Redaction Risks and Best Practices for Attorneys

Every day, lawyers deal with high volumes of sensitive data including personally identifiable information (PII), protected health information (PHI), intellectual property, trade secrets, financial information, and much more. At the same time, lawyers are frequently required to submit documents to third parties such as opposing counsel, courts, regulatory authorities, and, in some cases, citizens. Attorneys must always balance disclosing legally required information with safeguarding sensitive data, and that’s where redaction comes in.

Read on to discover the redaction risks that apply to attorneys and learn the best practices for performing redactions quickly and effectively without having to manually redact the same information over and over again.

What does redacted mean in law?

Redaction is a process used to prepare a document for publication or release to a third party by removing confidential information. Attorneys must regularly use redaction both to protect sensitive data and comply with legal requirements in many situations, including:

• Court filings: Must have all PII and financial data redacted. 
• Discovery phase: Often requires redaction as attorneys from both sides exchange documents relevant to the case. 
• Confidential settlements: Before these agreements can be disclosed to other parties or the public, they must be redacted to protect the interests of the parties involved.
• Communications between attorneys and clients: These must often be made available to opposing counsel or the court. However, these communications must have all confidential or privileged information redacted to protect the security of attorney-client privilege.

In each of these situations, attorneys must take steps to ensure that the redaction process is effective. When an ineffective redaction method is used, third parties may still be able to retrieve information, either by simply reversing the technical process or by looking at a document’s metadata. A failing which can cause serious legal, financial, and reputational repercussions. 

‍

Why redacting confidential information is so important for attorneys

‍
Attorneys are required by law to guarantee that client information is redacted. For example, the Federal Rules of Civil Procedure require attorneys to redact certain personally identifiable information in court filings. These must include only the last four digits of a Social Security or tax ID number, the year of an individual's birth, a minor's initials, or the last four digits of a financial account, according to Rule 5.2(a), titled “Redacted Filings”.

When lawyers fail to redact information effectively, they may be in violation of a variety of ABA Model Rules of Professional Conduct. At the very least, a lawyer who fails to take reasonable steps to redact privileged or other confidential client information breaches Rule 1.6 on Confidentiality of Information.

Rule 1.6(a) establishes that a “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is implicitly authorized to carry out the representation, or the disclosure is permitted” by a separate provision. Rule 1.1 states that a lawyer “shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”

Disclosure of confidential information that is unauthorized by the client or by the law could lead to disciplinary action against an attorney and could also render them liable, in certain circumstances, to a civil action arising from the misuse of confidential information.

Protect yourself against the risks of accidental disclosure – unlock the power of one-click redaction and save time with Redactable. 

‍

What kind of information needs to be redacted from legal documents?

‍

‍
Redactions should be made to sensitive material that could be exploited to perpetrate fraud or expose private information. Generally, this includes social security numbers, driver’s license or professional license numbers, protected health information and other medical information, financial documents and files, proprietary information or trade secrets, judiciary records, Individuals’ addresses, dates and months of birth, and other personally identifiable information (PII).
‍

PII (Personally Identifiable Information)

Personally identifiable information (PII) is any information that may be used to accurately identify a specific individual. Social Security numbers, mailing addresses, email addresses, and phone numbers are all examples of PII. As enterprises collect more types of data, such as account log-in IDs, biometric records, and geolocation data, the category continues to grow.

PII is divided into two categories: sensitive and non-sensitive. Information that could directly identify a person is classified as sensitive PII. Non-sensitive PII is information that must be coupled with information from other sources to identify a person. Commonly available information such as date of birth, gender, race, or zip code is an example of non-sensitive PII.

Whether it's medical information stored in electronic health record (EHR) systems, financial data held by financial services businesses, or personal data used by insurance underwriters to establish rates, personal information is critical for delivering excellent services in many industries. Organizations are required by law to have measures in place to handle PII and prevent data from falling into the wrong hands.

‍Material requested under the Freedom of Information Act (FOIA)

The Freedom of Information Act (FOIA) has given the public the ability to seek data from any federal agency since 1967. Material requested under FOIA must be disclosed unless it falls under one of nine exclusions, which protect interests like personal privacy, national security, and law enforcement.

If you work for a government agency that receives FOIA requests, you already know that it's your job to identify records in response to the request and then review them to see which documents – and which sections – can be safely released. If you come across information that is considered too sensitive to divulge, you can redact it before delivering the records to the requestor. However, this presents a dilemma. Because electronic documents can be quickly redacted, it can be impossible to tell whether only a few words or several entire pages have been concealed.

The 1996 revisions to the FOIA addressed this issue by requiring agencies to identify the position of deletions in the published section of the record and show where on the record any deletions were made, unless doing so would jeopardize an exemption-protected interest.

‍Protected Health Information (PHI)

‍PHI must be redacted before being shared with others to prevent violations of important regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Redaction under HIPAA is covered in the Privacy Rule, which regulates the use and disclosure of personal health information.

Under the HIPAA Privacy Rule, patients and medical professionals can access their medical records for treatment, payment, and health care. However, this requirement does not apply just to healthcare institutions; in fact, health records must occasionally be shared with covered corporations. Health plans, health care providers, health care clearinghouses, business associates, and health insurers are all "Covered Entities."

Covered Entities can use and share health information without patients' permission in the following circumstances:

• When federal law requires it for public health reasons
• When law enforcement agencies require it
• For the purpose of clinical research
• Operating in the healthcare industry (quality assurance, compliance monitoring)
• When victims of abuse and cases of violence are reported
• During activities relating to health supervision
• When it's a judicial or administrative problem

Covered Entities are held accountable for proper handling and de-identification of personal information before disclosure. Therefore, redaction is necessary to remove personal health-related information from medical records before sharing.

GDPR‍

GDPR applies to all EU countries and is intended to safeguard EU residents from corporations that use personal data recklessly. It gives the data subject—that is, the owner of the data—control over how much of their personal information can be shared, where it can be shared, and how it can be shared.

GDPR was enacted in response to the concept of the 'right to be forgotten,' which allows any individual to contact a company and request that their personal information be deleted from all of its systems within a specified time frame.

‍Redaction allows you to comply with GDPR without suppressing relevant data or destroying an entire record.  By utilizing redaction on essential documents, you can go a long way toward meeting GDPR standards and strengthening stakeholder trust.

‍

‍Common redaction errors that attorneys should avoid‍

Attorneys faced with redacting vast amounts of information can be tempted to use shortcuts that seem to get the job done but actually leave the data intact. The following is a partial list of typical mistaken techniques that attorneys should avoid:

• Changing the font color does not equal redaction: The words may appear to disappear when the text font is changed to white, but this is merely a cosmetic change and is easily reversible. 

• Leaving metadata behind: All word processors (including Microsoft Word, Corel WordPerfect, WordStar, and others) retain a lot of metadata that can store the history of every edit along with other information. This metadata can show anything present in the file at any given moment, including text that has apparently been removed or modified, even if the file has been re-saved. Although this is a valuable tool for tracking revisions, if this information is not purged from the document, it can be viewed by anybody, even after it has been converted to PDF.

• The cover-up: Ink-marking or covering sections of a document to be scanned with semi-translucent tape or paper can sometimes reveal enough information for someone to see what was thought to be hidden. Especially, if the same information appears multiple times in a document.

Redaction best practices for attorneys

Electronic files present a significantly more difficult problem than paper documents when it comes to secure redaction. In today’s digital world, this can become a liability for attorneys. So, how do you protect yourself?

Here are a few best practices for attorneys to follow when redacting legal documents:

• Understand the difference between covering text and permanently redacting information. When text is redacted by overlaying graphic components (typically black rectangles) on text in a PDF or word processor format, the original text remains in the file and can be revealed by simply erasing the overlaying visuals.
• Remove the metadata. As mentioned above, simply editing/removing text is not enough to generate a secure document. 
• Maintain an audit trail for all your redactions. Always keep track of who redacts what information and when. This ensures transparency in the redaction process and is crucial for demonstrating compliance. In the legal sector, you may need to use your audit trail as evidence in court that proper redaction procedures were followed.
• Ensure that everyone in your firm understands redaction. Your staff, contractors, and third-party vendors must be trained in good redaction protocols. Provide training on redaction techniques so that everyone understands the importance of protecting document security
• Keep redacted documents secure. Protecting information security must go even further than redaction. Redacted documents should be stored either in encrypted digital folders or locked filing cabinets.
• Study the rules and regulations for each redaction situation. It’s important to know exactly what information must be removed and what is safe to disclose. This depends on the specific redaction situation you are dealing with. Do your research to ensure that you don’t accidentally disclose protected information. 
• Use a tool designed for permanent redaction. To effectively redact electronic documents, all pertinent text or image data must be removed from the file. This requires more than just adding a black box over the top of the data — you need software developed specifically for expunging electronic documents. You need Redactable, the solution that uses AI to automatically and thoroughly remove confidential information from thousands of documents at the click of a button.  

‍Manually redacting sensitive data to prevent accidental disclosure can be time-consuming, frustrating, and error-prone. 

With Redactable, the process is quick, simple, and thorough. 

The difference is in the AI technology, which makes it simple to identify every instance of sensitive material in a document and ensure that it is entirely removed from the original file, along with any associated text and metadata files.

Redactable helps you quickly and easily make permanent redactions to important legal documents to ensure all confidential data is truly erased. Using Natural Language Processing (NLP), Redactable is capable of scanning thousands of documents and redacting them instantly and securely, giving you back valuable time and resources to focus on higher-value activities. 

Redactable also provides a number of other features, such as:

• Redaction of both electronic documents and scanned physical documents thanks to optical character recognition (OCR)
• An easy-to-use interface and workflow
• Seamless collaboration on large redaction projects
• 98% faster redaction than Adobe’s tools
• Automatic audit trails to track redaction throughout the process
• Easy import of documents from DropBox and other cloud storage services
• Flexible scaling for any size of project

Try Redactable out for yourself for free today.