U.S. markets open in 2 hours 12 minutes
  • S&P Futures

    -28.25 (-0.76%)
  • Dow Futures

    -207.00 (-0.70%)
  • Nasdaq Futures

    -71.75 (-0.63%)
  • Russell 2000 Futures

    -15.60 (-0.93%)
  • Crude Oil

    -0.92 (-1.17%)
  • Gold

    -8.50 (-0.51%)
  • Silver

    -0.30 (-1.56%)

    -0.0055 (-0.57%)
  • 10-Yr Bond

    0.0000 (0.00%)
  • Vix

    +5.10 (+18.65%)

    -0.0116 (-1.07%)

    +1.0010 (+0.70%)

    -83.36 (-0.44%)
  • CMC Crypto 200

    -8.59 (-1.93%)
  • FTSE 100

    -62.95 (-0.90%)
  • Nikkei 225

    -722.28 (-2.66%)

Epic Fail: This Common Redaction Error Exposes Confidential Info

(Photo: Shutterstock.com)
(Photo: Shutterstock.com)

(Photo: Shutterstock.com)

The black redaction box is meant to protect sensitive information from public view. It’s supposed to be an impenetrable curtain. But sometimes that curtain is surprisingly easy to raise.

And when that happens, it can mean trouble for attorneys and their clients.

Lawyers who fail to properly redact information in confidential documents could run afoul of the American Bar Association’s rule on safeguarding client property, which has been adopted by most states.

“A client’s information is their property. When they transfer it to us, we have a duty to maintain that information. Once it’s out, it’s out. And the exposure for an attorney in that situation is monumental. The damages could be in the hundreds of millions of dollars,” said Eric Bland, a legal malpractice attorney at Bland Richter in Columbia, South Carolina. Aside from risking potential civil liability, lawyers also could face disciplinary action when they fail to properly redact court documents, as evidenced by a 2013 case involving a Chicago lawyer and a 2014 case out of Kentucky.

Redaction errors exposing confidential information are coming to light with increasing frequency: Earlier this year, The South Florida Sun-Sentinel unveiled what was supposed to have been confidential information in a school district report about Parkland, Florida, high school shooter Nikolas Cruz, which raised the ire of a local judge. “By court order, the district was supposed to black out nearly two-thirds of the report because it disclosed information that Cruz was entitled to keep private under federal and state law,” the newspaper reported. “But the method used to post the report on the district’s website made it possible for anyone to read the blacked-out portions by copying and pasting them into another file.”

In 2014, The New York Times reportedly failed to properly redact a PDF file of leaked National Security Administration documents and inadvertently released the name of an NSA agent.

More recently, reporting about an SEC settlement with alleged fraudsters, a reporter for this publication downloaded from the federal PACER database an affidavit from one of the defendants in the matter. The PDF file contained about 100 pages of financial transactions that were blacked out in the PDF file. When the affidavit was copied and pasted into another application’s text file for uploading, however, the black redaction boxes vanished, revealing all the private financial information that was supposed to be hidden. A clerk at the federal courthouse where the document in question was filed said that the party filing the document was responsible for ensuring that it was properly redacted. The attorney who filed the affidavit did not respond to interview requests.

Bruce Schneier, a security technologist and a special adviser to IBM Security, said in an interview that redaction mistakes happen simply because “people don’t know how to use the technology.”

“This requires specialized expertise,” he added. “If you don’t have it, you don’t realize you’ve screwed up.”

After a military incident that exposed classified information in connection with the death of an Italian secret agent, the National Security Agency in 2005 released guidelines for properly redacting documents and noted that the “most common mistake is covering text with black.”

The NSA report states: “The key concept for understanding the issues that lead to the inadvertent exposure is that information hidden or covered in a computer document can almost always be recovered. The way to avoid exposure is to ensure that sensitive information is not just visually hidden or made illegible, but is actually removed from the original document.”

Tech experts recommend using a redaction tool that allows users to burn a permanent black box into an image or text.

Of course, there’s always the old-school option of using a dark marker to manually cover over confidential information. But even that method might not be good enough, according to Mark Crandley, a partner in the litigation department of Barnes & Thornburg in Indianapolis.

He wrote in a 2015 article, “The Perils of Redaction: Simple Steps to Protect Confidential Information,” that “many scanners are sensitive enough to perceive covered words even when the naked eye cannot.”

So what then? Find scissors and start cutting.

“The surest means to redact hard copy documents is to physically cut the confidential language from the document,” Crandley wrote.

Some Basic Tips for Properly Redacting Word to PDF Files:

• Delete the sensitive information before converting the text or Word document to a PDF file.

• Create PDFs as image files with no text.

• If you use a redaction tool such as Adobe Acrobat, be certain that the software is the correct and updated version. Know that most office tools such as Microsoft Word also contain hidden metadata that can be accessed. Converting a Word document to PDF does not automatically remove all metadata.

Sources: NSA Information Assurance Directorate 2005; interviews.

Read more:

Lawyer's 'Inadvertent' E-Discovery Failures Led to Wells Fargo Data Breach

Attorneys Weigh in as Judge in Parkland Shooting Case Threatens to Hold Sun Sentinel in Contempt

WindTalker Wants to Protect the Water, Not the Glass, With Redaction Software