Metadata is information (data) that describes your data. For example, metadata may include:
- Important dates/timestamps, such as when a file was created, last modified, or last accessed
- The original author of the file (perhaps many years, revisions, and firms ago)
- The location of a photo, automatically captured from a phone's GPS
- Email history: From/To, dates, subject, and attachments (including email routing, timestamps, & IP addresses)
- Edit History (such as with “Track Changes” enabled) or Comments
This is certainly useful information and may include confidential information. Unfortunately, much of this metadata may also be “hidden” and easy to overlook. State Bar of Arizona Ethics Opinion 07-03: Confidentiality; Electronic Communications; Inadvertent Disclosure was published to highlight the risk, provide guidance on avoiding inadvertent disclosure, and provide instructions on how lawyers must respond if they receive inadvertently disclosed confidential metadata. Opinion 07-03 references and expands on ER 1.6 (Confidentiality of Information), ER 4.4 (Respect of Rights of Others) & ER 8.4 (Misconduct).
From a preventative standpoint, Opinion 07-03 advises that lawyers must “take reasonable precautions to prevent the information (metadata) from coming into the hands of unintended recipients.” The opinion also provides some recommendations on data scrubbing procedures, as well as some advice regarding the use of metadata management software and informed client consent in forgoing the use of this software.
Technology and your risk profile both continually evolve. How well are you and your firm keeping on top of and managing your metadata risk?
Some questions you might consider in performing your review of your metadata risks and management policy:
- Have there been changes to your firm profile (areas of law, types of clients, changes in staff, risks) that require an evolution of your metadata policies and procedures?
- Do your policies and procedures adequately address risks associated with Microsoft Office Track Changes & Comments? Other metadata risks?
- Do you have metadata management software in place?
  - Is it actively running/working? (test it)
  - Is it effective? Is it efficient/easy to work with?
- Have you evaluated whether there are any newer, better technologies and/or approaches?
- Has the firm considered the risks associated with the use of BCC (blind carbon copy) in sending email?
- Is your employee training and education regarding metadata risks sufficient?
Finally, remember that the key to all risk management is a regular rhythm – this is a process, and you are never “finished”. Determine an appropriate risk management review frequency (at least once per year, more frequently based on size, complexity, and risks) and set a recurring appointment to review progress towards your plan, reassess risks, and update your plan. Metadata is one of many risks. Your metadata management policy should be on the list of items contemplated & managed.
For more information on how to protect your firm’s data, contact us directly at 602-412-5025 or firstname.lastname@example.org.