If you asked anyone involved in law firm compliance “what are your two highest priority concerns?” It is hard to imagine a response that did not involve cyber risks and/or the impact on supervision and monitoring of policies following the fundamental changes to the way law firms operate since upsurge in hybrid working. 

Managing the constantly evolving risks in a sometimes-uncertain landscape is critical to safeguarding client and practice confidentiality and meeting regulatory requirements.  One such risk that lies largely hidden, comes in the form of the metadata in documents, images, and other file types.

Metadata is data about data, ranging from the author’s name, date, location, edits, and comments of a document. Undeniably useful though it is, it can reveal sensitive information about clients, cases, strategies, and internal processes that could compromise confidentiality, privacy and security. For law firms in the UK, managing metadata properly is more than professional ethics, but also a legal obligation and a business necessity.

The UK General Data Protection Regulation (UKGDPR) and the Data Protection Act 2018 (DPA) are the main legal frameworks that regulate the processing of personal data in the UK. They apply to law firms that collect, store, use or share personal data of their clients and staff, such as names, addresses, email addresses, phone numbers, bank details, health records or biometric data.

It carries potential fines for failure to comply of up to 4% of annual global turnover or £17.5 million (whichever is greater), as well as sanctions from regulators and reputational damage from clients and the public.

The 2023 ‘Risk Management and Professional Indemnity Survey’, published annually by Legal Business Marsh posed the question “What are the top 3 events you consider might significantly impact on your firm’s objectives?”  In the ‘External/Regulatory category, responses from law firms ranked at No.1 “Failure to satisfy new or existing regulatory framework and keep up to date with new requirements”.

Law firms are often targeted by cybercriminals who seek to exploit metadata for fraud, extortion, identity theft or sabotage. Metadata can provide valuable clues or evidence for hackers who want to access confidential information, impersonate legitimate parties, or disrupt legal operations.

Prevention is key to avoid these incidents.  Managing metadata effectively and securely requires a combination of tools, policies, and education. These are my top tips on how to do so:

• Use metadata management tools or software, such as BigHand’s Metadata Assistant.  This solution can help you create, modify and delete metadata from documents in a consistent and efficient way. It can also help you clean metadata from documents before sharing them with third parties. Automatically.  With no option for individuals to skip the cleansing process if that is your preference. Define your own levels of removal to suit the profile of your work.  Batch clean folders of files, convert to secure PDF and enjoy self-service administration.
• For the risk team’s additional peace of mind, this can be combined with BigHand’s Email Recipient Checking for recipient validation, prompting on reply, reply all and forward as well as alerting to sending to external addresses. 
• Where appropriate, utilise BigHand’s Content Redaction for effectively obscuring confidential information from individual documents or batches.
• Education of internal teams on the importance and risks of metadata helps to underpin the policies and tools applied. Understanding what metadata is, how it is created and stored, what it can reveal and how it can be exploited brings the threat to life and supports clear guidelines and training on how to handle metadata properly and securely.
• Develop and enforce policies and procedures on metadata creation, modification, and deletion. Establish rules and standards on what metadata should be included or excluded from documents, how it should be formatted and updated, who should have access to it and how long it should be retained. Review and update these policies and procedures regularly to reflect changes in laws, technologies, and practices.
• Conduct regular audits and reviews of your metadata practices. Check whether your metadata management tools are working properly and securely. Assess whether your policies and procedures are being followed and complied with. Identify any gaps or weaknesses in your metadata practices and take corrective actions.

Metadata is a valuable asset for legal collaboration (where would we be without comments and tracked changes?), research, knowledge management and compliance, but it can also pose significant risks for confidentiality, privacy, and security. Law firms in the UK need to be aware of these risks and take appropriate measures to mitigate them. By managing metadata properly, law firms can protect their clients’ interests, guard against reputational damage, and contribute toward their business’ continued success.