Today I am going to discuss electronic security as it applies to law firms. This is important information for both counsel and client: if you are a client, your privacy is at risk if your attorney is not honoring his duty of confidentiality and competency to you; and if you are an attorney, your license is at risk, as this discussion goes right to the heart of your duties of confidentiality and competence, as owed to client information.
In the past few years, in California, we have seen just a few opinions issued by the Attorney General of our state concerning electronic security. One such opinion imposed a duty on attorneys to keep their client information confidential and to by competently ensuring, if they are working on a public wireless network, that their client’s information is protected from intrusion while the attorney is on that network. In other words: don’t log on to the public Wi-Fi network at Starbucks. Spend $30 per month on your own encrypted 4G access. Both Ipad and Samsung tablets now have this capability.
Though I cannot find anything to indicate that California’s Attorney General has considered the dangers of emailing created documents back and forth, I am aware that every email and every created document – whether MSWord, Excel, .pdf, jpeg, whatever – has in it sufficient metadata for an opportunistic or electronically savvy opposing party/counsel to view, not just the author and the date of the last modification, but any revisions you made to the document.
Why is that important, you ask? Well… let me ask you: do you really want opposing counsel to know every word your attorney took out of a document, and to wonder about why she did so? Why the amount offered for settlement was greater than that your attorney first typed? The answer, quite simply, is “no.”
This issue has been considered at some length in the California Practice Guide on Professional Responsibility, which discusses the possibility of “mining” metadata from an adverse party’s electronic documents.
According to the California Practice Guide, e-mail and other electronic documents often contain embedded information known as “metadata” (¶ 7:156.6 ff.). While much metadata is mundane and legally inconsequential, some of it can provide information regarding a document’s preparation (history of revisions, deleted text, written comments, etc.), and it also may reveal client confidences, litigation strategy, legal theories, attorney work product and other privileged and confidential information not meant for disclosure.
Disturbingly, as of the time of this writing, there is no California authority specifically on point regarding an attorney’s professional obligations upon receipt of documentation containing metadata; and out-of-state ethics opinions are split on this issue:
- Arizona, Alabama, and Florida use what is called the ” State Fund” approach: The policy behind the “State Fund rule” arguably could apply in California where a lawyer mines metadata in an opposing party’s document and discovers information that appears to be both privileged and sent inadvertently, and require counsel to inform you of the inadverdent disclosure. This rule however doesn’t prevent opposing counsel from capitalizing on the inadverdent disclosure.
- New York and New Hampshire have adopted a rule that “mining metadata” is improper and an ethical violation. These ethics opinions take the position that mining metadata is per se improper, and say that uncovering an opponent’s metadata is “much like eavesdropping,” don’t provide any rule of enforcement, nor does it prevent opposing counsel who mined the data from using the data.
- Maryland, Pennsylvania, and Vermont, all hold with the view espoused by the American Bar Association. The position of the ABA (along with jurisdictions in agreement) is that nothing in the Model Rules prohibits the “mining” of metadata. In fact, the Model Rules of Professional Conduct generally permit a lawyer to review and use metadata contained in e-mail and other electronic documents. Thus, the majority of states thus far, and the American Bar Association itself, considers metadata in your documents to be fair game for intelligence gathering. Think about that.
Microsoft does offer a metadata cleaner, but it has to be applied to every single document. To rely on the cleaner is to trust staff to apply their own judgment to every document that leaves your office. In my opinion it’s much better to have a policy that acts as a “metadata firewall” – no metadata gets in, no metadata gets out. The most effective way to prevent the flow of metadata from your firm is to, quite simply, print and then fax documents to opposing party/counsel. If one insists on delivering information via email, it is imperative to interrupt the flow of information to opposing party/counsel via metadata by printing the document in house, scanning it to create a .pdf file, and then uploading the scanned document to send to opposing party/counsel. This is the policy we have instituted at Hartley, Maxwell & Castellano, and we are sticking with it.
If you are an attorney, and don’t want your firm to be the subject of the next Attorney General’s opinion concerning e-security and steps you should have been diligently pursuing in the protection of your duty of confidentiality to our clients, you would do well to implement a similar policy and educate your staff on the reasons therefor. It is vitally important that attorneys and staff observe this policy diligently and without exception. Our licenses may depend upon it. I am not willing to risk my license, or that of any member of this firm, for the mere expediency offered by the exchange of emails and MSWord files to and from opposing counsel.
If you are a client, you will want to ensure that your attorney is taking necessary steps to protect your confidential, privileged information, including the work product your attorney generates in your case file. This column should have given you a couple of basic questions, but keep in mind this is by no means an exhaustive list.