Skip to Main Content
Publications | November 12, 2019
6 minute read

Getting Redactions Right Matters Now More Than Ever

Lawyers routinely handle thousands of records, both hard copy and electronic, that contain privileged or otherwise confidential information. And, while lawyers have always had an obligation to protect client confidences, the heightened global concern over data privacy and proliferation of legal regulations to safeguard private personal information has minimized the margin for error when handling client records—especially when those records need to be shared in response to discovery requests or government investigative demands.

Yet, despite the ethical and legal obligations to protect privileged and confidential data, mistakes in handling privileged and confidential information continue to make headlines.

These are just a few examples:

In January 2019, Paul Manafort’s lawyers filed an improperly redacted response to Special Counsel Robert Mueller’s determination that Manafort had breached his plea agreement. The improperly redacted PDF file revealed Manafort’s contacts with Konstantin Kilimnik, a Ukrainian the FBI believes to be a Russian intelligence agent. 

In November 2018, Facebook’s lawyers submitted an improperly redacted document in its litigation with Six4Three, an app for finding bikini photos. The improperly redacted PDF file revealed that Facebook had considered charging the company for access to its user data.

In August 2018, the United States Postal Service, in response to a Freedom of Information request, produced an unredacted copy of the entire civilian personnel file of Congresswoman Abigail Spanberger, a former CIA officer, who at the time was a Congressional candidate. The file contained her SF-86 security clearance application with her social security number and answers to highly personal background questions over such matters as drug and alcohol use and health information.  

A lawyer’s failure to properly redact information can result in the disclosure of a client’s privileged or highly personal and potentially embarrassing information. Serious repercussions can result: waiver of attorney-client privilege, a malpractice lawsuit and possible professional disciplinary action that can lead to suspension or disbarment.

Given these high stakes, what should lawyers do to get redactions right? Everything they can, of course. 

First, recognize that confidential information, privileged or otherwise, is likely to be found in any collection of documents received from a client. So, there needs to be a process in place for identifying confidential information, properly redacting it (or, in some cases and especially with privileged information, withholding it) and conducting a quality control check before production to an opposing party or government agency. 

Second, build available technology into the process. Standard eDiscovery software can assist with the identification and redaction of confidential information. Keyword searches can be used to identify potentially privileged information as well as other types of confidential information. For example, searches can be set up to look for firm names, firm email domains, individual attorney names, and other words or phrases that could implicate privilege or work product, such as “Work Product,” “Attorney-Client Privileged,” “Lawsuit,” etc. As for confidential search terms, possible search terms would be “social security,” “SS#,” “DOB,” “telephone number,” etc. If the case involves protected health information, searches could be set up for doctor names, hospital names, related email domains and any known medical conditions. These terms can also be highlighted in the documents to assist human review.

With respect to certain types of personally identifying information, eDiscovery software can also be used to automatically redact that information when it is found. Social security numbers, telephone numbers and dates of birth have a standard pattern. Most eDiscovery software allows for what is in essence a sophisticated keyword search known as “regular expressions,” or “regex.” These searches look for patterns like ###-##-#### for social security numbers or ###-###-#### for telephone numbers. Once found, the software will automatically redact these patterns. Also, with standard forms, the software can be instructed to redact information in the same location on every form. Using these auto-redaction features saves both time and money. 

Where auto redaction is not possible, eDiscovery software facilitates the redaction process by providing tools that easily allow for the drawing of redaction boxes. These redaction boxes can be customized to include text such as “Redacted,” “Attorney-Client/Work Product,” or “Personal Identifying Information,” or whatever else might be appropriate for the case. The software also allows for one-click “full page” redactions, one-click “full document” redactions, and one-click removal of redactions — all of these features are tremendous time savers to which anyone who did redactions in the early age of eDiscovery can attest. 

Finally, conduct a rigorous quality control before any documents are produced. All documents that are marked for production that contain hits for the privileged/confidential keyword searches but do not contain redactions, should be subjected to human review. eDiscovery software can be used to quickly segregate these documents for the quality control (QC) process. 

A random sample of documents marked for production that do not contain hits for keyword searches should also be subjected to human review. Keyword searches can be both overinclusive and underinclusive. This QC step provides the opportunity to find where the searches have been underinclusive. Again, the eDiscovery software can be used to quickly segregate these documents and create a random sample for human review. 

To complete the QC process, a random sample of documents marked for production and containing redactions should be subjected to human review. This QC step will allow the opportunity to double check how well the eDiscovery software did in the case of auto redactions and how well the human reviewers did with manual redactions. As in the previous QC step, the eDiscovery software can be used to quickly segregate these documents and create a random sample for human review. 

Another step that does not depend on technology should also be taken in every case where there is a likelihood that confidential information will inadvertently be disclosed. A protective order should be entered that allows the producing party to “clawback” any documents that should have been withheld or redacted. The protective order should also provide that non-producing parties may not argue waiver based on the production of privileged information. In federal court, the parties should ask the court to enter an order under Federal Rule of Evidence 502(d). A 502(d) Order provides that the unintentional production of privileged information shall not operate as a waiver in the current proceeding or any subsequent federal or state proceeding. This precludes any satellite litigation over whether the production was inadvertent or not. However, the 502(d) Order does not cover the situation where a party intentionally turns over privileged information — for example, where there is a strategic advantage in doing so — and then later invokes the 502(d) Order to preclude further use of the information. Nor will the Order preclude a nonproducing party from arguing that information is not truly privileged. In state court proceedings, the parties should attempt to get an order similar to the 502(d) Order with the understanding it will not have the same binding effect outside of the current proceeding as the 502(d) Order does. 

One parting thought. As much as lawyers need to embrace technology to assist them with the more mundane, tedious tasks involved in the practice of law, in the case of redaction of confidential information, it is unlikely that the human element will be obviated any time soon. There just is no substitute for human review during the quality control process. Moreover, because it is the human lawyer who has the ethical obligation to protect the client’s confidential information and the human lawyer who may be subject to disciplinary or other legal action for disclosing the client’s confidential information or that of another individual, the human lawyer should be reluctant, at best, to stake their reputation and livelihood solely on technology.