
By Dr Tristan Jenkinson
Introduction
All eDiscovery project managers have been there – a last minute request comes in over email for additional documents to be included in production, with the additional documents attached. Unfortunately, this does not seem to be a particularly uncommon occurrence.
Sending documents which are expected to be disclosed to an eDiscovery vendor over email has some potentially significant risks. While sending files over email is commonplace and may seem an obvious way to send files, corporate and legal clients should carefully consider those risks before sending documents for disclosure over email.
This is a topic that has come up in conversation a few times over the last few months. I thought that it might be helpful to put together a quick blog article summarising some of the potential risks that can be involved.
Metadata Scrubbing
Many lawyers have systems set up by IT which apply metadata scrubbing to outgoing files. Essentially this is to protect themselves and their clients from inadvertently disclosing information in metadata. There are a number of programs that exist which are focussed on this market, for example Litera Metadact (https://www.litera.com/store/metadact).
If lawyers have such a system in place, and then send documents for disclosure to their eDiscovery vendor, they could be removing metadata from the files to be disclosed. This could arguably be seen as a breach of the Civil Procedure Rules in the courts of England and Wales. Paragraph 2.6 of Practice Direction 57AD (which handles disclosure in the Business and Property Courts) states that the definition of a document “extends to metadata, and other embedded data which is not typically visible on screen or a printout” – meaning that the metadata is viewed to be part of the document itself. In addition, on disclosure, documents are to be provided “in a manner which preserves metadata” (PD57AD paragraph 13.1 (1)). If that metadata had not been preserved, then it would not be possible to meet this criterion.
When parties are reviewing documents and they find that particular information is not available, this can raise concerns, especially if this relates to dates on documents of particular relevance. This can then result in suspicion of deliberate manipulation of the files, or even potentially spoliation.
Such claims are something that I have seen several times – having subsequently been asked to analyse such files to see if it is possible to pull other metadata, or identify how or when metadata was lost. Such allegations give opposing counsel the opportunity to raise questions over not just the specific document, but potentially over all the data that has been collected and reviewed as part of disclosure.
I have written about an example of this before, in my eDiscovery Horror Stories compilation for 2023 (https://ediscoverychannel.com/2023/10/31/ediscovery-horror-stories-2023/) under “The Case of the Mangled Metadata”.
Metadata Generation
It is not just the loss of metadata that can be a concern. In some situations sending files via email can result in sender and/or recipient information being stored within the sent files. This is most typical when email files (such as .msg files) are sent as email attachments. This can cause significant issues. For example, the name of an individual working at an eDiscovery vendor could be listed as having created or modified a file which is provided in disclosure. Perhaps worse, the file could potentially list the name of an individual working at the law firm as having created or modified the file.
Such situations can similarly lead to allegations from opposing counsel of data manipulation, or concerns that the data has not been treated in line with best practice, leading to the loss of metadata (i.e. data relating to the original creator/last modifier).
In addition to issues regarding the data itself, this could also potentially be viewed as a GDPR issue, depending on the specific situation and which metadata is embedded into the file.
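Both failure modes described above, metadata being lost and new metadata being generated, can be checked by comparing a file's embedded properties before sending with those of the copy that was received. The following is an added example, not part of the original article: it assumes Office Open XML files (.docx, .xlsx, .pptx), which keep author and date properties in `docProps/core.xml`, and the names and dates in the samples are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
# Core properties stored in docProps/core.xml: field name -> (prefix, namespace)
FIELDS = {"creator": ("dc", DC), "lastModifiedBy": ("cp", CP),
          "created": ("dcterms", DCTERMS), "modified": ("dcterms", DCTERMS)}

def core_properties(data: bytes) -> dict:
    """Read the core properties of an OOXML file; missing or empty fields are None."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return dict.fromkeys(FIELDS)  # the whole metadata part was removed
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {name: ((root.findtext(f"{{{ns}}}{name}") or "").strip() or None)
            for name, (_, ns) in FIELDS.items()}

def compare(original: bytes, received: bytes) -> dict:
    """Label each differing field 'lost' (scrubbed), 'added' or 'changed'."""
    before, after = core_properties(original), core_properties(received)
    findings = {}
    for name in FIELDS:
        if before[name] != after[name]:
            findings[name] = ("lost" if after[name] is None else
                              "added" if before[name] is None else "changed")
    return findings

def make_sample(**fields) -> bytes:
    """Build a minimal constructed OOXML package holding only core.xml."""
    body = "".join(f"<{FIELDS[k][0]}:{k}>{v}</{FIELDS[k][0]}:{k}>" for k, v in fields.items())
    xml = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" '
           f'xmlns:dcterms="{DCTERMS}">{body}</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()

# Constructed samples: names and dates are invented for illustration.
DATES = dict(created="2021-03-04T09:15:00Z", modified="2021-03-05T16:40:00Z")
ORIGINAL = make_sample(creator="A. Custodian", lastModifiedBy="A. Custodian", **DATES)
SCRUBBED = make_sample(created=DATES["created"])  # author fields and modified date stripped
ALTERED = make_sample(creator="A. Custodian", lastModifiedBy="Vendor Analyst",
                      created=DATES["created"], modified="2024-01-10T11:02:00Z")
if __name__ == "__main__":
    print(compare(ORIGINAL, SCRUBBED), compare(ORIGINAL, ALTERED))
```

Run against the file as collected and the file as received, an empty result shows the embedded properties survived the transfer; any other result identifies which fields would need explaining.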
Original Data Handling
When data is provided over email, there can be a bigger question over the procedures taken to collect that data, prior to it being sent over email. I am writing content specifically focussed on self-collections separately, and there is far more to cover than could be included here. However, it is worth understanding that the files being sent over email may not be the biggest concern. If the data was not collected properly, metadata could already have been lost or overwritten, and there could be separate concerns regarding the process used, documentation etc. It is worth bearing in mind that concerns over the collection methodology could cause as many issues as (if not more than) the issue of the file being sent over email.
It is also worth thinking about consistency in this scenario. If this is a larger project, with all prior data having been collected using a dedicated digital forensic team, then providing data over email would be a significant departure from that approach. This in itself could potentially be used by opposing counsel to question why that data was not collected using the same methodologies as elsewhere.
Privacy and Confidentiality
Lawyers have a duty of confidentiality to their clients (see for instance https://www.sra.org.uk/solicitors/guidance/confidentiality-client-information/). This could potentially cause some concerns where files relating to the client’s interests are provided over email.
To understand why this may be an issue, it is worth considering the impact of data being present on email. Typically firms of lawyers will implement a retention policy on emails. This can vary by jurisdiction and may not necessarily be specifically set by regulation, but is regularly 7 years or more. This means that these client files are retained for a potentially significant amount of time, and could be kept for many years after the matter itself has been resolved by the courts. There is also the potential, with staff turnover etc., that access to those emails may be given to others at the law firm.
In addition, there is also the recipient side to consider. An eDiscovery vendor may also have a retention plan in place, and may also give others access to data due to staff retention etc.
All of this could mean that access to (potentially sensitive) files which were sent over email could be far wider than initially envisaged.
Security and Discoverability
If files are sent unprotected (for example not within an encrypted container), then they could be at risk, for example in the event of a compromised email account at either the sender or the receiver. Given the potentially significant timeframes that emails may be retained for, this could increase the possible risk of exposure.
Potentially, as instructions to a vendor, the emails themselves could be discoverable. This means that while the files were intended to be disclosed, the emails, and the full email thread, could be discoverable. This could be potentially embarrassing if the email thread contains confidential information, or if the thread contains a recommendation that files should not be provided on email, but the client has done so regardless.
In Summary
Providing files for disclosure via email is not typically to be recommended. While there may be some times where options may be limited (for example including files in a disclosure at the last minute), clients should be aware of the potential risks that they may face down the line before making a decision.
If you are a corporate or law firm, you should ensure that you understand the risks that may be involved. If you are an eDiscovery vendor receiving such files, it may be worth checking that your client is aware of the potential risks before pushing them through to be included in disclosure – you may save your client from potential difficulties in the future.
