Ethics and Metadata: What Law Firms Need to Understand
By: Dave Kinsey | June 9, 2017
Metadata is the information embedded in files that describes their properties—when they were created, who authored them, where they were edited, and more. It can be useful for tracking document history, but it can also contain sensitive or confidential details you didn’t intend to share.
Examples of metadata include:
Date/timestamps: such as when a file was created, last modified, or last accessed
Original author information, sometimes from years and multiple revisions ago
Location data on a photo automatically captured by a phone’s GPS
Email routing details such as sender/recipient addresses, dates, attachments, and IP addresses
Edit history (like Microsoft Word’s Track Changes) and comments
Metadata can be helpful internally, but it often includes confidential information. When you share a file externally, this metadata may be “hidden,” making it easy to overlook.
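The hidden data listed above can be checked mechanically before a Word file leaves the firm. The following Python script is an added example, not part of the original article or of any product it mentions: it opens a .docx as the ZIP package it is and reports author properties, tracked insertions and deletions, and comments. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {  # standard namespaces of the Office Open XML (.docx) package format
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
AUTHOR = "{%s}author" % NS["w"]
# (package part, report key, element path) for each kind of hidden data checked
CHECKS = (("docProps/core.xml", "creator", "dc:creator"),
          ("docProps/core.xml", "lastModifiedBy", "cp:lastModifiedBy"),
          ("word/document.xml", "insertions", ".//w:ins"),
          ("word/document.xml", "deletions", ".//w:del"),
          ("word/comments.xml", "comments", "w:comment"))

def audit_docx(data):
    """Report author properties, tracked changes and comments in .docx bytes."""
    report = {"reviewers": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, key, path in CHECKS:
            found = []
            if part in zf.namelist():  # a scrubbed file may lack the part entirely
                found = ET.fromstring(zf.read(part)).findall(path, NS)
            if part == "docProps/core.xml":
                report[key] = found[0].text if found else None
            else:  # revision marks and comments each carry the reviewer's name
                report[key] = len(found)
                report["reviewers"].update(e.get(AUTHOR) for e in found if e.get(AUTHOR))
    return report

def is_clean(report):
    return not any(report.values())  # no name, revision mark or comment remains

def build_sample():
    """Constructed sample: a minimal package holding only the parts audited here."""
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s">'
            '<dc:creator>Former Associate</dc:creator>'
            '<cp:lastModifiedBy>Paralegal A</cp:lastModifiedBy></cp:coreProperties>',
        "word/document.xml": '<w:document xmlns:w="%(w)s"><w:body><w:p>'
            '<w:ins w:author="Partner B"><w:r/></w:ins>'
            '<w:del w:author="Partner B"><w:r/></w:del></w:p></w:body></w:document>',
        "word/comments.xml": '<w:comments xmlns:w="%(w)s">'
            '<w:comment w:id="0" w:author="Client Contact"/></w:comments>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml % NS)
    return buf.getvalue()
```

Other parts of the package, such as docProps/app.xml and docProps/custom.xml, can hold further properties and are not inspected here.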
Why this matters for law firms: Hidden metadata can reveal confidential or privileged information. Understanding and managing it is critical for protecting clients and maintaining compliance with legal ethics rules.
Managing Metadata Risk: Legal and Ethical Guidance
State Bar of Arizona Ethics Opinion 07-03, “Confidentiality; Electronic Communications; Inadvertent Disclosure,” addresses the risks of inadvertent metadata disclosure and provides instructions for avoiding it. The opinion references and expands on:
ER 1.6 – Confidentiality of Information
ER 4.4 – Respect of Rights of Others
ER 8.4 – Misconduct
From a preventative standpoint, Opinion 07-03 advises that lawyers must “take reasonable precautions to prevent the information (metadata) from coming into the hands of unintended recipients.”
It also advises:
Implementing data scrubbing procedures to remove sensitive metadata
Using metadata management software for automatic review or removal
Obtaining informed client consent when choosing not to use such software
Because technology and risk profiles evolve, your metadata management approach should be reviewed and updated regularly.
Questions to Guide Your Metadata Policy Review
Consider the following when reviewing your metadata risks and management policy:
Have there been changes to your firm profile (areas of law, types of clients, changes in staff, risks) that require an evolution of your metadata policies and procedures?
Do your procedures address Microsoft Office Track Changes, comments, and other metadata risks?
Is your metadata management software in place, running, and effective?
Have you evaluated whether there are any newer tools or approaches?
Are employees adequately trained on metadata risks?
Do you understand the risks associated with using blind carbon copy (BCC) in email?
Make Risk Management a Regular Practice
Remember, risk management is ongoing—it’s a process, and you are never “finished.” We recommend a risk management review at least annually, or more often for larger or higher-risk firms, to assess risks, review progress, and update your plan. Metadata is one of many risks, and how it’s managed should be part of your regular review.
At Total Networks, we help law firms protect sensitive information, comply with ethics requirements, and minimize the risk of inadvertent disclosure through effective metadata management.