NEW YORK STATE BAR ASSOCIATION
Committee on Professional Ethics
Opinion #782 - 12/08/2004
Topic: E-mailing documents that may contain hidden data reflecting client confidences and secrets.
Digest: Lawyers must exercise reasonable care to prevent the disclosure of confidences and secrets contained in "metadata" in documents they transmit electronically to opposing counsel or other third parties.
Code: DR 1-102(A)(5), 4-101(B), (C), (D); EC 4-5.
DR 4-101(B) states that a lawyer shall not "knowingly" reveal a confidence or secret of a client. Does a lawyer who transmits documents that contain "metadata" reflecting client confidences or secrets violate DR 4-101(B)?
Word-processing software commonly used by lawyers, such as Microsoft Word and Corel WordPerfect, include features that permit recipients of documents transmitted by e-mail to view "metadata," which may be loosely defined as data hidden in documents that is generated during the course of creating and editing such documents. It may include fragments of data from files that were previously deleted, overwritten or worked on simultaneously. Metadata may reveal the persons who worked on a document, the name of the organization in which it was created or worked on, information concerning prior versions of the document, recent revisions of the document, and comments inserted in the document in the drafting or editing process. The hidden text may reflect editorial comments, strategy considerations, legal issues raised by the client or the lawyer, legal advice provided by the lawyer, and other information. Not all of this information is a confidence or secret, but it may, in many circumstances, reveal information that is either privileged or the disclosure of which would be detrimental or embarrassing to the client. SeeDR 4-101. For example, a lawyer may transmit a document by e-mail to someone other than the client without realizing that the recipient is able to view prior edits and comments to the document that would be protected as privileged attorney-client communications. Or, more dramatically, a prosecutor using a cooperation agreement signed by one confidential witness may use the agreement as a template in drafting the agreement for another confidential witness. The second document's metadata could contain the name of the original cooperating witness, and if e-mailed, could expose that witness to extreme risks.
The Lawyer's Code of Professional Responsibility (the "Code") prohibits lawyers from "knowingly" revealing a client confidence or secret, DR 4-101(B)(1), except when permitted under one of five exceptions enumerated in DR 4-101(C). DR 4-101(D) states that a lawyer "shall exercise reasonable care to prevent his or her employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client." See also EC 4-5 ("Care should be exercised by a lawyer to prevent the disclosure of the confidences and secrets of one client to another"). Similarly, a lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances. SeeN.Y. State 709 (1998) ("an attorney must use reasonable care to protect confidences and secrets"); N.Y. City 94-11 (lawyer must take reasonable steps to secure client confidences or secrets).
When a lawyer sends a document by e-mail, as with any other type of communication, a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client's confidential information. What constitutes reasonable care will vary with the circumstances, including the subject matter of the document, whether the document was based on a "template" used in another matter for another client, whether there have been multiple drafts of the document with comments from multiple sources, whether the client has commented on the document, and the identity of the intended recipients of the document. Reasonable care may, in some circumstances, call for the lawyer to stay abreast of technological advances and the potential risks in transmission in order to make an appropriate decision with respect to the mode of transmission. SeeN.Y. State 709 (1998).
Lawyer-recipients also have an obligation not to exploit an inadvertent or unauthorized transmission of client confidences or secrets. In N.Y. State 749, we concluded that the use of computer technology to access client confidences and secrets revealed in metadata constitutes "an impermissible intrusion on the attorney-client relationship in violation of the Code." N.Y. State 749 (2003). See alsoN.Y. State 700 (1997) (improper for a lawyer to exploit an unauthorized communication of confidential information because doing so would constitute conduct "involving dishonesty, fraud, deceit or misrepresentation" and "prejudicial to the administration of justice" in violation of DR 1-102(A)(4) and DR 1-102(A)(5), respectively).
Lawyers have a duty under DR 4-101 to use reasonable care when transmitting documents by e-mail to prevent the disclosure of metadata containing client confidences or secrets.
David Hricik and Robert R. Jueneman, "The Transmission and Receipt of Invisible Confidential Information," 15 The Professional Lawyer No. 1, p. 18 (Spring 2004); Mark Ward, "The hidden dangers of documents," BBC News World Edition, August 18, 2003, at http://news.bbc.co.uk/2/hi /technology/3154479.stm; "Barry MacDonnell's Toolbox for WordPerfect for Windows - Macros, Tips, and Templates;" February 5, 2004 , at http://home.earthlink.net/~wptoolbox?Tips/UndoRedo.html.
 "How To: Minimize Metadata in Microsoft Word 2002 Documents," at http://support. microsoft.com/?kbid=237361; "How To: Minimize Metadata in Microsoft Word 2000 Documents," at http://support.microsoft.com/?kbid=237361. Most Word document files contain a revision log listing the last 10 edits of a document, and identifying the names of the people who worked on the document and the names of the files in which the data was saved. Richard M. Smith, "Microsoft Word bytes Tony Blair in the butt," June 30, 2003, at http://www.computerbytesman.com/privacy/blair.htm (describing how the British government was embarrassed in February 2003 when 10 Downing Street published a dossier on Iraq's security and intelligence organizations and posted it as a Microsoft Word document on their Web site, which through its metadata revealed the identities of the four civil servants who worked on the document as well as various other documents that contained the same information). Similarly, WordPerfect documents may contain information text that had been cut, copied or deleted, as well as the drafter's username, the drafter's initials, the company or organization name, the name of the computer, embedded objects, comments, and other file properties and summary information. "Barry MacDonnell's Toolbox for WordPerfect for Windows - Macros, Tips, and Templates," February 5, 2004, at http://home.earthlink.net/~wptoolbox?Tips/UndoRedo.html.
 Some commentators have suggested that a lawyer has an affirmative duty to remove metadata whenever documents are exchanged with opposing counsel or disclosed to the public. See, e.g.,David Hricik & Robert R. Jueneman, The Transmission and Receipt of Invisible Confidential Information, 15 The Professional Lawyer no. 1, p. 18 (Spring 2004) ("To comply with their duty of confidentiality, lawyers should take steps to remove metadata from documents exchanged with opposing counsel or disclosed to the public"). While exercising reasonable care under DR 4-101 may, in certain circumstances, require the lawyer to remove metadata (for example, where the lawyer knows that the metadata reflects client confidences and secrets, or that the document is being sent to an aggressive and technologically savvy adversary), in general the level of care required varies with the particular circumstances of the transmission.
Unlike lawyers, non-lawyer recipients of documents containing hidden text have no obligation imposed by the Code to avoid uncovering and exploiting information contained in an e-mailed document's metadata.
Related FilesOpinion 782