Site of the Week: Electronic Privacy Information Center

After hearing Marc Rotenberg, the Executive Director of the Electronic Privacy Information Center, speak on the amount of our information that is available online and trends that impact our privacy even more, it is a pretty easy choice to name the Electronic Privacy Information Center's website, EPIC.org, as my Website of the Week. In particular, you should check out EPIC's Online Guide to Practical Privacy Tools.

Lock up your computer when you leave

Most of you know I am a believer in using keyboard shortcuts. It is a lot quicker to hit a pair of keys as opposed to navigating with the mouse. I've blogged about this before and provided a downloadable keyboard shortcut "cheat sheet." But today I want to talk about one particular keyboard shortcut that protects your privacy as well as your clients' privacy. That is hitting the Windows key (with the Windows logo) and at the same time the L key (for lock). This locks the computer and no one can access it again until you hit Ctrl+Alt+Delete and enter your password.

If you are leaving the computer to take a brief break, make a habit of locking it every time. I know you don't allow anyone access to your office whom you do not trust. But still, maybe you don't want your secretary to read that e-mail from your spouse or see just how far along you really are on that brief or view that open online game. This is just a good business privacy habit.

If the article and cheat sheet linked above are not enough for you, check out Wikipedia's keyboard shortcut table.

The Laptop Hall Of Shame

Forbes.com has some commentary from Robert Ellis Smith entitled Laptop Hall Of Shame.

The article begins: "When the history of personal privacy is written--and there are persons who monitor this sort of thing--they will call this 'The Year of the Stolen Laptop.'"

Read the article and ask yourself "Have we taken reasonable steps to ensure that our clients' confidential information would not be compromised if one of our laptops were stolen or lost?" There is only one right answer to this question.

Thanks to Michael Arkfeld's Electronic Discovery and Evidence blog for the pointer.

The Mysteries (and Magic) of Metadata

I am still surprised at how many lawyers seem to be unaware of the existence of metadata.

Metadata is, simply put, data about data. To look at some of the metadata in one of your documents, simply click File, then Properties. So when you look at the revision history of a document or check the word count of an article you are writing for publication, you are looking at metadata. So metadata is a useful thing when you are working on your own document, but it can present a problem when you e-mail that document to opposing counsel or other third parties. Deleted comments and prior drafts can be viewed by the recipient, to a greater or lesser extent, depending on the tools that are used. Dan Pinnington's superb article on metadata lists many types of metadata.

One Florida lawyer was quite upset when he learned his firm had been hoodwinked into e-mailing a document to opposing counsel instead of faxing it so that the metadata could be mined by opposing counsel. Apparently some client comments that were attached to the document and then deleted were recovered by opposing counsel. Well, this lawyer was on the Florida Bar's Board of Governors and that body expressed its opinion that metadata mining is unethical and referred the matter to committee to determine what rules should be enacted on the subject.

Needless to say the idea that lawyers should be prohibited from reviewing metadata shocked Dennis Kennedy and generated lots of commentary in the blogosphere like this post with the accompanying comments, this one and even this one from Toby Brown at the Utah State Bar. I share their concerns in that it appeared from the article these bar officials were acting to ban a practice that some of them had just learned of a few minutes before. I withheld comment, but was struck by the fact that I had been involved in preparing the Oklahoma Electronic Discovery Summit last fall where, among other things, lawyers were taught how to analyze metadata. OK, it is unethical in Florida and we're teaching it in Oklahoma.

Actually Florida wasn't the first to offer an opinion on this topic. In 2001 the New York State Bar published Ethics Opinion 749 which stated "A lawyer may not make use of computer software applications to surreptitiously 'get behind' visible documents or to trace e-mail." This was so obviously overbroad that I had lumped it in with all of those early ethics opinions that it was unethical for lawyers to use e-mail, which were later modified or withdrawn. I thought that the NYSBA did a better job with Ethics Opinion 782 in 2004 that "Lawyers have a duty under DR 4-101 to use reasonable care when transmitting documents by e-mail to prevent the disclosure of metadata containing client confidences or secrets." They didn't retreat from 749 in that one. But at least the statement was made that it is your responsibility to your clients not to pass out damaging metadata.

Tracing e-mail sounds like something FBI agents or spies would do, right? (Well, I guess not if they are lawyers licensed by the NYSBA.) The Winter 2006 edition of Family Advocate (from the ABA Family Law Section) contains a feature by Sharon D. Nelson and John W. Simek discussing a divorce case where a mother lost child custody in part because of a disturbing series of e-mails she sent to the father. But she vigorously denied doing any such thing. A court-ordered forensic examination of the father's computer revealed that he had set up a system to "spoof" e-mails so that the incriminating e-mails which appeared to be coming from her had actually been written by him. The custody order was quickly reversed. Was the mother's lawyer, or the judge who ordered the exam, doing anything unethical?

Our adversary system of litigation is cast as a search for the truth. Metadata speaks the truth. Sure, it could be fabricated just like any document could be forged. But one can understand those who have concerns about a rule that hides the truth, especially a rule about ignoring metadata that would not apply to the police, the insurance companies, the private investigators and, generally, everyone in society--except lawyers.

Noted ethics scholar David Hricik notes his preliminary agreement with the Florida rule. But he interprets the rule to apply only to metadata in documents drafted by opposing counsel. He notes that a lawyer may well have the duty to examine the metadata in documents produced pursuant to discovery, depending on the circumstances. With that limitation, the rule is more understandable. It's hard to defend the lawyer who used the metadata analysis tools on another lawyer's brief. Essentially such a search would only be for attorney-client communications, internal law firm communications or insight into opposing counsel's thought processes. But the law practice management point is not to release potentially problematic metadata in the first place.

Microsoft has released a downloadable metadata removal tool add-in that works with Office 2003 and 2002 versions of Word, Excel and PowerPoint. Corel's WordPerfect never carried quite as much metadata as Word and has had the publish to PDF feature built in. But, as noted here, the latest release has a built-in metadata removal tool.

Tom Mighell has linked to some articles on dealing with metadata. Conversion to PDF is generally a good way to remove metadata, although the PDF will still contain some metadata. Purists say too much still remains behind after that. My inclination is that most, if not all, potentially embarrassing metadata will be removed by this practice. (Of course, after I finished this post Tom Mighell tells me he has a PDF with deleted comments embedded in it.) Last month the National Security Agency released a step-by-step outline titled "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF." The NSA says the steps outlined above are completely sufficient. You would want to follow these steps for redaction of documents.

One lawyer told me that he simply prints out his documents and scans the paper to PDF. That would work, but it is time-consuming. Faxing the document instead of e-mailing it likewise provides security. There's always the old standby of copying all of the text and pasting it into a blank document. Sometimes the result is not perfect if the document was heavily formatted. Payne Consulting's Metadata Assistant for Word/Excel/PowerPoint is a highly regarded commercial product that has been around for some time. The free version will allow you to see, but not erase, the metadata.

I simply stress that we focus on not sending out metadata rather than enacting new ethical rules about who can look at what when you do.
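A pre-send check along these lines, as an added example that is not from the original post or from any tool it names: it assumes the document is a .docx (Office Open XML) file rather than the binary .doc format of the Word versions mentioned above, and reports the document properties, attached comments and tracked deletions a recipient could read. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"
CORE = {"creator": DC + "creator", "lastModifiedBy": CP + "lastModifiedBy", "revision": CP + "revision"}

def _part(z, name):
    """Parse one XML part of the package, or return None if it is absent."""
    return ET.fromstring(z.read(name)) if name in z.namelist() else None

def _text(node, tag):
    return "".join(t.text or "" for t in node.iter(W + tag))

def audit_docx(data):
    """Report metadata a recipient could read from a .docx given as bytes."""
    report = {"properties": {}, "comments": [], "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core, notes, body = (_part(z, n) for n in
                             ("docProps/core.xml", "word/comments.xml", "word/document.xml"))
    if core is not None:
        report["properties"] = {k: core.findtext(t) for k, t in CORE.items() if core.findtext(t)}
    if notes is not None:
        report["comments"] = [(c.get(W + "author"), _text(c, "t")) for c in notes.iter(W + "comment")]
    if body is not None:
        # Tracked deletions keep the removed words in w:delText runs.
        report["deleted_text"] = [(d.get(W + "author"), _text(d, "delText")) for d in body.iter(W + "del")]
    return report

def build_sample():
    """Constructed sample .docx (not a real file): one comment, one tracked deletion."""
    w = 'xmlns:w="%s"' % W[1:-1]
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>A. Associate</dc:creator><cp:lastModifiedBy>P. Partner</cp:lastModifiedBy>'
            '<cp:revision>7</cp:revision></cp:coreProperties>' % (CP[1:-1], DC[1:-1]),
        "word/comments.xml": '<w:comments %s><w:comment w:id="0" w:author="Client"><w:p><w:r>'
            '<w:t>Do not go above 90.</w:t></w:r></w:p></w:comment></w:comments>' % w,
        "word/document.xml": '<w:document %s><w:body><w:p><w:r><w:t>We offer </w:t></w:r>'
            '<w:del w:id="1" w:author="P. Partner"><w:r><w:delText>up to $90,000</w:delText></w:r>'
            '</w:del></w:p></w:body></w:document>' % w,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

Calling `audit_docx(build_sample())` returns the author names, the client's comment and the deleted figure; an empty report is what you want to see before a file leaves the office.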

Noted science fiction author Arthur C. Clarke propounded Clarke's Laws, the third of which holds: "Any sufficiently advanced technology is indistinguishable from magic." Certainly we've all noted new technologies that appear magical the first time we've seen them. Having a bar regulator decree an ethical rule concerning a technology they have just heard of or know little about is problematic. At that stage, it looks like magic and smacks of unfair advantage. Whether a new technology like e-mail or metadata analysis tools should be classified as black magic or white magic is an important decision with far-reaching implications. My position has always been that a tool is a tool. Whether a tool is used for good or evil is the responsibility of the one who uses the tool.

Update: A couple of other blogs noted this post. Thanks. Dan Hull reminded me of one resource I intended to include but omitted, Mining the Value from Metadata by Dennis Kennedy, Tom Mighell and Evan Schaeffer (who had another recent post on the topic). I also would like to update with references to two recently published articles on law.com: Craig Ball's article, Make Friends with Metadata, and Metadata: Uncertain and Unseen by Tom Nunn, with references to the recent proposed changes in the Federal Rules of Civil Procedure that touch on metadata.

Teaching Staff about Confidentiality

Preserving client confidences is an important part of a lawyer's professional life. Hopefully we all instruct our staff frequently about the importance of maintaining confidentiality. Documenting instructions about confidentiality can have at least two benefits: 1) More formality serves to impress staff even more with the significance of the discussion and 2) Documentation can aid the firm should a third party ever question the training process.

As a first step toward that goal, attached is a downloadable sample confidentiality agreement to be executed by all nonlawyer staff. You may also want a version for outside contractors such as computer consultants or couriers. There's no magic language here. Download this file, copy the text, paste it into your word processor and customize it as you wish. If you find something missing, e-mail me your suggestions. Several Oklahoma lawyers have contributed to this document.

Download CONFIDENTIALITY AGREEMENT.pdf (21.4K)