
Redaction Risks and Best Practices for Attorneys

Redaction Risks

Every day, lawyers deal with high volumes of sensitive data: their clients' personal information, including both personally identifiable information (PII) and protected health information (PHI), intellectual property, trade secrets, financial information, and much more. Simultaneously, lawyers are frequently obligated to submit information to opposing counsel, courts, regulatory authorities, and, in some cases, citizens seeking personal data or government documents. They are tasked with sharing necessary information without revealing confidential information. That’s where redaction comes in.

Redaction is the process of removing personally identifiable information from documents. It is necessary whenever confidential information must be removed from a document before it is released to a third party. Problems arise when an ineffective redaction method is used, such as masking information rather than permanently erasing it, or when the person redacting is unaware of the metadata embedded in the document. They may discover, too late, that the information in the document can still be uncovered afterwards.

In this article, we'll discuss the redaction risks that apply to attorneys and best practices for performing redactions quickly and effectively without having to manually redact the same material over and over.

Why redacting confidential information is so important for attorneys

Attorneys are required by law to guarantee that client information is redacted. For example, the Federal Rules of Civil Procedure require attorneys to redact certain personally identifiable information in court filings. Filings must only include the last four digits of a Social Security or tax ID number, the year of an individual's birth, a minor's initials, or the last four digits of a financial account number, according to Rule 5.2(a), titled “Redacted Filings”.

When lawyers fail to redact material properly, they may be in violation of a variety of ABA Model Rules of Professional Conduct. At the very least, a lawyer who fails to take reasonable steps to redact privileged or other confidential client information breaches Rule 1.6 on Confidentiality of Information.

Rule 1.6(a) establishes that a “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is implicitly authorized to carry out the representation or the disclosure is permitted” by a separate provision. Rule 1.1 states that a lawyer “shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

Disclosure of confidential information which is unauthorized by the client or by the law could lead to disciplinary action against an attorney and could also render them liable, in certain circumstances, to a civil action arising from the misuse of confidential information.

What kind of information needs to be redacted?

Redactions should be made to sensitive material that could be exploited to perpetrate fraud or expose private information. Generally, this includes Social Security numbers, driver’s license or professional license numbers, protected health information and other medical information, financial documents and files, proprietary information or trade secrets, judiciary records, individuals’ addresses, dates and months of birth, and other personally identifiable information (PII).

PII (Personally Identifiable Information)

Personally identifiable information (PII) is any information that may be used to accurately identify a specific individual. Social Security numbers, mailing addresses, email addresses, and phone numbers are all examples of PII. As enterprises collect more types of data, such as account log-in IDs, biometric records, and geolocation data, the category continues to grow.

PII is divided into two categories: sensitive and non-sensitive. Information that could directly identify a person is classified as sensitive PII. Non-sensitive PII is information that must be coupled with information from other sources to identify a person. Commonly available information such as date of birth, gender, race, or zip code is an example of non-sensitive PII.

Whether it's medical information stored in electronic health record (EHR) systems, financial data held by financial services businesses, or personal data used by insurance underwriters to establish rates, personal information is critical for delivering excellent services in many industries. Organizations are required by law to have measures in place to handle PII and prevent data from falling into the wrong hands.

Material requested under the Freedom of Information Act (FOIA)

The Freedom of Information Act (FOIA) has given the public the ability to seek data from any federal agency since 1967. It is also referred to as the law that informs citizens about their government. Any material requested under the FOIA must be disclosed unless it falls under one of the FOIA's nine exemptions, which protect interests like personal privacy, national security, and law enforcement.

If you work for a government agency that receives a FOIA request, you already know that it's your job to find records in response to the request and then review them to see which documents – and which parts of each – can be released. If you come across information that is considered too sensitive to divulge, you can redact it before delivering the rest of the records to those who have requested it; however, this presents a dilemma. Because electronic documents can be redacted so cleanly, it's impossible to tell whether a few words or several pages have been concealed.

The 1996 revisions to the FOIA addressed this issue by requiring your agency to identify the position of deletions in the published section of the record and show where on the record any deletions were made unless doing so would jeopardize an exemption-protected interest.

Protected Health Information (HIPAA)

To prevent violations, PHI needs to be redacted before being shared with others. Redaction under HIPAA is covered in the Privacy Rule, which is responsible for regulating the use and disclosure of personal health information.

Patients and medical professionals can access their medical records for treatment, payment, and health care operations under the HIPAA Privacy Rule. However, this requirement does not apply only to health care institutions; health records must occasionally be shared with other covered organizations. Health plans, health care providers, health care clearinghouses, business associates, and health insurers are all "Covered Entities".

Covered Entities can use and share health information without patients' permission in the following circumstances:

  • When federal law requires it for public health reasons,
  • When law enforcement agencies require it,
  • For the purpose of clinical research,
  • Operating in the healthcare industry (quality assurance, compliance monitoring),
  • When victims of abuse and cases of violence are reported,
  • During activities relating to health supervision,
  • When it's a judicial or administrative proceeding.

Covered Entities are held accountable for proper handling and de-identification of personal information before disclosure. Therefore, redaction is necessary to remove personal health-related information from medical records before sharing.

General Data Protection Regulation (GDPR)

GDPR is a regulation that, beginning in 2018, applies to all EU countries and is intended to safeguard EU individuals from corporations that use personal data recklessly. It gives the data subject (the person the data describes) control over what personal data can be shared, where it can be shared, and how it can be shared.

GDPR was enacted in response to the concept of the 'right to be forgotten,' which allows any individual to contact your company and request that their personal information be deleted from all of your systems within a specified time frame.

Redaction allows you to comply with GDPR without having to suppress relevant data or destroy an entire record. GDPR is not going away. You may go a long way toward meeting GDPR standards and restoring customer trust by utilizing redaction on essential documents.

Common redaction errors that attorneys should avoid

Using an incorrect method to redact the electronic file is a common redaction blunder. The following is a partial list of common misunderstandings and techniques that attorneys should avoid:

  • Changing the font color does not equal redaction. Setting the font color to white makes the words appear to disappear, but they do not! The text itself remains in the file, and even someone with basic tech skills can reveal what you were trying to redact simply by selecting the text or extracting it.
  • Leaving metadata behind. All word processors (including Microsoft Word, Corel WordPerfect, WordStar, and others) retain a great deal of metadata, such as revision history. This metadata can expose anything that was in the file at any earlier point, including text that has been deleted or modified, even after the file has been re-saved. Although this is a valuable tool for tracking revisions, if this information is not purged from the document, it can be viewed by anybody, even after the document has been converted to PDF.
  • The cover up. Ink-marking, or covering sections of a document with semi-translucent tape or paper before scanning it, can still reveal enough for someone to make out what was thought to be hidden, especially if the same information appears multiple times in the document.

Redaction best practices for attorneys

Electronic files present a significantly more difficult problem than paper documents when it comes to secure redaction. In today’s digital world, this presents a liability for attorneys. Here are a few best practices for attorneys to follow:

  • Understand the difference between covering text and permanently redacting information. When text is redacted by overlaying graphic components (typically black rectangles) on text in a PDF or word processor format, the original text remains in the file and can be revealed by simply erasing the overlaying visuals.
  • Remove the metadata. As mentioned above, simply editing/removing text is not enough to generate a secure document. 
  • Use a tool designed for permanent redaction. To effectively redact electronic documents, all essential text or image data must be removed from the document file, not just a black box. You'll need software developed for cleaning electronic documents to do so. 
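To check whether a PDF that was "redacted" by recoloring or covering text still carries the content (white text, text left under a drawn black box, leftover document properties), here is an added example; it is not Redactable's code or part of the original article. It assumes a small constructed sample file, flat stream dictionaries, simple `(...) Tj` text operators and `r g b rg` fill colors, which is enough to show the failures from the two lists above; a real review should run the same checks through a full PDF library.

```python
import re, zlib

# Constructed skeletal PDF fragment (not a real filing): the SSN was "redacted" by drawing a
# black box over it, the phone number was hidden as white text, and /Info still names the matter.
SAMPLE_PDF = b"""%PDF-1.4
4 0 obj << /Length 160 >>
stream
BT /F1 12 Tf 0 0 0 rg 72 700 Td (Client SSN: 123-45-6789) Tj ET
0 0 0 rg 72 696 170 16 re f
BT /F1 12 Tf 1 1 1 rg 72 650 Td (Home phone: 555-0100) Tj ET
endstream
endobj
5 0 obj << /Title (Smith v. Jones - draft) /Author (J. Doe) >> endobj
trailer << /Info 5 0 R >>
%%EOF
"""

SENSITIVE = {  # patterns for two of the categories the article lists; extend as needed
    "SSN": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(rb"\b\d{3}-\d{4}\b"),
}

def content_streams(pdf):
    """Yield each stream body, inflating it when its (flat) dictionary says /FlateDecode."""
    for m in re.finditer(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(2)
        yield zlib.decompress(body) if b"/FlateDecode" in m.group(1) else body

def text_runs(pdf):
    """Return (string, fill_rgb) pairs; fill colour is tracked from 'r g b rg' (default black)."""
    runs, fill = [], (0.0, 0.0, 0.0)
    for stream in content_streams(pdf):
        for op in re.finditer(rb"([\d.]+) ([\d.]+) ([\d.]+) rg|\(((?:\\.|[^)\\])*)\) Tj", stream):
            if op.group(4) is None:
                fill = tuple(float(x) for x in op.groups()[:3])
            else:
                runs.append((op.group(4), fill))
    return runs

def residual_findings(pdf):
    """Sensitive strings still in the file, with the reason a visual check would miss them."""
    return [(label, "white text" if fill == (1.0, 1.0, 1.0) else "text still in stream")
            for text, fill in text_runs(pdf)
            for label, pattern in SENSITIVE.items() if pattern.search(text)]

def info_metadata(pdf):
    """Document-properties (/Info) strings that would ship with the 'redacted' file."""
    ref = re.search(rb"/Info (\d+) 0 R", pdf)
    obj = ref and re.search(rb"\n" + ref.group(1) + rb" 0 obj <<(.*?)>>", pdf, re.S)
    return dict(re.findall(rb"/(\w+) \(([^)]*)\)", obj.group(1))) if obj else {}
```

A file that passes permanent redaction yields no findings and no identifying /Info entries; anything returned here is text or metadata a recipient could read back out.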

Redacting sensitive data to prevent accidental disclosure can be time-consuming, frustrating, and error-prone—or it can be quick, simple, and thorough. The difference is in the technology, which makes it easier to identify sensitive material inside a disclosure and then ensure that it is completely removed from the original file, along with any associated text and metadata files.

Redactable helps you quickly and easily make permanent redactions to ensure all confidential data is truly erased. To try it out for yourself, click here.
