Metadata: Ethical Obligations of the Witting and Unwitting Recipient

As shown in our last column, software commonly used by lawyers often creates embedded data, otherwise known as metadata.1 As previously discussed, there are means to avoid creating embedded data, as well as means available to remove hidden data already created. In theory, at least, it is possible to remove all metadata prior to sending a document to opposing counsel.

In theory.

As also mentioned in our last column, good lawyers in large, sophisticated firms have recently transmitted documents that contain not just embedded data, but confidential embedded data - revealing even who the lawyer's client was intending to sue.2 Accidents will happen; people are not perfect and no doubt even the best software will miss some form of embedded data even if the document is properly scrubbed.

Suppose you open a document sent to you from opposing counsel. Is it ethical for you to purposely mine through the document to see if there is embedded data present? If it is present, can you actually use it?

Before turning to those questions, it is important to note that the discussion in this article is limited to inadvertent transmission outside the context of document production. Procedural rules, such as the new Federal Rules of Civil Procedure, may replace or augment the issues of ethics discussed here and, thus, this discussion may have limited application to document production during litigation.

Can You Look?

Given that metadata is a relatively new concern for lawyers, it is not surprising that formal ethical rules do not yet directly address the question of whether it is proper for a lawyer to search an electronic file sent by another lawyer to see if any useful embedded data is present. However, like most states, Georgia has a general catchall rule that prohibits "professional conduct involving dishonesty, fraud, deceit or misrepresentation."3 Although the Georgia Bar has not yet addressed the question of whether it is dishonest to look for metadata in a document exchanged between counsel, bar associations in other jurisdictions have and may provide some guidance to Georgia lawyers.

Unfortunately, however, the bar associations that have analyzed the issue have openly split on whether it is ethical for a lawyer to look for metadata. And the split is deep, direct, and irreconcilable.

On one end of the spectrum, the bars of New York, Florida, Arizona, and Alabama have concluded that conducting a purposeful search for metadata is unethical. The New York Bar Association emphasized that "it is a deliberate act by the receiving lawyer, not carelessness on the part of the sending lawyer, that would lead to the disclosure of client confidences and secrets" in the embedded data.4 Alabama's Bar similarly condemned the act of mining for metadata as "a knowing and deliberate attempt by the recipient attorney to acquire confidential and privileged information in order to obtain an unfair advantage against an opposing party."5 Florida's Bar also agreed but more softly wrote that a recipient should not try to view metadata the lawyer knows or should know was not intended for his or her viewing.6 Most recently, Arizona's Bar issued an opinion advising lawyers that as a general rule a lawyer may not "mine" documents from opposing counsel for metadata.7

On the other end of the spectrum, both the American Bar Association ("ABA") and the Maryland Bar Association found nothing unethical with deliberately mining documents sent by opposing counsel outside the context of discovery for metadata.8 The ABA expressed its disagreement in mild terms, however, stating only that "the Committee does not believe that a lawyer . . . would violate" his or her professional duties by mining for metadata.9 Taking a slightly more nuanced approach, the District of Columbia Bar reasoned that viewing metadata was dishonest only if, before viewing it, the lawyer actually knew that the metadata had been inadvertently sent.10

Perhaps representing the more balanced view is a very recent opinion from the Pennsylvania Bar Association. After noting the split detailed above, the Pennsylvania Bar refused to take a bright-line position on whether mining for metadata is unethical. Instead, it stated that "each attorney must determine for himself or herself whether to utilize the metadata contained in documents and other electronic files based upon the lawyer's judgment and the particular factual situation."11 Similarly, the Pennsylvania Bar stated that whether the information should be used turned upon "the nature of the information received, how and from whom the information was received, attorney-client privilege and work-product rules, and common sense, reciprocity and professional courtesy."12

Georgia lawyers are thus left with neither controlling authority nor a clear majority rule from those authorities that have addressed the question of whether it is ethical to mine for metadata. If the opinions suggest anything, it is that a lawyer who decides to mine for embedded data should proceed with caution, particularly if the embedded data reveals either the other side's client confidences, privileged information, or work product and the circumstances are such that a reasonable lawyer would know that the embedded data was sent inadvertently. More fundamental than whether the lawyer will be disciplined for examining embedded data is the question of whether it is professional to do so. The ethics rules decide only matters of discipline, and the broader and greater question of whether it is "right" to look should not be lost. Not only does the adage of "what goes around comes around" apply, but a judge may question the integrity of a lawyer who intentionally takes advantage of an opponent's mistake that reveals privileged information, for example. More is at stake than discipline.

Assuming, however, that a Georgia lawyer comes across metadata in an exchanged document either by intentionally mining for it or through innocent discovery, does the lawyer have any obligation to notify the sender of the existence of the metadata?

Must the Recipient Notify the Sender of the Mistake?

A lawyer may learn of the existence of embedded data intentionally - the issue discussed above - or by mistake. As shown above, a lawyer can actively "mine" for metadata contained within a document. At the same time, an attorney who creates a document with track changes turned on may believe that the record of changes is free from the unintended viewer's prying eyes so long as the track changes setting has been changed from "Final Showing Markup" to "Final."13 Without the proper removal of metadata, any holder of the electronic document maintains the ability to manipulate that document in the same manner as the document's creator. This means that, when a lawyer opens a document sent from opposing counsel and currently has track changes set to "Final Showing Markup," that document will show all track changes regardless of the original creator's track changes setting. If sensitive information had previously been deleted from the document by its creator, the unwitting attorney could inadvertently be exposed to this information and may be faced with a serious ethical obligation. While most metadata is discovered through intentional mining, accidental exposure to embedded data is still possible.14

Many states expressly impose an obligation upon a lawyer who is inadvertently sent a document to notify opposing counsel of the mistake. Specifically, Model Rule of Professional Conduct 4.4(b) requires a "lawyer who receives a document relating to the representation of the lawyer's client . . . [who] knows or reasonably should know that the document was inadvertently sent" to "promptly notify the sender."15 The comments also specifically state that the rule covers inadvertently sent e-mail.16 Model Rule 4.4(b), however, has only been adopted in a few jurisdictions.17

Georgia does not yet have a specific rule like Model Rule 4.4(b). This fact does not mean that ethical obligations are not raised when a lawyer inadvertently receives a sensitive document. For example, other states without a rule specifically addressing inadvertent transmission have nonetheless issued opinions that impose obligations on the recipient in such situations. The question Georgia lawyers face is whether the duty exists even in the absence of a specific rule governing the situation.18

In the context of misdirected faxes, mail, e-mail, and other communications besides embedded data, the authorities have generally recognized that ethical obligations can arise when a lawyer receives a document that was not intended for him or her,19 such as the receipt of a fax intended for opposing counsel's client.20 As a general principle, those authorities hold that where a lawyer receives privileged or confidential client information from another lawyer where the circumstances reasonably show that the disclosure was inadvertent, the recipient must notify the sender of the mistake and, in some jurisdictions, follow the sender's instructions on how to proceed next.21

Assuming that such a duty exists in Georgia, the question would be whether that duty should apply in the special context of embedded data. Several bar associations have analyzed this duty in the context of embedded data where the lawyer intended to send the file containing that data to the lawyer who received the file but did not intend to transmit embedded confidential information. Unfortunately, those authorities have also split widely on whether the recipient has any duty to notify the sender of the presence of embedded data.

The opinions split along the same lines, essentially, as they do concerning whether it is dishonest to look. Specifically, the ABA22 and the Maryland Bar23 concluded that there was no obligation to notify the sender, while Florida,24 New York,25 Arizona,26 and Alabama27 concluded that such an obligation exists. The District of Columbia concluded that an obligation to notify existed only if the lawyer had actual knowledge that the embedded data was sent inadvertently before examining it,28 while Pennsylvania again adopted a facts-and-circumstances approach to the question.29

What, then, must a Georgia lawyer do when faced with this situation? Without clear guidance, the best advice would be the same as that regarding how to handle whether mining is appropriate: the greater the significance of the information and the clearer it is that the information was sent by mistake, the more likely it is that it is unethical not to notify the sender of the presence of embedded data. Whether inadvertent transmission waives the attorney-client privilege is, of course, a different question, and how the lawyer should proceed after notification - whether he should follow the sender's, his client's, or his own view of what to do - is itself a complex issue unaddressed by any Georgia authority.

Conclusion

Georgia lawyers are, at least for the time being, at an impasse when it comes to the treatment of opposing counsel's metadata. As the significance of metadata becomes more widely known, each state will no doubt develop its own approach to the treatment of inadvertent disclosure of confidential information through metadata. Until such a time arrives in Georgia, we hope that, at a minimum, we have provided a warning as to where these problems await and some guidance regarding how to emerge from this ethical predicament unscathed.

1See generally David Hricik and Chase Edward Scott, Metadata: The Ghosts Haunting e-Documents.

2 Id. at 20 n.21.

3Ga. R. Prof. Conduct 8.4(a)(4).

4 N.Y. St. B. Ass'n. Op. 749 (Dec. 14, 2001). All on-line ethics opinions and rules are available through http://www.hricik.com/StateEthics.html

5Ala. Op. 2007-02 (March 14, 2007) ("it is ethically impermissible for an attorney to mine metadata from an electronic document he or she receives inadvertently or improperly from another party.")

6Florida Prof. Eth. Comm. Op. 06-2 (Sept. 15, 2006).

7St. B. Ariz. Op. 07-03 (Nov. 2007).

8Am. B. Ass'n. Formal Opinion 06-442 (Aug. 5, 2006). See Md. B. Ass'n. Eth. Op. 2007-9 (2007) (not unethical to view metadata).

9ABA Op. 06-442 at 4 n.10. The ABA also stated that it "views similarly" the Florida Bar Association's conclusion that mining metadata was unethical. Id.

10D.C. B. Eth. Op. 341 (2007).

11Pa. Formal Eth. Op. 2007-500 (Jan. 2008).

12Id.

13As discussed in our previous article, views maybe changed in Microsoft Word to allow the user to either see or not see changes that have been made to a document. Thus, it is possible that a lawyer may, depending on the view she has set in Word, not even know she is transmitting embedded data in an exchanged document.

14We created a copy of this file with track changes on, but the "Show" toolbar for track changes showing "Final," and then saved the file and e-mailed it. When the recipient opened the file with his "Show" toolbar set to "Final Showing Markup," all of the changes were visible. Thus, it is possible for a recipient to unintentionally view metadata.

The discussion in this section, however, would likely apply whether the lawyer learned of the presence of embedded data intentionally, or by mistake.

15Model Rules Of Prof'l Conduct R. 4.4(b).

16 Id.

17 Andrew M. Perlman, Untangling Ethics Theory from Attorney Conduct Rules: The Case of Inadvertent Disclosures, 13 Geo. Mason L. Rev. 767, 783-85 (2006) (listing jurisdictions that had adopted Model Rule 4.4(b)).

18See generally, Robert C. Port, Whoops! You've Got Mail!, 6 Ga. B.J. 4, 16 (Feb. 2001).

19The ABA mentioned inadvertent transmission of e-mail when analyzing waiver of privilege over a misdirected fax: "the availability of xerography and proliferation of facsimile machines and electronic mail make it technologically ever more likely that through inadvertence, privileged or confidential materials will be produced to opposing counsel by no more than the pushing of the wrong speed dial number on a facsimile machine." ABA Formal Op. 92-368 (November 10, 1992). Accord Fla. St. Bar Assn. Comm. On Prof. Ethics Op. 93-3 (Feb. 1, 1994) ("Such an inadvertent disclosure might occur as part of a document production, a misdirected facsimile or electronic mail transmission, a 'switched envelope' mailing, or misunderstood distribution list instructions.").

20ABA Formal Op. 92-368 (November 10, 1992). Accord Fla. St. Bar. Assn. Comm. on Prof. Ethics Op. 93-3 (Feb. 1, 1994) ("Such an inadvertent disclosure might occur as part of a document production, a misdirected facsimile or electronic mail transmission, a 'switched envelope' mailing, or misunderstood distribution list instructions.")

21See generally Douglas R. Richmond, Key Issues in the Inadvertent Release and Receipt of Confidential Information, 72 Def. Couns. J. 110 (2005); James Q. Walker, Ethics and Electronic Media, 716 PLI/Lit 313, 334-36 (2004).

22Am. B. Ass'n. Formal Op. 06-442, supra, note 8.

23Md. B. Ass'n. Eth. Op. 2007-9, supra, note 8.

24Florida Prof. Eth. Comm. Op. 06-2, supra, note 6.

25N.Y. St. B. Ass'n. Op. 749, supra, note 4.

26Ariz. Op. 07-03, supra, note 7.

27Ala. Op. 2007-02, supra, note 5.

28D.C. B. Eth. Op. 341, supra, note 10.

29Pa. Formal Eth. Op. 2007-500, supra, note 11.