Metadata is becoming an ever-present threat to today’s legal and business interactions. While the concept sounds daunting, it’s important to understand what metadata is, how it can be used against employers, and how to limit the associated risks.
Audio Conference: Practical ESI Management for HR: Rules for Controlling Electronically Stored Information
Out with the antiquus, in with the novus
Lawyers use such weird terms these days. It seems like only yesterday when attorneys would meet and offer such straightforward sentiments as: “Our judge just ruled, sua sponte, that the evidence establishes only de minimis violations.” Then they would pat each other on the back and say: “Res ipsa loquitur.” That always got a good laugh.
Not anymore. Now our clients want us to say everything in plain English. But even plain English is getting complicated. Our information society is infused with weird new words like “gigabyte” and acronyms like “ROTFLMAO.” Luckily, unless you work in IT or you have a kid with a MySpace page, you can pretty much ignore that techno-babble — just like you (hopefully) ignored our legal jabber.
Unfortunately, now more than ever, employees’ attorneys are well versed in this techno-lexicon. And while many of these terms never surface in court, they become tools in a new arsenal designed to attack employers. For that reason, we caution businesses to put a techno-concept on their radar: metadata.
Audio Conference: What to Save, What to Shred: What New Laws Say About Handling Personnel Files
Metawhat?
While many employers have probably heard the term floating around, it’s important to understand what it really means and how it can be used against you. Metadata, put simply, is data about data. Put another way, it’s data embedded in a file that contains information about the file. If you’ve ever used “Track Changes” in Microsoft Word or looked at a file’s properties in either Windows Explorer or OS X’s Finder, you’ve already seen an obvious example of how metadata works.
Usually, metadata is innocuous and helpful, such as when you want a coworker to see the changes you made to her document or if you want to see the date a document was created to understand if you’re dealing with the most recent version. In those instances, the program’s automatic tracking functions improve our workflow.
But other times — like when you’re in the heat of negotiation — that information can be unnecessarily revealing. For example, if you just sent a Word document to a party with whom you’re negotiating a purchase and forgot to turn off “Track Changes,” you may have just clued your adversary in to your thought processes. So when the adversary calls you with a counteroffer that just happens to match a price you thought you deleted from the document, you’ll understand where he got it.
Additionally, metadata often will reveal information such as the name of the computer on which the document was created, the document’s author, the dates it was created and modified, and the identities of those who accessed and printed the document. While often innocuous, that information can communicate volumes to a business or legal adversary. In the legal arena, clients may inadvertently waive attorney-client privilege by sending an adversary metadata revealing comments left by their counsel.
As you can see, while metadata sounds like it should remain your IT person’s problem, it allows every e-mail-wielding employee to expose a business to liability.
Audio Conference: E-Discovery & Document Retention: What Employers Need to Know
Metaethics
There are only a few state courts that have weighed in on the issue. Two, Florida and New York, decided that looking at metadata was improper (Florida likened viewing it to “rifling through someone’s briefcase”), while a third, Maryland, found that reviewing metadata wasn’t an ethics violation.
Despite the ethical uncertainty surrounding metadata, there’s no guarantee that an ethical rule would keep another business or attorney from taking advantage of information learned from metadata. Thus, it’s important that employers lower their exposure to the risks of metadata.
State-by-state comparision of 50 laws in 50 states, including personnel files
Metamitigation
Luckily, limiting a company’s exposure is pretty simple. There are two main methods we recommend for limiting the amount of metadata available to other parties.
First, an employer can convert its documents to a PDF (portable document file) before giving it to anyone outside your organization. The converted PDF will still contain some metadata, such as the date the document was created, but it shouldn’t have any of the other document data (such as “Track Changes” and “Comments”) that programs often include. Also, there are two types of PDFs: image PDFs and text PDFs. If you convert your document to an image PDF, the recipient will be unable to manipulate the text without jumping through hoops.
If a company wants to “clean” its documents even further before sending them out, it may purchase software applications built for the job. This is where you’ll want your IT person’s input. The best software will automatically scrub every document attached to a piece of e-mail before it leaves your employees’ computers. There are a number of applications that will do the job, and a quick Google search should point you in the right direction.
Of course, a third option is to go back to putting everything on paper. But if you’ve read The Da Vinci Code or seen National Treasure, you’ll know that even paper can be deceiving.
Audio Conference: Cut the HR Clutter: How to Comply with Personnel Record Retention Laws