Have you heard about the importance of metadata but you’re not sure what it is or how to address it? Metadata is data about data, and lawyers must keep it confidential according to the ethics rules. In this interview with document privacy expert Chris Cangero, you’ll learn about the information in your documents—that doesn’t appear on the page—and discover where it fits in your privacy and security analysis.
What is your role and how is it related to privacy law?
I am the Chief Executive Officer of both Evolution Software, LLC in New York, and DocStyle LLC in Miami. We design and distribute technology products to the legal community, one of which focuses on protecting electronic files from unwanted disclosure of hidden data. We created PuR MetaData in 2012 to make professionals aware of hidden information and identify it with granularity; we also allow the user to remove the hidden information for privacy or security purposes before the information leaves the user’s environment. PuR MetaData integrates with Outlook where it analyzes and cleans hidden information from Word, Excel, PowerPoint, and PDF attachments.
What’s the difference between privacy and data security?
Privacy is information or stored data relating to an individual, a group of individuals, or an organization. It can include who you are, where you live, where you work, your family members, healthcare information, and your personal or professional contact information.
Data security is about the protection of that information, including the systems, policies, and procedures put in place to ensure it does not fall into the wrong hands. This doesn’t just end with protecting private data you control. It includes taking responsibility for all data, either at rest or in transit; protecting data from unauthorized access; defending against cyber threats; and knowing how to recover from a breach or even a natural disaster. Data security is about taking responsibility for the information you’re entrusted with.
What surprising types of information qualify as confidential information or electronically stored information?
We all understand personal information to be data about ourselves, such as a person’s name, email address, geographic location, etc. Basically, information directly related to who we are. This is just the tip of the iceberg. Confidential information also includes data about behavioral patterns, all of which is considered information about information commonly called metadata.
With software applications we use or the websites we visit, often the only choice a privacy-conscious individual has is whether to participate or not. Metadata can be found everywhere, including within electronic files like Word or PDF documents. We created PuR MetaData to focus on identifying metadata within electronic files and allowing individuals to act before sharing inadvertently.
People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
This is a great question because most people don’t know that there’s a lot of metadata contained within electronic files. When we do think of metadata, we think of document properties like author, title, and subject. Metadata has useful purposes, and it is often used by other software solutions to organize and reference the information within.
The downside to metadata is that inadvertently sharing it without considering your audience can lead to unforeseen disclosure of confidential information. Let’s say you’re creating a Word document, and you want to hide information. Text or objects can be formatted so they are invisible to the naked eye, yet still present within the document. Not even knowing it’s there can come back to haunt you.
Why is it important for legal professionals to care about metadata in their documents?
Metadata gives us the ability to create information about other information. Documents or electronic files contain metadata that can improve the accuracy of search, aid in collaborative efforts, and even relate documents for more advanced needs. To determine when metadata is important or perilous, professionals should gain a basic understanding of it. Only then can someone determine whether any circumstance (or document) warrants removing or retaining the metadata inside. It’s particularly important to understand what metadata might be hiding in a document. When you work with confidential information—like legal professionals do—metadata can matter.
Why did you create PuR MetaData? Why is it important to offer metadata cleaning from within Outlook?
By its very nature metadata is hard to find; it’s often hidden in file properties or the content within. We realize the problem is twofold; the average user does not understand metadata well, and even if they did, most do not know where to look. We created PuR MetaData so professionals could first identify the metadata within their files, and then decide how to act. Microsoft Outlook is more than just a simple email client; it allows us to intercept mail messages and their attachments before they leave through your environment's most commonly used gateway. This provided us with the perfect opportunity to design a metadata removal platform as a seamless complement to security and compliance policies.
What are some red flags in privacy policies of consumer apps?
The most obvious red flag is when a privacy or a data retention policy references “other data.” For example, a website may say: “We gather information about the devices you use to access our site, including IP addresses, geographic location data, browser type, operating system, and other data." The fact that "other data" is not described is disturbing because it basically says that they can collect whatever else they want.
Two other red flags, for me, include vague or defensive statements that allow a company to release your information to any undisclosed third party without any further responsibility to you; and the ability to use information collected about you for an unlimited period for any purpose.
Do you see legaltech vendors missing any important privacy trends or changes? What new privacy rights and obligations should legaltech vendors know?
As legaltech vendors, we must consider how the solutions we provide and the businesses we run impact our clients. I’m disheartened to see technology companies (including legaltech vendors) embracing expansive data collection without considering whether they should. It’s a mistake. Legaltech vendors should do better than that. We have an obligation to protect our law firm customers and respect our ethical responsibilities. We must keep up with changes to privacy laws and technology regulations, and we must also keep up with ethics and confidentiality changes in the legal profession. What matters to our customers must matter to us.
When you’re searching for new software, what’s the most important privacy-related question to ask vendors?
There’s no one specific question I would mention that stands out above the rest; they are all important and relevant. It all comes down to what information they’re collecting and how they’re protecting it.
You’ll want to know what information specifically vendors are collecting, how that information is shared, and with whom. You also want to discuss the company’s policy around data retention and data protection. There is no guarantee against a data breach, so you should question what happens if one occurs. How prepared is the organization for a breach, and what policies are in place to ensure efficient handling and recovery of compromised data? Are there redundancies in place to ensure operational continuity if a catastrophe occurs?
What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?
For what purpose is data being collected, how is it secured, and for how long is it retained? You must be particularly careful with information that could promote identity theft such as name, address, social security number, etc.
What resources do you recommend for laypeople wanting to learn more about privacy?
You can start with the ACLU’s Privacy and Technology page. As an advocate for civil liberties, the ACLU outlines the challenges before us well.
I also recommend learning about the General Data Protection Regulation (GDPR), a law on data protection and privacy in the European Union. Although the California Consumer Privacy Act incorporates some of the same concepts, it was not modeled after GDPR, so it will give you another perspective. Both laws are major steps forward regarding privacy protections for consumers, and they are worth understanding. If you’ve never heard of GDPR before, a good place to start is a book called GDPR For Dummies by Suzanne Dibble. Don’t be deceived by the name—it’s informative.
About Chris Cangero
Chris Cangero is the Chief Executive Officer of both Evolution Software, LLC and DocStyle LLC, which provides document automation and styling solutions. He is a productivity expert and a Microsoft Office efficiency designer. Before developing software, he served as a technology solution provider and system architecture expert, designing Electronic Content Management systems for the Legal Community. What started as a passion for technology quickly turned into a life’s work laser focused on delivering practical solutions to the legal industry. Connect with Chris on Twitter at @ChrisCangero.
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.