The North Carolina State Bar has proposed an Ethics Opinion on whether a lawyer can look for and use metadata contained in a electronic communication from another party or that party’s lawyer. Proposed 2009 Formal Ethics Opinion 1, if approved, would place affirmative obligations on not only the recipient of the data, but also its sender.
[Note: On October 22, 2009, the State Bar Ethics Committee voted to withdraw this opinion and to send it to a subcommittee for further study.]
Metadata is "data contained within electronic materials that is not ordinarily visible to those viewing the information." Metadata might show information that a lawyer chose to delete, or a private comment that the lawyer didn’t mean the reader to see.
Obligations On Sending Lawyers
Those sending an email or electronic version of a document to an opposing counsel or party will be obligated to "use reasonable care to prevent the disclosure of confidential client information." That means being careful about using word processing software that tracks changes, allows the insertion of comments, or permits the saving of multiple versions of a document. The Opinion says that lawyers should use scrubbing applications that delete metadata, or avoid metadata altogether by sending fax transmissions or hard copies of documents.
Obligations On Receiving Lawyers
On the recipient side, the Proposed Opinion would prohibit a lawyer receiving electronic communications from searching for or using confidential information contained in the metadata in the document. And not only that, if the recipient unintentionally views hidden data, he or she must notify the sender of that fact.
The Proposed Opinion doesn’t apply, of course, to documents produced in response to a subpoena or a discovery request.
The issue of metadata has been confounding state bar ethicists for years. The Proposed Opinion references a number of other state bars which have issued ethics opinions on the subject, including Alabama, Arizona, Colorado, the District of Columbia, Florida, Maine, Maryland, New York, and Pennsylvania.
North Carolina, if it adopts the Proposed Opinion, will be lining up with Alabama, Arizona, Florida, Maine, and New York. Each of those states takes the position that a lawyer should not search metadata for confidential information belonging to an opposing party. There are a few with a contrary view or which don’t take a position on the subject, including the American Bar Association, Colorado, Maryland, and Pennsylvania.
The ABA has a good one page summary of the rules on metadata in these various jurisdictions, including a few additional jurisdictions not referenced by the NC State Bar in the Proposed Opinion.
If you have thoughts on this subject, you can address comments on the Proposed Opinion by September 30, 2009, to the NC State Bar Ethics Committee at P.O. Box 25908, Raleigh, North Carolina 27611.
The full text of the Proposed Opinion is below.
Proposed 2009 Formal Ethics Opinion 1
Review and Use of Metadata
January 22, 2009
Proposed opinion rules that a lawyer must use reasonable care to prevent the disclosure of confidential client information hidden in metadata when transmitting an electronic communication and a lawyer who receives an electronic communication from another party or another party’s lawyer must refrain from searching for and using confidential information found in the metadata embedded in the document.
In the representation of clients in all types of legal matters, lawyers routinely send e-mails and electronic documents, spreadsheets, and PowerPoint presentations to a lawyer for another party (or to the party if not represented by counsel). The e-mail and the electronic documents contain metadata or embedded information about the document describing the document’s history, tracking, and management such as the date and time that the document was created, the computer on which the document was created, the last date and time that a document was saved, "redlined" changes identifying what was changed or deleted in the document, and comments included in the document during the editing process. Pennsylvania Bar Ass’n. Comm. on Legal Ethics and Professional Responsibility, Formal Opinion 2007-500, notes that, although most metadata contains "seemingly harmless information," it may also contain "privileged and/or confidential information, such as previously deleted text, notes, and tracked changes which may provide information about, e.g., legal issues, legal theories, and other information that was not intended to be disclosed to opposing counsel." This embedded information may be readily revealed by a "right click" with a computer mouse, by clicking on a software icon, or by using software designed to discover and disclose the metadata. The sender of the document may be unaware that there is metadata embedded in the document or mistakenly believe that the metadata was deleted from the document prior to transmission. The Ethics Committee is issuing this opinion sua sponte in light of the importance of the ethical issues raised by metadata.
What is the ethical duty of a lawyer who sends an electronic communication to prevent the disclosure of a client’s confidential information found in metadata?
Rule 1.6(a) of the Rules of Professional Conduct prohibits a lawyer from revealing information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized to carry out the representation, or disclosure is permitted by one of the exceptions to confidentiality set forth in paragraph (b) of the rule. As noted in comment  to the rule, "[w]hen transmitting a communication that includes information acquired during the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients." Therefore, a lawyer who sends an electronic communication must take reasonable precautions to prevent the disclosure of confidential information, including information in metadata, to unintended recipients.
RPC 215 addressed the preservation of confidential client information when using modern forms of communication including cellular phones and e-mail. The opinion states that the professional obligation to use reasonable care to protect and preserve confidential information extends to the use of communications technology; "[h]owever, this obligation does not require that a lawyer use only infallibly secure methods of communication." Nevertheless, "a lawyer must take steps to minimize the risks that confidential information may be disclosed in a communication."
What is reasonable depends upon the circumstances including, for example, the sensitivity of the confidential information that may be disclosed, the potential adverse consequences from disclosure, any special instructions or expectations of a client, and the steps that the lawyer takes to prevent the disclosure of metadata. Of course, when electronic communications are produced in response to a subpoena or a formal discovery request in civil litigation, the responding lawyer may not remove or restrict access to the metadata in the communications if doing so would violate any disclosure duties under law, the Rules of Civil Procedure, or court order.
May a lawyer who receives an electronic communication from another party or the party’s lawyer search for and use metadata embedded in the communication without the consent of the other party or lawyer?
No. The information revealed, whether trivial or significant, is confidential information of another party. By actively searching for such information, a lawyer interferes with the client-lawyer relationship of another lawyer and undermines the confidentiality that is the bedrock of the relationship. Rule 1.6. Moreover, because the sending lawyer (or the other party if unrepresented) trusts the receiving lawyer to read only the information that is readily visible on the document, a lawyer who takes steps to reveal embedded information is engaged in dishonest conduct in violation of Rule 8.4(c) and (d) which prohibit conduct "involving dishonesty, fraud, deceit, or misrepresentation" and that is "prejudicial to the administration of justice."
The New York State Bar was the first to adopt this position which was followed by the state bars of Alabama, Arizona, Florida, and Maine. New York Ethics Opinion 749 holds that:
in light of the strong public policy in favor of preserving confidentiality as the foundation of the lawyer-client relationship, use of technology to surreptitiously obtain information that may be protected by the attorney-client privilege, the work product doctrine, or that may otherwise constitute a "secret" of another lawyer’s client would violate the letter and spirit of [the New York] Disciplinary Rules.
Agreeing with the position of the New York State Bar, the Alabama State Bar Disciplinary Commission in Opinion 2007-02 finds that, "[t]he mining of metadata constitutes a knowing and deliberate attempt by the recipient attorney to acquire confidential and privileged information in order to obtain an unfair advantage against an opposing party." Although the ABA Standing Committee on Ethics and Professional Responsibility, in Formal Opinion 06-442 (2006), takes the position that the Model Rules of Professional Conduct do not prohibit a lawyer from reviewing and using metadata, this position was subsequently rejected by the State Bar of Arizona among others. Arizona Opinion 07-03 observes that under the ABA opinion, which puts "the sending lawyer85at the mercy of the recipient lawyer85, the sending lawyer might conclude that the only ethically safe course of action is to forego the use of electronic document transmission entirely85[this is not] realistic or necessary." The North Carolina State Bar Ethics Committee agrees.
Rule 4.4(b) concerns the receipt of a writing that was never intended for the receiving lawyer and it does not, therefore, address the ethical issues raised by the search for and use of metadata. Rule 4.4(b) requires a lawyer who receives a writing relating to the representation of a client that the lawyer knows, or reasonably should know, was inadvertently sent, to promptly notify the sender. However, the rule does not prohibit the receiving lawyer from reading the document and, as noted in the comment to the rule, "[w]hether the lawyer who receives the writing is required to take additional steps, such as returning the original writing, is a matter of law beyond the scope of these rules85.Whether a lawyer is required [to return a writing unread] is [also] a matter of law." A lawyer who receives an inadvertently sent document must read the document to determine its purpose and character and cannot know that the document was inadvertently sent without doing so. The lawyer is a passive recipient of the document and is not actively attempting to unveil the other party’s confidences. Conversely, a lawyer who receives an electronic communication knows that the sender intends to disclose only the information visible on the face of the communication unless the lawyer has an agreement to the contrary with the sender. Therefore, a lawyer who purposefully searches for and uses the information contained in metadata in a communication received from another lawyer or party is engaged in dishonest and unethical conduct that betrays the trust of the other lawyer or party and undermines that lawyer’s confidential relationship with his or her client.
In conclusion, a lawyer may not search for and use metadata in an electronic communication sent to him or her by another lawyer or party unless the lawyer is authorized to do so by law, rule, court order or procedure, or the consent of the other lawyer or party. If a lawyer unintentionally views metadata, the lawyer must notify the sender and may not subsequently use the information revealed without the consent of the other lawyer or party.
1. Metadata is explained in Pennsylvania Bar Ass’n. Comm. on Legal Ethics and Professional Responsibility, Formal Op. 2007-500 (2007), as follows: "Metadata, which means ‘information about data,’ is data contained within electronic materials that is not ordinarily visible to those viewing the information. Although most commonly found in documents created in Microsoft Word, metadata is also present in a variety of other formats, including spreadsheets, PowerPoint presentations, and Corel WordPerfect documents."
2. Arizona State Bar Comm. on the Rules of Professional Conduct, Op. 07-03 (2007).
3. Pennsylvania Formal Op. 2007-500 (2007).
4. This is the consensus position of the jurisdictions that have considered the issue as well as the ABA Standing Committee on Ethics and Professional Responsibility. Alabama State Bar Disciplinary Comm’n, Op. 2007-02 (2007); Arizona State Bar Comm. on the Rules of Professional Conduct, Op. 07-03 (2007); Colorado Bar Ass’n. Ethics Comm., Op. 119 (2008); District of Columbia Legal Ethics Comm., Op. 341 (2007); Florida Professional Ethics Comm., Ethics Op. 06-2 (2006); Maine Bd. of Bar Overseers Professional Ethics Comm’n., Op. 196 (2008); Maryland State Bar Ass’n. Comm. on Ethics, Op. 2007-09 (2006); New York State Ethics Op. 782 (2004); Pennsylvania Formal Op. 2007-500 (2007); ABA Standing Comm. on Ethics and Professional Responsibility, Formal Op. 06-442 (Aug. 5, 2006).
5. Steps to minimize the risk of disclosure of metadata include the following:
- Avoiding the use of the redlining function of a word processing program.
- Not embedding comments in a document.
- Not using template documents that may include embedded information about clients for whom a lawyer previously used the template.
- Using computer programs to "scrub" the document of embedded information before sending.
- Sending a version of the document that does not include embedded information such as a hard copy, a scanned image, or a fax.
- Negotiating a confidentiality agreement or protective order that will allow embedded information to be kept out of evidence.
See opinions listed in footnote 4 supra.
6. Alabama Ethics Op. 2007-02 (2007); Arizona Op. 07-03 (2007); Florida Ethics Op. 06-2 (2006); Maine Op. 196 (Oct. 21, 2008), and New York Ethics Op. 749 (2001). Pennsylvania Formal Op. 2007-500 (2007) holds that a lawyer must determine for himself or herself whether to utilize metadata based upon the lawyer’s judgment and the particular factual situation. District of Columbia Legal Ethics Comm., Op. 341 (2007) holds that a lawyer may not view metadata if the lawyer has actual knowledge that it was provided inadvertently.
7. ABA Formal Op. 06-442 (2006) concludes that the Model Rules of Professional Conduct permit a lawyer to review and use metadata contained in e-mail and other electronic documents. The Colorado Bar Association and the Maryland State Bar Association agree with the position expressed in the ABA opinion. Colorado Op. 119 (2008); Maryland Op. 2007-09 (2006).