• United States



Embedded Data Continues to be the Gift that Keeps on Giving

Jul 23, 20082 mins
Core Java

It seems not a week goes by that we don’t hear about yet another instance in which company confidential information is compromised because someone failed to carefully review an Office document (e.g., Word, Excel, and PowerPoint) before disseminating it publicly.  The most common problem is failing to remove information contained in embedded comments or available through “track changes.”  There are many examples.  Consider a vendor who sends a pricing proposal to a potential customer.  The proposal uses a vendor template.  When the customer receives the proposal, it turns on the track changes functionality and is able to see not only the name of the last customer, but also the pricing the vendor proposed to that customer.

In another example, in the midst of a negotiation, a vendor sends its customer a redline of a proposed contract.  Unbeknown to the vendor, the redline also includes confidential comments from its lawyer analyzing the risks of the engagement.

While Microsoft and several third party vendors provide tools for ensuring comments, information contained in tracked changes, and other embedded data are cleansed from documents before they are distributed, few companies use them on a routine basis.  Given the threat, businesses should explore deploying such tools and educating their employees on the importance of ensuring their internal/confidential comments and other information are not inadvertently made public in their documents.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author