The Digital Edge

Metadata Management and Daily Best Practices

In this episode of The Digital Edge, hosts Sharon Nelson and Jim Calloway talk with PayneGroup CEO Donna Payne about ways attorneys can better handle their metadata. Donna reminisces about starting her company in 1998, the client experience that inspired the creation of her Metadata Assistant software, and The Wall Street Journal’s front page article mention that resulted in 150,000 downloads. She analyzes how metadata has changed since she started and provides a list of things, such as track changes and hidden text, that lawyers should be on the lookout for. She states that one of the best things you can do if you can’t afford a third party assistant program is to know what is in the document and use any free options available in your preferred office software suite. Donna closes the interview with an explanation of what exchangeable image file format data is, her checklist of the most common metadata mistakes that lawyers make, and some daily best practices that lawyers can implement to help protect their data.

Donna Payne is the founder and serves as chief executive officer of PayneGroup, Inc. She is a member of the American Bar Association, the American Society of Journalists and Authors, and the Project Management Institute. In addition Donna is an original member of the Microsoft Legal Advisory Council. She is a frequent speaker at legal and technical conferences worldwide and has spoken to Congressional committees, the Senate, and at international judicial conferences on the subject of metadata and preventing accidental disclosure.

Special thanks to our sponsors, ServeNowCloudMask, and Scorpion.

View transcript

The Digital Edge

Metadata Management and Daily Best Practices

08/31/2016

[Music]

Intro: Welcome to the Digital Edge with Sharon Nelson and Jim Galloway, your hosts, both legal technologists, authors and lecturers invite industry professionals to discuss a new topic related to lawyers and technology. You are listening to Legal Talk Network.

Sharon Nelson: Welcome to the 104th edition of ‘The Digital Edge: Lawyers and Technology’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.

Jim Calloway: And I am Jim Calloway, Director of the Oklahoma Bar Association’s Management Assistance Program. Today, our topic is Metadata: Still a Pain Point for Lawyers.

Sharon Nelson: And before we get started, we would like to thank our sponsors. Thanks to our sponsor, Scorpion, which delivers award-winning law firm web design and online marketing programs to get you more cases. Scorpion has helped thousands of law firms just like yours attract new cases and grow their practices. For more information visit  HYPERLINK “http://www.scorpionlegal.com/podcast” scorpionlegal.com/podcast.

Thanks to CloudMask which offers cost-effective and efficient data encryption for law firms, whether large or small in Google Apps, Office 365 and other cloud solutions. Sign up now for your 60-day free account at  HYPERLINK “http://www.cloudmask.com” cloudmask.com.

Thanks to ServeNow, a nationwide network of trusted prescreen process servers. Work with the most professional process servers who have experienced with high volume serves, embrace technology and understand the litigation process. Visit  HYPERLINK “http://www.servenow.com” servenow.com to learn more.

Jim Calloway: And to discuss this particular pain point, we are very pleased to have as our guest, Donna Payne. Donna is the CEO and Founder of PayneGroup, based in Seattle, Washington. She is an author, columnist, and frequent speaker on the subjects of privacy, metadata, leadership and STEM. She has spoken worldwide as well as to security agencies and Congress on the subject of metadata. Thanks for joining us today, Donna.

Donna Payne: And thanks for having me Jim and Sharon. It’s definitely a pleasure to be here with you today to talk about the pain points of metadata no pun intended or pun intended.

Sharon Nelson: Well, Donna, I kind of think of your royalty because I have always thought of you as the Queen of Metadata. You were the first to jump into this metadata removal arena, what prompted you to do that?

Donna Payne: It’s funny. I almost named my twins Meta and Data, so I kind of feel that way.

But candidly back in 1998, our attorney — we were a new company, we were sending out, we had these new products that we wanted to get out to market and one of the things that we were doing is working with a law firm to get our product contracts out. And one day we received a contract, I opened it up, and bam! There were probably several years worth of changes that had happened in that document, because the firm had used it as a go by document for other software companies. So that was a real eye-opener, I mean for everybody concerned. Track changes coming back, it’s amazing, and somehow that file has been corrupted and all previous versions were made visible.

So we took this and thought there is got to be something that we can do about it. So we developed a product called Metadata Assistant, and back then, it was free. It was free, we were happy, we were sending it out to people and just using it more as a tool to help educate people and to protect lawyers.

And then ‘The Wall Street Journal’ heard about us, and they wrote about us on the front page of their newspaper, and a 150,000 people downloaded the software, and I guess, it was in conjunction with some kind of a political scandal with metadata that it come back in a document or something.

And so they wrote about us, put us up there, and so many people downloaded the software and they wanted customizations and support for it, that we ended up having to hire a lot of people.

So that was 18 years ago, believe it or not.

Jim Calloway: Wow, how time flies when we are having fun, right?

So 18 years ago, do lawyers today have to worry about the same types of metadata, as what existed back then?

Donna Payne: Jim, that’s a great question. The answer is yes and no. Okay, so there is not last 10 authors. Back in the earlier day he is using Microsoft Word, for example. You can choose File>Open and choose a file type as open and recover text from any file, and it would bring back into probably the last 10 authors who touched the document and the filename and path where the document was stored. That was huge, especially because lawyers travel with their documents.

(00:05:02)

So that metadata is gone. So that’s a great thing. But there are new metadata types that you have to be aware of, and there is user-defined metadata in addition to the application Assistant Metadata that we have to be aware of.

And there is lot of generalization of metadata types. So I just want to give a couple of examples of things you have to watch out for. Track changes, comments, those are kind of the obvious things. Hidden text; it’s so easy. I get a document today from someone and I was opening it up and ready to attach it to an e-mail, and thought, oh, I better check something. I found out that that document had lots of track changes residual in it, even though I hadn’t made any myself.

So that can happen, or speaker notes in your PowerPoint file and your Excel workbook can have lots of metadata like your hidden rows and hidden columns or pivot tables. And there is a special little old word for metadata in Excel that I want to kind of give a call out to. If you format the cells’ contents in an Excel spreadsheet with three Semicolons (;), I know pretty obscure, right? If a three semicolons as the format, it makes the cell contents invisible, but if you click in that cell, the Formula Bar shows the invisible contents.

So there is a lot of things that we really have to worry about now.

Jim Calloway: Wow!

Sharon Nelson: That is obscure, and of course you get rid of all of that with your programs?

Donna Payne: Yes, that’s right.

Sharon Nelson: I was pretty sure that was true or I wouldn’t have asked.

Donna Payne: I am so glad the answer was yes.

Sharon Nelson: So if you don’t have a specialized software program are there ways in which a lawyer can see what metadata might exist in a document?

Donna Payne: Absolutely! Actually, that’s one of the best things that you can do is kind of know what’s in the document. So when you’re collaborating with other people it’s kind of hard to know that what did they put in there?

First thing I do is when I open the document I would go to — let’s say the Review Tab if you are using some of the later versions of Microsoft Office, and look to see if Track Changes is enabled, and if so, are all the changes showing in the document or are there comments in the document, or are they expanded, headings expanded.

Microsoft has done a really good thing by having something called Document Inspector. That can go through and do a cursory look and even remove metadata that’s in documents, and that’s free. It’s already in the software. But some of the other things that I would probably do are just looking Explorer, check the file properties, for example. Find out what file name this has been stored at, and how — if it’s tracking how long the document has been edited or created or last printed. Just under File Properties you can find that information.

There is so much metadata that can exist and get attached on to documents that it’s kind of mind-boggling actually, but the free tool, Document Inspector, can help you go a long way in protecting yourself.

Jim Calloway: Microsoft has the Document Inspector, as you mentioned, available under File>Check for Issues>Inspect Document, what’s the difference between this built-in tool and a third-party tool designed to detect and strip metadata?

Donna Payne: Great question again. Well, first you have to remember to use it. The tool can be really effective, but most of us send documents through e-mail. We don’t go in through Word and attach our files that way and send them. We either do it through a Document Management System or through e-mail, attach it, click ‘Send’, it’s gone, and then you are like, oh, metadata.

And so, usually it’s an afterthought, and sometimes people won’t think about it at all until it’s too late, and they have been notified that they just sent out some information. So you have to remember to use it because it’s not automatic and it’s not integrated with any third-party tool. And the other thing to remember is that it’s not going to detect all of the metadata or things that we might consider metadata.

So an example might be, you can actually have in later versions of Office, in PowerPoint and Word, you can have an object and you can change the property to make it visible or invisible. It’s a little Eye icon, which is really strange, and when it’s not visible it’s a straight line. But if it’s not visible and you can’t see it in the document how do you know it’s there?

So that’s a type of metadata that it might not be able to see. Another one is, if you — let’s say PowerPoint for litigation, you have embedded videos or cropped photograph just to kind of illustrate your point further. You can crop it and it’s when you save the file that cropped part is still available for people to be able to undo and to be able to see it, because the picture or video hasn’t been compressed yet.

And so, it doesn’t get everything with Document Inspector. It’s a good start and I would say if you don’t have the money to invest in a metadata tool, just make sure you are cleaning everything or looking at everything through Document Inspector.

(00:10:00)

Jim Calloway: Okay, that’s great information on Document Inspector, before we move on to the rest to the podcast, let’s take a quick commercial break.

[Music]

In recent years, the legal sector has come under increasing pressure to improve efficiency in client services. CloudMask enables law firms and solo attorneys to leverage free and low-cost Software as a Service, such as Google Apps and Office 365 to improve efficiency in client service while reducing cost, strengthening compliance with data privacy laws and ensuring that ethical duties are met. CloudMask encryption is even certified by 26 governments around the world.

[Music]

Looking for a process server you can trust?  HYPERLINK “http://www.Serve-Now.com” Serve-Now.com is a nationwide network of local, prescreened process servers. ServeNow works with the most professional process servers in the country. Connect your firm with process servers to embrace technology, have experience with high volume serves and understand the litigation process and the rules of properly effectuating service. Find a prescreened process server today. Visit  HYPERLINK “http://www.Serve-Now.com” Serve-Now.com.

[Music]

Not getting enough cases from the Internet, the kind of cases you want, Scorpion can help. Over the last 15 years, Scorpion has helped thousands of law firms just like yours to attract new cases and grow their practices. During this time, Scorpion has won over 100 awards for its law firm website design and online marketing success. Join the thousands of law firms which partner with Scorpion and start getting more cases today. For more information, visit  HYPERLINK “http://www.scorpionlegal.com/podcast” scorpionlegal.com/podcast.

Welcome back to ‘The Digital Edge’ on the Legal Talk Network. Today, our subject is Metadata: Still a Pain Point for Lawyers, and our guest is Donna Payne, our friend and the CEO and Founder of PayneGroup based in Seattle, Washington.

Sharon Nelson: Donna, lawyers make so many mistakes with documents, it’s ridiculous, but with respect to metadata what’s the most common mistake do you think?

Donna Payne: Well, I think the most common mistake that people make is, clean it once, forget about it, and then as you’re using this file over and over more metadata gets added. And so, cleaning it once isn’t enough, you can’t just set and forget. You have to go back and be kind of diligent in — it’s an ongoing process and just like using metadata tools, it’s really important to be aware of kind of current vulnerabilities within documents. And that’s hard to do if you are practicing law and you are expected to be a technology expert as well. It’s kind of hard, it’s not impossible.

Jim Calloway: Donna, I once remember taking the contents of a Word document and pasted into WordPad knowing not to lose all my formatting but sure I’d lose the metadata at the same time when I copy to that.

Donna Payne: Jim, I am going to laugh, did you get the last when you copied and pasted, did you get the last paragraph mark in the document, did you copy and paste that?

Jim Calloway: No, I was aware of that issue but once you explain that to our listeners.

Donna Payne: That’s great. I am so glad you brought that up because when you copy and paste information from one document to another, sometimes the metadata can come along and that last paragraph mark contains the formatting and the header and footer information. And so, coping the body of text into a new document container isn’t always a sure thing. Especially, if text has been redacted improperly, it’s funny how those redaction shadings kind of go away when you copy and paste.

Really, it’s kind of ridiculous how smart we all have to be with technology now, just to copy and paste to get a document out the door.

Jim Calloway: Well, I am glad we took that little detour. I think our listeners will be interested in that actually. But I have heard of another type of metadata that I wasn’t really familiar with called Exif metadata, could you speak a little bit about that type of metadata?

Donna Payne: Oh, I can. That’s great that you know about this, because it’s not very well-known. Exif metadata is information that’s especially useful when you are working with photography and with images and things like that. So Exif metadata can store things like your camera, your camera type, your make-in model, the date the picture was taken, all that kind of information. But combining that with the GPS location is really pretty dangerous.

If you have a picture, let’s say you’ve taken a picture from your cellphone and you take a picture and you have GPS Location Services enabled with your camera which is on by default, it captures a part of your Exif metadata, your longitude and latitude and your exact longitude and latitude.

(00:15:00)

So, I worked with a judge in DC who said basically, yeah, I really enjoy taking pictures, I am posting things to the Internet, and I am taking pictures of my grandchildren. And we looked at her pictures and she had her exact longitude, latitude, and altitude that were saved with the pictures. And that’s not something a judge or anyone else wants to really have happened. You don’t want people to know where you live or where they can find you, especially when you are in jobs like that.

I actually heard of this radio announcer, was bragging about his son, just being proud that his son served in the military and then he said, I can’t give you the location where he is at, because I don’t know it, because he is currently deployed. And he posted this picture up and the longitude and latitude of where his son was deployed was available.

So those kinds of things are things we have to be careful with, and you might be like, okay, well, you have to be a map expert to find longitude and latitude; all you have to do is go to Google Maps and put that data in there, and it takes you within about 50 feet of the location for the longitude, latitude, and altitude.

Sharon Nelson: That data, we deal with a lot in digital forensics, and I remember one of the most fascinating stories was how they used that data to find John McAfee when he had a photo of himself posted, and they had his latitude and longitude, and that was the end of him being a person at interest that the authorities could not find.

Donna Payne: That’s funny how that happens, isn’t it? It’s like the — for the good causes, it’s really good. For the bad cause, it’s like, let’s say your kids are playing in the front yard and — it’s just basically we are so much more vulnerable today than probably in the past because we have to worry about people looking for and stalking out kids. And so if there is good and bad for all of this data that’s being captured, it’s great that we can index it. It’s great that we can get data and organize. But it’s also bad that people become at risk if the wrong people get their hands on our metadata.

Sharon Nelson: That is for sure. And I am sure as a mom you worry about that, and I am kind of glad that I at this stage am a grandmother, so now I am worrying about the grandkids and that my girls have survived. I have got my generation of daughters past this, so they are on their own now.

So metadata, we talk about it a lot in terms of one of the things attorneys have to be careful about, but I know there’s a certain amount of metadata fatigue after you have spoken for a while about it. So what different concerns should lawyers have, what else should be on their radar?

Donna Payne: First thing is don’t click every email that comes in and don’t open attachments that you don’t know where they came from. That’s what we are seeing a lot of. There is so much malware and ransomware attacks. I was fortunate enough to go to the Microsoft Digital Crime Unit and I got to see a drill in of where most of the malware exists, and it’s everywhere.

In my office building in Seattle it’s filled with malware, and they are able to tell that just through their analytics. But just clicking a file, clicking a link, keystroke logging, all of that, having due diligence for, is that really an email I need to open up or is that a link I need to click.

If you get hit by a ransomware attack one of the first things that security agencies recommend is, go unplug your server and unplug your laptop and unplug anything that’s being infiltrated by it. If it’s unplugged it can’t continue to propagate and run and damage is contained, or at least kind of mitigated. There are just a few things that you can do like that to kind of mitigate damage and to do damage control on these attacks.

One of the things that kind of is one of my pet peeves is connecting to Wi-Fi. We travel a lot, and we are such a trusting group for what we do, we are a trusting group; we will go to a hotel, go to the business lounge and just start checking our email or logging into sites, and there could be keystroke loggers watching what you are doing and capturing your information.

I went to a hotel in Chicago once and I sat down at the Business Center and someone had their immigration papers and everything was scanned on the desktop, and it’s just kind of mind-boggling that we don’t just go in and check what we are doing, and we don’t just put thumb drives into our computers without some kind of scanning, the passwords that we are using.

I mean, if we were able to poll people who were listening to this podcast and say, how many of you use the same password for Facebook that you use for your firm’s network, unfortunately I think we might get a few affirmative responses there.

(00:19:52)

So it’s using different passwords, changing them, making sure your network and your security updates are up-to-date. Not using Wi-Fi if possible on in-flight with their Wi-Fi, or shopping on Amazon or other places and making orders, and really just being hyperaware of the dangers that are out there.

Sharon Nelson: Because, I know you probably have more to say about this, but I thought it was really interesting that over a thousand of the Republican Convention attendees connected to a fake wireless or multiple fake wireless networks that was set up by a research company so they could track; they didn’t reveal the data, but they could track who is doing what and 5% of them were playing Pokémon Go.

Donna Payne: I am sorry for laughing, but that’s kind of hilarious.

Sharon Nelson: Yeah, it is hilarious. I loved it. But I mean, look how many of them connected to — some of the networks to me, the names are obviously fake, but there they went anyway.

Donna Payne: Yes. Going to — I was at Reagan National not long ago and there were so many obvious false — it wasn’t their free Wi-Fi, it was just made up names, and some of them are obvious, like DEA Task Force, things like that, but in looking at it, they were false networks.

Sharon Nelson: And I probably interrupted your train of thought, where were you in the things we had to look out for?

Donna Payne: Well, no, actually, I think I got it all out. There is just so much. I went on and on and on about things to look out for and I probably missed about 40 of them.

It’s an ongoing process. That’s I guess the big theme, the overall theme of this is, it’s an ongoing process and hackers are coming up with new ways to infiltrate and get information and lawyers unfortunately are a big target right now.

Jim Calloway: Did you have some other products from the PayneGroup you wanted to mention to us, Donna?

Donna Payne: Thank you. Thanks for asking. Yeah, we have been really trying to look at other vulnerabilities and just kind of trying to plug those holes a little bit. We have a product called Outlook Send Assistant, and this is a product that’s more of a reminder before you do a gotcha. It’s, if you say Reply All, I mean how many times have you received a message where the respondent didn’t mean to Reply All, they meant Reply, but they sent something that shouldn’t have been shared with everyone on the distribution list. So it’s kind of a reminder, a last-ditch effort.

It also looks at, are you sending things externally or Bcc’ing and do you want to have special handing so people know that you are Bcc’ing.

This is pretty common, like a product that’s used pretty extensively, not just in legal, but in government and corporate, especially in banking as well. So that’s one of our products.

And then the other thing that we have been working on is we have some versions of Redact Assistant, and I was at Legaltech New York and one of the judges was saying, I wish we had software where you could redact an Excel document, an Excel spreadsheet and keep it in its native file format. And so I looked around and started figuring out, this doesn’t exist, and it did not.

So we created Redact Assistant for Excel and Word, where you can go in and redact either text selection or things that match patters, like Social Security Numbers, dates of birth, phone numbers and so forth. It hasn’t been announced yet, so you are our first announcer or first reveal, but we just came out with cloud versions of that for Office 365, and we are trying to make it really affordable, because everyone should have these tools.

Redaction especially, we have been talking about this for a while, but one of the things your listeners might be kind of interested in is, if you have text, I was talking to Inns of the Court at one conference and the speaker in front of me said, oh, and if you want to redact something just put shading over it and change that to be the same color, like turn your black text black and put a box over it. What they didn’t realize is if you copy and paste that as text only, it removes all that special formatting and layers on top of your text and everything is exposed.

And then, if you go the other route and say, well, I am going to low tech this and I am going to take a magic marker and I am going to stripe through all of my redacted text, the OCR scanners are so good right now that if you scan something, usually they can — nine times of out ten they are able to pick up what the text that was that was redacted and you will be able to see through that.

So if you are going to do that put some white out tape or something over it and then scan it on both sides and put the white out tape rather than just marking through it.

So these are just a couple of things that we have been working on, and frankly, if we find any more vulnerabilities we are going to try to either create a free tool or get something that’s affordable and get it out there, because it’s just too hard and there is just too much vulnerabilities now to not do this.

So we are kind of doing this, yes, we are a for profit, but it’s more like, how can we help our industry get the tools out there and get them in the right hands.

(00:25:02)

Jim Calloway: Well, we certainly appreciate all the help you have given to the legal profession, and I am really glad we had you as a guest, because we haven’t probably talked in several years so it’s good to catch up, even if we are doing it in front of a radio audience.

Donna Payne: Yes, it’s definitely a pleasure and I welcome any chance I have to talk to both of you.

Jim Calloway: Okay. We are talking about everything moving to the cloud, including our software and new versions of software, is that going to change things as far as metadata is concerned?

Donna Payne: We switched — as we moved from binary file types to the new file types, we actually lost some of the metadata that was making us vulnerable before, and I think cloud versions have less of the traditional metadata types. Some of it’s exposed now and so it’s not hidden.

So I think it’s just different, and it’s really important, I guess even critical to say that some time at least in understanding about what type of information can be saved in cloud versions. And it evolved, cloud version mean they can up updated every time the software is updated, so we just have to remain vigilant and we can’t just set something once and then forget about it. We have to keep just being aware of what’s available in our cloud versions of software, whether it’s Microsoft or any other type that’s available.

And I might actually recommend that if you have someone who can create a checklist of information and just kind of a standard for every incoming document, here is what we do with it and here is our Firm Policy and every outgoing document, here is what we do with that document, so just basically a checklist so everyone is on the same page as far as how document should be handled.

Firm Policy is a really good idea, and also just stressing that if a document is likely to become part of a litigation matter to retain the metadata, and so really it’s cleaning the copies of the file or cleaning files that you are bringing into your repository rather than doing something proactively to remove the metadata.

Sharon Nelson: Well, we sure want to thank you for being our guest today Donna. You have such a huge wealth of knowledge on this subject and I think the queen of metadata is an appropriate title, and it should come with purple robes. I know you have given a lot of good advice to our audience that I hope that they will take to heart. So thank you again for being with us today.

Donna Payne: Thank you for having me, Jim and Sharon. It’s absolutely 100% my pleasure.

Sharon Nelson: And that does it for this edition of The Digital Edge: Lawyers and Technology. And remember, you can subscribe to all of the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com/”legaltalknetwork.com or on iTunes. And if you enjoyed our podcast, please write us on iTunes.

Jim Calloway: Thanks for joining us. Goodbye Ms. Sharon.

Sharon Nelson: Happy trails cowboy!

Outro: Thanks for listening to The Digital Edge, produced by the broadcast professionals at Legal Talk Network. Join Sharon Nelson and Jim Calloway for their next podcast covering the latest topic related to lawyers and technology. Subscribe to the RSS feed on  HYPERLINK “http://www.legaltalknetwork.com/”legaltalknetwork.com or in iTunes.

The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.