001). Citing a 1992 ABA opinion, New York concluded that “the strong policy in favor of confidentiality outweighs what might be seen as the competing principles of zealous representation….” “No such balance need be struck here because it is a deliberate act by the receiving lawyer, not carelessness on the part of the sending lawyer, that would lead to the disclosure of client confidences and secrets.”

Three years later, in an opinion discussed below focused on the duties of sending attorneys, New York renewed its ethical admonition to receiving attorneys: “Lawyer-recipients also have an obligation not to exploit an inadvertent or unauthorized transmission of client confidences or secrets.” NY Bar Ethics Op. 782 (2004).

Generally following New York’s lead, Florida concluded that “A lawyer receiving an electronic document should not try to obtain information from metadata that the lawyer knows or should know is not intended for the receiving lawyer. A lawyer who inadvertently receives information via metadata in an electronic document should notify the sender of the information’s receipt.”“It is the recipient lawyer’s concomitant obligation, upon receiving an electronic communication or document from another lawyer, not to try to obtain from metadata information relating to the representation of the sender’s client that the recipient knows or should know is not intended for the recipient.”FL Bar Ethics Op. 06-02 (2006).

Emphasizing “the strong public policy in favor of preserving confidentiality as the foundation of the lawyer-client relationship,” Alabama followed the New York analysis in finding that “the receiving lawyer also has an ethical obligation to refrain from mining an electronic document.” “The disclosure of metadata contained in an electronic submission to an opposing party could lead to the disclosure of client confidences and secrets, litigation strategy, editorial comments, legal issues raised by the client, and other confidential information.” AL Bar Ethics Op. 2007-02 (2007).

In contrast to the New York rule, some jurisdictions have adopted a view that more or less liberates receiving attorneys from ethical considerations in probing metadata in electronic documents, thereby placing upon the sending attorney the entire burden of cleansing the document of any possible, embedded client confidences or other privileged information. This view is based upon the fact that no bar rule specifically addresses the issue, together with the difficulty in prescribing permissible conduct in the context of rapidly changing technology.

Thus, recognizing that “metadata is ubiquitous in electronic documents” and that its model rules “do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents,” the ABA opinion placed the sole ethical obligation on the sending attorney: “A lawyer who is concerned about the possibility of sending, producing, or providing to opposing counsel a document that contains or might contain metadata, or who wishes to take some action to reduce or remove the potentially harmful consequences of its dissemination, may be able to limit the likelihood of its transmission by ‘scrubbing’ metadata from documents or by sending a different version of the document without the embedded information.” ABA Ethics Op. 06-442 (2006).

Following the ABA view, Maryland concluded that “there is no ethical violation if the recipient attorney… reviews or makes use of metadata without first ascertaining whether the sender intended to [send it].” MD Bar Ethics Op. 2007-09 (2007). Likewise, Colorado rejected New York’s and adopted a variation of the ABA’s view, emphasizing the responsibilities of the sending lawyer “to guard against the disclosure of metadata containing Confidential Information” and “to ensure that he or she is reasonably informed about the types of metadata that may be included in an electronic document or file and steps that can be taken to remove metadata if necessary.” [7] Generally absolving the receiving attorney of ethical responsibilities in probing metadata embedded in the document (“[T]here is nothing inherently deceitful or surreptitious about searching for metadata”), Colorado reasoned that the lawyer “who receives electronic documents or files generally may search for and review metadata.” However, Colorado went on to create a complex and perhaps impractical set of requirements for the parties to such communications: “If a Receiving Lawyer knows or reasonably should know that the metadata contain … Confidential Information, the Receiving Lawyer should assume that the Confidential Information was transmitted inadvertently unless the Receiving Lawyer knows that confidentiality has been waived. The Receiving Lawyer must promptly notify the Sending Lawyer,” in which case “the lawyers may, as a matter of professionalism, discuss whether a waiver of privilege or confidentiality has occurred.” If, however, before examining the metadata, “the Receiving Lawyer receives notice from the sender that Confidential Information was inadvertently included, the Receiving Lawyer must not examine the metadata and must abide by the sender’s instructions regarding the disposition of the metadata.” CO Bar Ethics Op. 119 (2008).

Two other jurisdictions have adopted variations on the New York and ABA views. Acknowledging that there is no specific rule determining the ethical obligations of attorneys in this particular context, Pennsylvania arrived at what seems a default. “[E]ach attorney must… ‘resolve [the issue] through the exercise of sensitive and moral judgment guided by the basic principles of the Rules’ and determine for himself or herself whether to utilize the metadata contained in documents and other electronic files based upon the lawyer’s judgment and the particular factual situation.” “The utilization of metadata by attorneys receiving electronic documents from an adverse party is an emerging problem. Although a transmitting attorney has tools at his or her disposal that can minimize the amount of metadata contained in a document he or she is transmitting, those tools still may not remove all metadata.” PA Bar Ethics Op. 2007-500 (2007).The District of Columbia has articulated yet another approach: “A receiving lawyer is prohibited from reviewing metadata sent by an adversary only where he has actual knowledge that the metadata was inadvertently sent.” (emphasis added). “[W]e believe that mere uncertainty by the receiving lawyer as to the inadvertence of the sender does not trigger an ethical obligation by the receiving lawyer to refrain from reviewing the metadata…. Where there is such actual prior knowledge…, the receiving lawyer’s ethical duty of honesty requires that he refrain from reviewing the metadata until he has consulted with the sending lawyer to determine whether the metadata includes privileged or confidential information.” DC Bar Ethics Op. 341 (2007).

Having considered all of the approaches extant, this Commission believes that the better view is that generally expressed by New York and the jurisdictions that have followed it. While the Commission recognizes, as is the case in those jurisdictions, that no Bar Rule specifically addresses this particular situation, and the Commission is appropriately cautious in its specific application of the general proscription in Bar Rule 3.2(f)(3) and (4) on attorneys engaging in conduct involving dishonesty or prejudicial to the administration of justice, an attorney who purposefully seeks to unearth confidential information embedded in metadata attached to a document provided by counsel for another party, when the attorney knows or should know that the information involved was not intended to be disclosed, has acted outside of these broad ethical requirements. While the Commission has considered the contrary view held by the ABA and the states that have followed it, the Commission believes that Bar Rule 3.2(f)(3) and (4) would have little (and we believe quite inadequate) meaning if it were not applied in this situation. Not only is the attorney’s conduct dishonest in purposefully seeking by this method to uncover confidential information of another party, that conduct strikes at the foundational principles that protect attorney-client confidences, and in doing so it clearly prejudices the administration of justice.

The Law Court’s decision in Corey, while not directly addressing the Bar Rules, and the Commission’s adoption of Corey in Opinion 172 (reversing Opinion 146), offer additional support for this conclusion. There, the issue was whether an attorney might retain and make use of confidential information that had been inadvertently disclosed to him by opposing counsel, the Law Court determining that he could not, based upon the shared responsibility to protect the attorney-client privilege. [8] In Opinion 172, this Commission determined that it would be a violation of the Bar Rules, in direct contravention of the holding in Corey and therefore prejudicial to the administration of justice, for an attorney to retain and make use of such information. If anything, the issue before us now is more straightforward. Unlike in Corey, here the receiving attorney is making purposeful efforts to probe for information he or she knows or should know to be confidential and not to have been knowingly communicated by opposing counsel. That such conduct is dishonest and designed to prejudice the administration of justice seems beyond dispute.

In sum, following the general analysis of New York and the other states that have adopted its view, and based upon Bar Rule 3.2(f)(3) and (4) and Corey, we find that an attorney may not ethically take steps to uncover metadata, embedded in an electronic document sent by counsel for another party, in an effort to detect information that is legally confidential and is or should be reasonably known not to have been intentionally communicated.[9]

Ethical Duties of Sending Attorneys in Taking Measures to Avoid Transmission of Metadata Containing Confidential Information

While the jurisdictions opining to date have arrived at inconsistent views in dealing with the ethical duties of document-receiving attorneys, there has been relative unanimity in dealing with those of sending attorneys. Therefore, we have no difficulty in following the consensus approach on the subject.

New York determined that sending attorneys have a duty to take reasonable measures to guard against improper disclosure of confidential information contained in metadata in documents transmitted to other parties. This conclusion was based on the rule “that a lawyer shall not ‘knowingly’ reveal a confidence or secret of a client.” “When a lawyer sends a document by email, as with any other type of communication, a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.” NY Bar Ethics Op. 782 (2004).

Following New York’s lead, Florida concluded that “A lawyer who is sending an electronic document should take care to ensure the confidentiality of all information contained in the document, including metadata.” “It is the sending lawyer’s obligation to take reasonable steps to safeguard the confidentiality of all communications sent by electronic means… and to protect from other lawyers and third parties all confidential information, including information contained in metadata.” “The foregoing obligations may necessitate a lawyer’s continuing training and education in the use of technology in transmitting and receiving electronic documents in order to protect client information.” FL Bar Ethics Op. 06-02 (2006).

Alabama, Maryland, Colorado and Pennsylvania have all followed suit. AL Bar Ethics Op. 2007-02 (2007); MD Bar Ethics Op. 2007-09 (2007); CO Bar Ethics Op. 119 (2008); PA Bar Ethics Op. 2007-500 (2007). However, those jurisdictions following the ABA analysis (described above), in finding few or no ethical duties of the receiving attorney to refrain from probing document metadata, have placed a correspondingly heavier burden on the sending attorney to take measures to avoid the transmission of metadata containing confidential information. “The ultimate responsibility for control of metadata rests with the Sending Lawyer,” who “may not limit the duty to exercise reasonable care in preventing the transmission of metadata that contain Confidential Information by remaining ignorant of technology relating to metadata or failing to obtain competent computer support.” CO Bar Ethics Op. 119 (2008). Going further, the Colorado opinion suggests that attorneys should access resources exceeding those normally expected of lawyers by retaining computer experts who understand the reach of metadata and methods to avoid transmission of confidential information embedded therein.

While we stop short of embracing the full force of Colorado’s advice, we agree with the other jurisdictions that attorneys are ethically required to take reasonable measures to avoid the communication of confidential information, regardless of the mode of transmission. This duty logically extends to metadata that the attorney should reasonably know may lie within an electronic document. If an attorney is in doubt, many documents can be readily converted to generic files (such as PDF) which retain little of the metadata contained in word processing documents, and of course resort can be made to paper copies where issues of metadata confidentiality are significant. Although we do not believe that an attorney’s ethical duties dictate, in routine work, the retention of a computer expert for these purposes, we also do not believe it reasonable for an attorney today to be ignorant of the standard features and capabilities of word processing and other software used by that attorney, including their reasonably known capacity for transmitting certain types of data that may be confidential.

This Opinion is consistent with others the Commission has recently issued dealing with confidentiality of information in the computer era. In Opinion 195 (2008), the Commission concluded that, as a general matter and subject to appropriate safeguards, an attorney may utilize unencrypted e-mail without violating the attorney's ethical obligation to maintain client confidentiality. The issue invoked the prohibition on knowing disclosure of confidential client information under Bar Rule 3.6(h)(1) as well as the general standard requiring lawyers to "employ reasonable care and skill and apply the lawyer's best judgment in the performance of professional services” under Bar Rule 3.6(a). While we found that it is reasonable for attorneys transacting routine business through unencrypted email, some circumstances might require a more secure method of communication.

Likewise, in Opinion 194 (2007), the Commission concluded that, with appropriate safeguards, an attorney may utilize transcription and computer server backup services remote from both the lawyer's physical office and the lawyer's direct control or supervision, without violating the attorney's ethical obligation to maintain client confidentiality. The Opinion cautioned, however, that the lawyer utilizing such services has a duty to take practical measures to assure that the services are reasonably secure and appropriate for the intended purpose. [10] As here, the issue is not amenable to an unqualified answer but requires the application of a standard of reasonableness, weighing all the factors of which the lawyer should be aware.[11]

On the issue before us, we conclude that, in applying Bar Rules 3.6(h)(1) and (2) in combination with 3.6(a), the sending attorney has an ethical duty to use reasonable care when transmitting an electronic document to prevent the disclosure of metadata containing confidential information. Undertaking this duty requires the attorney to reasonably apply a basic understanding of the existence of metadata embedded in electronic documents, the features of the software used by the attorney to generate the document and practical measures that may be taken to purge documents of sensitive metadata where appropriate to prevent the disclosure of confidential information.

Footnotes

[1] Rule 3.2(f) sets forth an attorney’s ethical obligations in broad terms: “A lawyer shall not:… (3) engage in conduct involving dishonesty, fraud, deceit, or misrepresentation; (4) engage in conduct that is prejudicial to the administration of justice.”

[2] Rule 3.6(h)(1) sets forth an attorney’s ethical obligations to maintain client confidentiality:

Except as permitted by these rules, or when authorized in order to carry out the representation, or as required by law or by order of the court, a lawyer shall not, without informed consent, knowingly, disclose or use information (except information generally known) that:

i. Is protected by the attorney-client privilege in any jurisdiction relevant to the representation;
ii. Is information gained in the course of representation of a client or former client for which that client or former client has requested confidential treatment;
iii. Is information gained in the course of representation of the client or former client and the disclosure of which would be detrimental to a material interest of the client or former client; or
iv. Is information received from a prospective client, the disclosure of which would be detrimental to a material interest of that prospective client, when the information is provided under circumstances in which the prospective client has a reasonable expectation that the information will not be disclosed.

Rule 3.6(h)(2) addresses an attorney’s ethical obligation to ensure that others working on the attorney’s behalf in the course of representation who are privy to confidential client information likewise maintain the client's confidences: "A lawyer shall exercise reasonable care to prevent lawyers and non-lawyers employed or retained by or associated with the lawyer from improperly disclosing or using information protected by paragraph (1) of this subdivision."

[3] Rule 3.6(a) sets forth a general standard requiring lawyers to "employ reasonable care and skill and apply the lawyer's best judgment in the performance of professional services.”

[4] 199 ME 196

[5] This Opinion is not intended to deal with the extent to which relevant information may be sought in litigation through proper discovery under the guidance of a court.

[6] Although the type of metadata embedded in an electronic document varies with the software being used. and its full scope is unknown except to those with advanced computer expertise, examples include recording of the document’s source, authors, editors and those offering comments, as well as changes and comments made in the course of document preparation. Some metadata may reveal client confidences and attorney work product and advice, among other confidential information.

[7] While metadata may be “ubiquitous” (to use the words of the ABA), we think that, with rapid technological advances, it may be overly simple to assume that an attorney may reasonably be able to know its full extent in all the software applications used, or that easily applied steps will cleanse the document of all embedded information not intended to be revealed. While reasonable steps can and should be taken to minimize the amount of metadata contained in an electronic document to be transmitted to another party, and of course the document can be transmitted in paper copy if security is paramount, there is no absolute assurance that electronic transmission of documents can be undertaken in a manner that is totally immune from unwanted probing for confidential information.

[8] “In Corey, the Law Court, jurisdictionally unconstrained, has now pronounced that, as a matter of common law, the obligation to preserve the lawyer-client privilege is indeed an affirmative obligation shared by adversaries, and that the privilege cannot be inadvertently relinquished.” Opinion 172.

[9] See footnote 5.

[10] As stated in Opinion 194, “[T]he primary responsibility for file integrity, maintenance, disposition, and confidentiality rests with the attorney employed by the client. See Maine Professional Ethics Commission Opinion # 74 (10/1/86)…. Rule 3.6(h)(2) implies that lawyers have a responsibility to train, monitor, and discipline their non-lawyer staff in such a manner as to guard effectively against breaches of confidentiality. Failure to take reasonable steps to provide adequate training, to monitor performance, and to apply discipline for the purpose of enforcing adherence to ethical standards is grounds for concluding that the lawyer has violated Rule 3.6(h)(2). See Maine Professional Ethics Commission Opinion #134 (9/21/93).”

[11] “With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, this opinion will outline guidance for the lawyer to consider in determining when professional obligations are satisfied.” Opinion 194.


Enduring Ethics Opinion