Metadata And The Challenges It Raises
Metadata is too often defined today by referring to the origins and history of the component parts of the term. You often see metadata referred to as "data about data," a linguistically accurate and descriptive formulation, but not an especially useful or illuminating one. For our purposes, metadata should be thought of as information associated with and made part of an electronic document that is not visible in the normal viewing or printing of that document. In that sense, "hidden data" might one day replace "metadata" as a more useful term. Metadata can include descriptive, historical, technical or other information and is often generated automatically. It can also include hidden information manually added by users of the document. Classic examples of metadata are the information contained in "document properties" of Microsoft Word documents and comments or tracked changes in Word documents.
Metadata is neither inherently good nor bad. Depending on its context, it can be quite useful. Outside the legal environment, adding and using metadata is a highly valued method of making information more usable and findable. Metadata can also be quite useful in helping you organize, identify, and review your electronic documents. Metadata is not a new topic. It has been with us for a long time. Interestingly, the concept of metadata is not confined to electronic documents.
In fact, paper documents have their own analogous forms of metadata that are not immediately visible to readers. Consider "metadata" like paper size, whether a paper was printed, typed or copied, paper type, and other information, or written comments (ink, pencil or typed) or highlighting (color, ink type). Thinking about "paper metadata" will help you think more clearly about electronic metadata.
Metadata, and electronic documents, might contain three categories of metadata. In many cases, elements from all three categories will be found.
1. System Metadata
System metadata is data automatically added by your computer system that relates to the operation of the system and the handling of files. Examples of system metadata include file creation date and time stamps, file location, author or user identification and other information generally useful for system administration purposes. While this metadata is not the type that regularly draws headlines, it might be very useful when certain types of fact issues arise. For example, if the date when a document was created is a key fact issue in a case, a "date created" time stamp might be dispositive on the issue. A user name might resolve a dispute over who created a document.
2. Application Metadata
Application metadata is like system metadata in that it is automatically created and associated with your document. The difference is that application metadata directly relates to the application that creates or uses the document. Using Microsoft Word as an example, you can check the properties of a document (the Properties choice under the File menu) and find data relating to word and character counts, document statistics, total editing time, and the like. You might find more than one hundred metadata items automatically generated and incorporated into your Word document.
3. Document (or User-Added) Metadata
Document metadata describes hidden or embedded data that is manually added to a document. Comments, highlighting and track changes markup are good examples of this category. When people talk about the dangers of metadata or metadata containing "smoking guns," they generally are referring to document metadata. Cases like the SCO filing that showed a petition was originally going to be filed against another company have appeared regularly over the years.
Metadata adds a large amount of new information to documents when compared to paper documents. In that context, a printout of a document (or a scan of a printout) simply does not give the full picture of all that is contained in a document. Although much metadata is innocuous and will have little or no value in discovery, the fact that it can be automatically generated or included in a document without anyone's knowledge presents problems for everyone involved in handling and managing documents in electronic discovery.
Laying The Groundwork For Managing Metadata
The new FRCP amendments move metadata from the frontier of e-Discovery to the mainstream, with possible involvement in every case. They also put organizations and their legal teams at a crossroads. They simply cannot rely on the methods that worked for paper discovery. They must make choices about what directions to take as they move forward. Metadata risk should be managed well before opposing parties request it in discovery. In order to manage metadata risk, companies must prepare and implement policies, practices and tools that minimize their risk profile and improve their discovery readiness.
Setting up policies in advance offers organizations several benefits. First, remember that metadata is not always a bad thing. Metadata can help you find information, categorize data, and identify ESI as part of your discovery preparation. In the same way as organizations have found that "document deletion" procedures eliminate both "good" and "bad" documents, it is clear that an emphasis on metadata management, not just metadata deletion or scrubbing, can have positive benefits in helping you with the discovery process. Second, just as policy-based email and document retention can provide protection in the event emails or documents are deleted in accordance with the policy, reasonable metadata management policies and procedures will allow you to defend your reasonable procedures rather than leave you in the weak position of trying to explain ad hoc, suspicion-inducing metadata deletion efforts. Developing routine, good faith, business-justified metadata policies will also provide a basis for application of the Rule 37(f) safe harbor protections.
There are three key areas to consider as you prepare to make decisions about the directions you will take in handling metadata.
1. Understanding And Training
Dealing with metadata in e-Discovery starts with obtaining a solid, practical understanding of the nature and scope of the potential issues and problems created by your use of metadata. The stories and cases that have already appeared (and the ones that are likely to come) will sound the wake-up call on the extent of the potential problems. These are not headlines in which any organization wants to see its name featured.
Many lawyers have only a limited understanding of what metadata is, where it exists, and how it should be handled. Businesses also have only a limited understanding of the issues, and their employees often have little or no understanding over what metadata is being created, what control they do or do not have over this metadata, and what they need to do to deal with, manage, or remove metadata that has been created. This state of affairs all but guarantees that there will be insufficient knowledge to take appropriate actions on how metadata should be handled in advance of litigation or produced as part of a litigation. Education and training will play a key role in any serious metadata management efforts.
2. Identification and Awareness
After establishing a solid base of knowledge, you must identify the metadata that exists, where it is located, and how it is created. You must have a working knowledge of what is happening in your own systems and documents. With this knowledge, you can assess the issues you face in your documents, both those that may already be subject to production and those that might one day become subject to production. Remember that not all metadata will be dangerous or potential "smoking guns." Some can be quite valuable to your business or your clients. Becoming fully aware of what your metadata landscape looks like is a necessary step in getting prepared to deal with metadata inside and outside the e-Discovery process and complying with the new rules.
3. Usage and Strategies
How will you use metadata and what strategies will you choose? Lawyers tend to focus on the "offensive" use of metadata. How might they find a "smoking gun"? While there are good incentives to look at the other side's metadata, organizations are better-served by focusing on the "defensive" use of metadata and ways to protect their own documents.
What can you do to control, reduce or eliminate the amount and types of metadata created? Can existing metadata be removed from all or selected documents? What options are available to help you manage the disclosure of your metadata? What will judges be willing to accept as ways to avoid disclosure of metadata?
Once you educate yourself and your employees about metadata and the way it is created and can be used, you can move to take prudent action on the issues raised by metadata. The best approach is to think systematically about metadata and how it is used in organizations and how the needs of the organization and litigation might intersect. You will want to adopt, and the new rules definitely encourage, reasonable policies and procedures for dealing with metadata.
Steps Toward Gaining Control Of Metadata
Control of your metadata issues will come from the adoption of targeted, well-conceived policies and procedures. Unfortunately, in the new world of e-Discovery, not choosing a policy means that you have in fact chosen a default policy that will probably not be the policy you want. A passive approach is a dangerous route to take, especially when you stand at a crossroads knowing that the old ways and directions will not longer work. You will want to implement practices that move you along the steps set out in the preceding section of this article. There is no substitute for hard work and diligence in this process. It will take significant time and money and require a dedicated team effort. The sooner you get started, the better.
1. Education and Training
If you and the people working with you on these issues do not understand the nature of the problem, you will not be able to address your metadata concerns successfully. Fortunately, a good number of articles, seminars and other resources are now available to help you understand how metadata is created and how you can work with it and manage or eliminate it, especially in connection with commonly used programs such as the Microsoft Office suite. Following up on basic Metadata 101 education with ongoing training about your policies and procedures and new developments is a must.
2. Policies
Organizations and their legal teams must begin to create consistent, well-thought-out and reasonable policies for the use and handling of metadata. Successful policies grow out of having the right people ask and concentrate on the right questions. Metadata management requires a team approach, not a purely legal approach. What metadata are you creating and transmitting, and why? What should be happening? Can you change default settings? What are the likely uses of documents with metadata? Should different types of documents be treated differently? Should legal or other business concerns drive the project? What are the legal and business ramifications of the policy choices? As a practical matter, can policies be enforced or implemented? Who will implement them? Who owns and pays for these efforts? These are but a few of the questions that will lead you toward an effective policy.
Your history of litigation and your prospects for future litigation are some of the other factors that will play a part in these decisions. You also want to consider the impact of the new FRCP amendments on your efforts. While the amendments do not enact any specific requirements for the handling of metadata, they certainly place a premium on developing reasonable approaches and policies for the routine handling of metadata. If you have an existing reasonable policy for deleting or otherwise managing metadata, a judge will be more likely to approve your handling of metadata than if you simply begin scrubbing metadata from selected documents in preparation for an individual suit or, worse, after a suit is filed. Whether or not your procedures bring you into Rule 37(f) safe harbor, they should make you prepared for the "meet and confer" requirements and the obligations to address ESI early and often in your cases.
Expect policies that focus on thoughtful, selective handling and deletion of metadata to be better received by courts than "scrub every bit of metadata" approaches. Before the new rules became effective, it probably did make sense to think in terms of "scrubbing" metadata and scouring away all of its traces. A better way to think about metadata policies today is in terms of "document hygiene." In other words, you must determine the ways you can clean documents appropriately, address specific risks and problems with appropriate targeted interventions, and take care that your documents stay healthy for all business purposes.
3. Processes and Procedures
Once you have developed a policy, you will need to develop and put into place the processes and procedures to turn policy into action and cultivate appropriate behaviors. In general, the rules suggest that reasonable and defensible processes and procedures will be looked upon favorably. Because of the complexity and potentially overwhelming burden of dealing with mountains of metadata, it is highly likely that courts will focus on what policies and procedures an organization uses more so than specific actions it takes with individual documents. In other words, in the absence of specific corporate metadata policy, a court is highly likely to order production of documents and data in native file formats with all metadata included. On the other hand, if a company has a reasonable corporate policy that is effectively implemented, a judge is likely to permit the production of documents without metadata as they are maintained in normal processes. This result will be even more likely if metadata is cleaned and managed automatically using rules-based processes, procedures, and tools that reflect clearly-stated and enforced policies driven by reasonable business justifications.
Processes and procedures will involve the selection of appropriate tools. The new rules will push use to a second generation of metadata management tools. In the first generation of metadata tools, "scrubbing" or removal was the goal. Today, a more sophisticated approach that implements policies and reflects the broader scope of document hygiene is called for. Tools that implement policy rules, act automatically, and give flexibility for specific concerns and exceptions will be necessary to implement the processes and procedures that are most appropriate for your document and data environment. Perhaps just as important, they will help reduce the time, burden, and cost of e-Discovery production by helping you achieve consistent, repeatable, and defensible results across all of your litigation matters.
4. Team Approach
None of these metadata decisions should take place in isolation. There are legal, IT, business and other management components of all policies dealing with metadata, and each of the stakeholders must be represented on the team determining and implementing these policies. In some companies, these efforts and costs can be folded into existing records management efforts, but in other businesses, it will be best to set up separate teams. Seeking additional input from outside counsel, consultants and vendors will be essential.
These efforts should not be driven entirely by the considerations and perspectives of lawyers who see metadata as an evil to be eradicated. Metadata can be quite valuable when people collaborate on documents and projects. Therefore, it is unlikely that a policy that deletes all metadata will work in most business settings. On the other hand, sending out documents outside the firewall loaded with metadata will rarely make sense. Dealing with metadata requires a balancing of interests and concerns within your organization, and a nuanced approach that considers business concerns and not just the legal ones.
Considerations When Selecting Metadata Tools
The FRCP amendments are a call to action. Drafting policies alone will not get the job done. When you have settled on policies and developed your processes and procedures, you will need to find the tools to implement your approach and help you comply with the new e-Discovery rules. As part of your education and training process, you will want to understand the types of tools and approaches that are now available. In general, you will want to select tools that make it easy for employees, your legal team, and others to effectively and consistently carry out your policies and to handle metadata and ESI in accordance with the policies. At this point, the use of single-purpose, free metadata scrubbing plug-ins, will no longer suffice for metadata management in the age of ESI and the new FRCP amendments.
In fact, the new e-Discovery rules push you toward more sophisticated tools and a movement from "scrubbing" to the idea of "document hygiene" discussed above. A policy-based approach brings us to a more nuanced word of intelligent preventive management of metadata and away from a word of brute force scrubbing. You want to target and prevent future problems, address existing problems, and establish a routine to maintain a healthy document policy and your organization. This will involve the selection of appropriate tools that allow you to comply with the new rules and the necessary training of personnel to use these tools and to implement and follow your procedures as part of their everyday approach to document creation and management.
Tools that reflect this new approach should offer features that both help you gain control of your metadata and implement your selected policies, and enhance your chances of being eligible for Rule 37(f) safe harbor protections for routine, good faith operation of computer systems:
•
Automation of rules-based policies.
•
Ability to identify documents in a variety of ways and to treat metadata differently depending upon a document's classification automatically.
•
Confirmation that your policies are being implemented and enforced.
In addition, these tools should:
•
Not interfere with or slow down your work and business processes.
•
Work seamlessly and transparently with the software programs used within the organization.
•
Allow you to manage the hidden data in your documents in ways other than simple deletion.
•
Cover as many types of metadata as may exist in your organization.
•
Let you handle metadata both internally and when documents leave the protection of your firewall, treating metadata appropriately in each setting.
•
Provide warnings and reports to assist authors and reviewers of documents in dealing with hidden data issues, especially the types of reporting that will prepare your legal team quickly for the "meet and confer" requirements under the new rules.
•
Be easy to use and usable by employees with minimal training.
Flexibility is also a must, as metadata and the treatment of metadata will continue to evolve and change. For example, with the introduction of Windows Vista and Office 2007, we can expect to see the nature of Office metadata to change, probably in some unexpected ways. Rulings and case law might also require changes in your approach. Selection of the right tools can tame the daunting job of metadata management and e-Discovery preparation and give you an easier, more effective path through the dangers of the new litigation world.
Avoiding The Lurking Dangers At The Crossroads
The new FRCP amendments have brought organizations facing actual and potential litigation matters to a crossroads where business as usual and new directions must be chosen. Ignoring the issues or putting off the day of reckoning raises embarrassing, costly, and potentially disastrous consequences. The new FRCP amendments have removed any questions that anyone might have had about the availability of hidden data or metadata for production during discovery. In fact, the new rules bring hidden data out into the open, revealing the many lurking dangers of metadata in this process. The clear message is to begin planning for metadata issues, not to simply wait and react to them. For most businesses this will require a team-based approach with the development of specific policies created in consultation with legal, IT and other engaged business leaders and stakeholders.
By having solid policy around metadata management and retention you can avoid the inherent risk of "smoking gun" discoveries in metadata while protecting your documents and streamlining the litigation process in ways that will appeal to the judges handling your matters and have you well-prepared for the new FRCP amendments. You must now begin to work on policies and approaches for your metadata and select the correct tools. By doing so, you will not only lower your e-Discovery costs, but you will avoid future e-Discovery disasters that can lead to sanctions and penalties and, worse, lost business, brand reputation and customers. The choice is yours.
For further details please visit www.workshare.com.
Published August 1, 2007.
