Protect Yourself And Your Clients – Best Practices For Securing Documents - ABA YLD 101 Practice Series

By Sharon Nelson, John Simek and Michael Maschke

How many attachments do you send a week? The days of transmitting documents using antiquated fax machines are gone, replaced by newer, easier and quicker methods for sending information, such as directly transmitting Word or PDF documents or scanning documents to e-mail and forwarding them on to the recipient. Often forgotten with the "attach and send" mentality is one very important question: do you know what information you are about to send? No, we are not talking about the documents themselves, but rather the hidden data that is contained within them, the metadata.

Metadata is data about data (the most unhelpful yet true definition we've seen): hidden information contained within the document that reveals such items as the author, document title, application name and version used to create the document, creation date, date last printed and saved, total amount of time spent editing the document, Track Changes and more. The metadata contained within a document will vary depending on the type of document and the software and version used to create it. As an attorney, you need to be aware of the potential risks this might pose for you, your client and your firm.
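To make the list above concrete, here is an added example (not from the article or from any scrubbing product) that audits a Word .docx file before it is sent and reports the hidden properties and tracked changes it still carries. It assumes the Office Open XML layout (a ZIP of XML parts); `audit_docx` and `build_sample` are hypothetical names, and the sample document is constructed with made-up values.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

DOC, PROPS = "word/document.xml", {"docProps/core.xml", "docProps/app.xml"}
# Property element name (namespace stripped) -> label used in the report
FIELDS = {
    "creator": "author", "lastModifiedBy": "last saved by", "title": "title",
    "created": "created", "modified": "last saved", "lastPrinted": "last printed",
    "Application": "application", "AppVersion": "app version",
    "TotalTime": "editing minutes",
}

def audit_docx(data: bytes) -> dict:
    """List the hidden properties and tracked changes found in a .docx file."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in sorted(names & PROPS):
            for el in ET.fromstring(z.read(part)).iter():
                label = FIELDS.get(el.tag.rsplit("}", 1)[-1])
                if label and (el.text or "").strip():
                    report[label] = el.text.strip()
        body = z.read(DOC).decode("utf-8", "replace") if DOC in names else ""
        # Word wraps Track Changes edits in <w:ins>/<w:del> (usual "w:" prefix)
        report["tracked insertions"] = len(re.findall(r"<w:ins[\s>]", body))
        report["tracked deletions"] = len(re.findall(r"<w:del[\s>]", body))
        report["has comments"] = "word/comments.xml" in names
    return report

def build_sample() -> bytes:
    """Constructed sample: a minimal .docx-style ZIP with made-up values."""
    ns = "http://schemas.openxmlformats.org"
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{ns}/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>A. Associate</dc:creator><cp:lastModifiedBy>P. Partner'
            '</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml": f'<Properties xmlns="{ns}/officeDocument/2006/extended-'
            'properties"><TotalTime>95</TotalTime></Properties>',
        DOC: f'<w:document xmlns:w="{ns}/wordprocessingml/2006/main"><w:body><w:p>'
            '<w:del w:id="1" w:author="P. Partner"><w:r><w:delText>old terms'
            '</w:delText></w:r></w:del><w:ins w:id="2" w:author="P. Partner"><w:r>'
            '<w:t>new terms</w:t></w:r></w:ins></w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

To check a real file, pass its bytes to `audit_docx`; any author names, editing time or non-zero tracked-change counts in the result are what the recipient would also be able to read.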

There are a few simple actions that can be taken to secure your documents before you send them. The easiest and most convenient method is to purchase and use metadata scrubbing software. Metadata removal software, such as Metadata Assistant, will remove metadata from a number of document types. This software integrates with the Microsoft Office suite, including Outlook, and will prompt a user to remove the metadata of any compatible attachment before sending. Attorneys love the fact that it's an automated process complete with an "idiot box" that asks if you're sure you want to send an attachment without cleaning it. It just can't get any easier than that and it saves the scalps of busy attorneys who are apt to be a bit harried and therefore click-happy. A single license of this software costs $80 and can be purchased directly from the web site. It's a great tool that we strongly recommend attorneys use.

Regardless of the risks, there are still attorneys who balk at the idea of having to purchase software to remove metadata. It's widely believed that converting Microsoft Office documents to PDFs removes all of the metadata. Not so. What is true is that MOST of the metadata will be gone, and what is left tends to be innocuous. Hence, PDFing is regarded as the poor man's metadata scrubber. However, it is not a complete solution, and for the modest cost of purchasing a true metadata scrubber, it just isn't worth the risk.

Aside from metadata, there are other risks that inherently exist when transmitting an attachment to a recipient. Primarily, once a document is transmitted, the user no longer maintains control of what happens to it. The document, if left unprotected, may be subject to manipulation and alteration. Happily, we have another simple solution to prevent this from happening.

Both Microsoft Office and Adobe Acrobat allow a user to apply security settings and parameters to their documents. In Microsoft Office, when saving a file, within the "Security Options" menu box, a user can set and require a password to open and/or modify the file. Adobe Acrobat has a few more options that can be set when it comes to securing a PDF file, such as requiring a password to open and modify the file, restricting both printing and edits, and determining whether or not any of the text, images or content may be copied. All of the document security options in Adobe Acrobat can be found in the "Security" option located within the "Document" heading present in the main tool bar. It's prudent to get into a habit of securing documents with the necessary settings before sending them. This is definitely a scenario where an ounce of prevention is worth a pound of cure.

By using a combination of metadata scrubbing software and enabling document security restrictions, users can limit their risks when sending documents. Some users will argue that, regardless of the restrictions placed on a document, nothing can be done to truly stop someone from bypassing the security. Frankly, that's true. We do it all the time, if only for the purpose of educating lawyers. But not many people have that kind of knowledge - and ethical commandments don't require that you go to the ends of the earth to secure your data. However, they do require that you do whatever a prudent lawyer would do to keep your client's data confidential. In a complicated technological world, that bar gets higher every day.

About the Author

The authors are the President, Vice President and Director of Computer Forensics of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, VA. 703-359-0700 (phone) They are the authors of The 2009 Solo and Small Firm Legal Technology Guide (ABA, 2009).