Document Metadata and Legal Malpractice: The Cases You Need to Know
Bar associations have issued ethics opinions on metadata. Courts have used it as evidence. Here are the cases and rules every attorney should know.
The ethics landscape
The legal profession has a metadata problem, and the organized bar knows it. Multiple bar associations have issued formal ethics opinions addressing an attorney's duty to handle document metadata — both the duty to remove metadata from outgoing documents and the ethical boundaries around mining metadata from received documents.
This is not a hypothetical concern. Metadata in legal documents has exposed privileged communications, revealed negotiation strategies, identified confidential clients, and resulted in disciplinary proceedings.
ABA Formal Opinion 06-442
The American Bar Association's Standing Committee on Ethics and Professional Responsibility addressed metadata directly in Formal Opinion 06-442 (2006). The opinion concluded that:
-
Sending attorneys have a duty under Model Rule 1.6 (Confidentiality) to take reasonable steps to prevent the inadvertent disclosure of confidential information in document metadata.
-
Receiving attorneys are subject to Model Rule 4.4(b), which requires a lawyer who receives a document relating to the representation of the lawyer's client and who knows or reasonably should know that the document was inadvertently sent to promptly notify the sender.
The ABA opinion stopped short of prohibiting receiving attorneys from reviewing metadata, instead leaving that question to individual state bars. This created a patchwork of rules across jurisdictions.
State bar opinions: the split
States that prohibit metadata mining
New York State Bar Association Opinion 749 (2001): One of the earliest opinions, concluding that a lawyer may not use technology to surreptitiously obtain metadata from documents sent by opposing counsel. The New York opinion treats metadata mining as analogous to reading a fax cover sheet addressed to someone else.
Florida Bar Ethics Opinion 06-2 (2006): Attorneys who receive electronic documents should not try to discover metadata embedded in those documents.
Alabama Ethics Opinion 2007-02: An attorney may not mine metadata in documents received from opposing counsel when the attorney knows or should know the metadata was not intended to be shared.
States that permit metadata review
Maryland Bar Ethics Opinion 2007-09: The receiving attorney has no ethical obligation to refrain from reviewing metadata. The obligation falls entirely on the sending attorney.
Pennsylvania Bar Ethics Opinion 2009-100: Similar to Maryland — the burden is on the sender to clean documents, not on the receiver to ignore metadata.
Colorado Bar Ethics Opinion 119 (2008): Permits metadata review, reasoning that widely available metadata extraction tools mean attorneys should expect that metadata will be reviewed.
This jurisdictional split means that attorneys practicing across state lines face conflicting obligations. The safest approach — and the one most ethics scholars recommend — is to clean outgoing documents and assume incoming documents may be mined.
Cases where metadata caused harm
McDermott Will & Emery: tracked changes in settlement documents
In a widely discussed incident, the law firm McDermott Will & Emery shared settlement documents that contained tracked changes revealing the firm's internal negotiation strategy. The tracked changes showed what terms the firm was prepared to concede and what positions were considered non-negotiable. Opposing counsel extracted this information, gaining a significant advantage in negotiations.
The case became a cautionary example cited in multiple CLE presentations and bar publications. It demonstrated that even sophisticated firms with dedicated IT departments can fail to clean documents before sharing.
Manafort indictment: metadata identifies collaborators
In the 2018 indictment of Paul Manafort, prosecutors used document metadata to establish that Manafort had collaborated with a lobbying firm on documents that Manafort claimed to have no involvement with. The "Author" and "Last Modified By" fields in Word documents directly contradicted Manafort's representations, providing evidence that he had edited documents he denied creating.
British Ministry of Defence: redaction failures
In 2005, the British Ministry of Defence published a document about the Iraq War in Microsoft Word format. The document contained tracked changes that, when revealed, showed how the document had been edited to strengthen the case for military action. The deleted text revealed the original, more cautious language — creating a significant political controversy.
Model Rule 1.1: competence includes technology
ABA Model Rule 1.1 requires attorneys to provide competent representation, which includes "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation." In 2012, the ABA amended Comment 8 to Rule 1.1 to explicitly state that competence includes keeping abreast of "the benefits and risks associated with relevant technology."
This amendment means that technological competence — including understanding document metadata — is no longer optional for practicing attorneys. An attorney who sends a document containing privileged metadata is not merely careless; they may be incompetent under the rules.
Multiple state bars have adopted this amendment, making it binding in their jurisdictions. A disciplinary complaint based on metadata leakage can now cite Rule 1.1 in addition to Rule 1.6.
Model Rule 1.6: confidentiality extends to metadata
Model Rule 1.6 requires attorneys to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
Metadata fields in legal documents — author names identifying which attorney worked on a matter, tracked changes revealing legal strategy, template paths showing which other clients use the same document templates — all constitute "information relating to the representation" under Rule 1.6.
The standard is "reasonable efforts," not perfection. But in 2024, given the widespread availability of metadata scanning and removal tools, doing nothing is difficult to characterize as reasonable.
What firms should be doing
1. Firm-wide metadata policy
Every law firm should have a written policy on document metadata that covers:
- What metadata must be removed before external sharing
- Who is responsible for metadata removal (individual attorneys, paralegals, IT)
- What tools are approved for metadata scanning and removal
- How to handle metadata received in incoming documents
2. Training
Annual CLE training should include practical metadata awareness. Attorneys should know how to check a document's properties, understand what tracked changes look like in the XML, and know what tools the firm provides for cleanup.
3. Automated scanning
Relying on individual attorneys to remember to clean metadata is a control that fails under pressure — exactly when the stakes are highest. Firm-wide automated scanning, either as an email gateway filter or as a required step in the document management system, provides consistent protection.
4. Template hygiene
Firm document templates should be cleaned of metadata before being added to the template library. A template that carries the name of the attorney who created it will propagate that name to every document generated from it.
5. Verify, do not assume
The Document Inspector in Microsoft Word can miss metadata fields. A comprehensive scan at the structural level — reading the document's XML and binary content — catches what built-in tools miss. Verification by re-scanning the cleaned output confirms that removal was successful.
Purgit scans legal documents for metadata that could expose privileged information — author names, tracked changes, template paths, timestamps. It removes findings and verifies removal with a re-scan.
[Scan a File Free]