David Hricik, associate professor at the Mercer University School of Law, had just finished his speech at a legal conference when an attendee approached him, eager to share an anecdote.
The attendee told Hricik, an expert on legal technology, about a negotiation with a large software manufacturer. The software company sent him a contract that its counsel had drafted in Microsoft Word. With a click of the mouse, the attendee and his team revealed a goldmine of secrets hidden within that contract that completely compromised the software company’s negotiation strategy.
“The changes revealed the comments from the software company’s business people to their attorneys about what they could and couldn’t accept as a deal,” Hricik says. “So the opposing counsel sat there, knowing the company’s entire bargaining position.”
This is an example of how ignorance of metadata can create embarrassing and costly mistakes. The lesson to be learned is that what general counsel don’t know, or can’t see, can hurt them.
“The scale of potential exposure is utterly epic, and yet it is one of the most significant risks that is the least understood by the people who are responsible for it,” says Ross Kodner, president, founder and GC of MicroLaw, a Milwaukee-based legal technology consultancy. “Few general counsel have any idea about it.”
Despite the fact that metadata has existed for decades and is discussed ad nauseam at tech conferences everywhere, in-house counsel are universally unfamiliar with it. In fact, nearly 80 percent of U.S. companies don’t know what the term “metadata” means, according to a 2005 Vanson Bourne/Workshare study.
“People are really starting to treat metadata as some new, bad-by-definition thing that’s never existed before,” says Dennis Kennedy, a St. Louis-based legal technology consultant. “But even paper has metadata associated with it. When I look at a piece of paper, I can tell what type of paper it is, whether there’s a watermark or whether someone used a typewriter.”
As Kennedy points out, metadata, at its simplest, is data about data. This data can be associated with any electronic document, but is most prevalent and accessible through Microsoft Office documents. The umbrella of metadata includes such information as the name of the author of the document, the names of previous document authors, the name of the company, the computer’s network name, the time spent editing a document and the date the author created the document. This information is hidden but accessible. Though many believe metadata is universally negative, records and document management systems rely on this information for archiving and retrieving information.
Metadata also includes hidden information that users can embed into a document such as comments and revisions. When Word, Excel or PowerPoint documents are attached to outgoing e-mails and sent to opposing counsel, a mouse click can reveal hidden information that the author thought was confidential. In addition, if a company’s PR department forgets to scrub metadata from outgoing materials, such as press releases, the company could reveal damaging or confidential information.
“It would be impossible to overstate how disastrous the disclosure of this
information could be,” Kodner says. “This would apply certainly to any document flowing through the general counsel’s offices, but it would really apply to any document that flows through the corporation.”
One recent example illustrates that in-house counsel must educate themselves and their employees about the dangers of unchecked metadata.
In March, Google posted a presentation document on its investor relations Web site. However, someone forgot to scrub the document of metadata. Hidden within the document were comments detailing projections that the company’s advertising business is expected to grow by nearly 60 percent in 2006. Along with the financial information, the document exposed key proprietary information about potential plans to offer infinite online storage to consumers in a yet-to-be released product called GDrive.
“There is so much risk throughout a company,” Kodner says. “There’s HR information that could be subject to HIPAA protection, or it could be corporate trade secrets or information subject to an SEC quiet period that someone accidentally discloses.”
Google suffered a huge fallout from its PR gaffe, which caused the company’s market capitalization to plunge by several billion dollars. But there is more at risk than money.
Accidental disclosure of attorney-client communications through unscrubbed documents could constitute waiver of attorney-client privilege, and at the very least, compromise counsel’s negotiation strategy. Although no court has set precedent on the topic, experts speculate the accidental release of privileged information through metadata could constitute a waiver.
“If outside counsel and in-house counsel have been tracking changes and making revisions to a document and nobody cleanses the metadata out and sends a copy to opposing counsel, I think it’s fair game,” says Denise Howell, counsel at Reed Smith in Los Angeles.
In-house counsel need to educate their employees about the potential exposures metadata creates. One method is to direct employees to Microsoft’s Web site, which offers steps on how users can eliminate comments and revisions prior to sending out a document. In-house counsel also should conduct conversations with outside counsel to make certain that all parties know when and how to scrub metadata.
Those looking for a fail-safe method of ensuring metadata remains hidden may want to look toward a technology solution. For instance, San Francisco-based Workshare, a provider of information security technology, offers a suite of products called Protect Enterprise Suite–a package that helps organizations protect themselves from information leaks.
“The solution follows what we call the ABCs of content security,” says Ken Rutsky, executive vice president of worldwide marketing at Workshare. “It alerts users before they send a document out to scrub it, it blocks metadata when it needs to, and it cures documents of sensitive data according to company policy.”
Workshare currently services 62 percent of the Fortune 1000, and its product starts at about $29 per user annually before volume discounts. Other vendors that provide similar solutions include Esquire Innovations’ iScrub, BEC Legal Systems’ Metadata Scrubber and Payne Consulting Group’s Metadata Assistant.
Whatever solutions in-house counsel decide to employ, the key is to be aware of metadata, understand the risks it creates and know how to avoid liabilities.
“From one GC to another, this is a time bomb waiting to explode in somebody’s case,” Kodner says. “And the last thing you as in-house counsel want is to be the poster child for what not to do.”