How to Redact Legal Documents Properly


TL;DR — Key Takeaways

  • Just because you can’t see it, doesn’t mean it’s not there. Metadata and invisible-to-the-eyeball text can still be present throughout digital files.
  • Human error and software flaws are both areas of concern for effective and consistent redaction.
  • Improper redacting practices leave you liable for releasing sensitive data, potentially resulting in massive damages.
  • Future-proofing your security and compliance protocols includes educating your team on redaction pitfalls and leveraging dedicated software. 

From the 2014 leak of sensitive NSA data by the New York Times to Meta’s 2023 disclosure of millions of Facebook users’ data in the Cambridge Analytica lawsuit, sloppy redaction practices can wreak havoc for companies, individuals, and governments. [1, 2]

Redaction is the process of removing specific types and details of information to protect privacy and adhere to lawful and ethical practices when handing over sensitive documents to outside parties. 

Correctly and safely redacting files presents challenges, but proven practices and reliable tools can protect your data, ensure compliance, maintain your reputation, and deliver accurate results.

Delivering the right information when, how, and to whom you intend is critical to managing your clients’ best interests and achieving successful case outcomes. Unintentionally sharing data in documents given to opposing counsel, the courts, or even client family members can leave you open to litigation, damages, and loss of reputation. 

Common Types of Information That Require Redaction 

Before delivering documents in your possession, be aware of what data typically needs to be redacted for compliance purposes in addition to strategic considerations. 

  • PII or personally identifiable information, like name, address, biometrics, ID numbers
  • PHI or personal health information, including clinical, billing, medical records, etc.
  • Financial data, particularly complete account numbers 
  • Attorney-client communication and work product
  • Trade secrets, competitive information, internal decision-making processes 

Additionally, some document and circumstance combinations may require redaction of: 

  • Law enforcement sensitive data
  • Names of minor children (initials only)
  • Medical record numbers, diagnoses, treatment details, and admission dates
  • Student names, grades, transcripts, and contact information 
  • Employment and salary history
  • Race, gender, and political opinions
  • Faces, license plates, and victim and witness identities
  • Confidential sources in body camera and CCTV footage

When Redaction Is Legally Required

There are multiple sources of laws that regulate what specific information can be shared legally. 

First, establish whether the legal documents, parties, or matters at hand fall under federal entities and laws. The most common for the legal industry are:

  • HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule
  • Federal Rules of Civil Procedure Rule 5.2
  • Federal Rules for Criminal Procedure Rule 49.1
  • CJIS (Criminal Justice Information Services) 

For financial documents and needs, these acts each identify redaction needs: 

  • PCI-DSS (Payment Card Industry Data Security Standard)
  • Gramm-Leach-Bliley Act (GLBA), AKA Financial Services Modernization Act of 1999
  • Fair Credit Reporting Act (FCRA)

Less commonly, lawyers may encounter federal redaction requirements from: 

  • FERPA (Family Educational Rights and Privacy Act)
  • U.S. National Security Agency (NSA) 
  • Freedom of Information Act (FOIA)

In addition to federal frameworks, you may need to consider state and international guidelines, such as: 

  • GDPR (General Data Protection Regulation) from the European Union (EU)
  • CCPA (California Consumer Privacy Act) 
  • California’s new Race Blind Charging Guidelines

Whether you engage a full-service redaction partner or not, it’s essential to understand how the process works and what oversight is necessary to protect your interests. 

Step 1 — Identify All Sensitive and Protected Information

Based on which sets of privacy and data restrictions apply, establish or select a master list of protected information categories and fields. 

In addition to data that is more formulaic or easily entered into search/find parameters, indicate more complex contents like internal business practices that need to be excluded. Identify keywords and clarify the level of redaction needed for these areas.

Step 2 — Choose an Approved Redaction Method 

Your redaction procedures should cover both digital and physical content. With paper documents, the most effective method is to cut out sections that need to be redacted and then scan or copy the pages. Using a marker or covering copy with tape or paper isn’t entirely secure, as there have been instances where text has been visible due to a difference in ink tone and coverage, or a lack of 100% opacity in the paper or tape covers.

For digital files, note that the methods for handling, securing, and accessing data shift rapidly. Some software that has been deemed safe for redaction use in the past has proven to be less effective or has been overcome by hackers (or even by general computer users). 

Vet software and tools that: 

  • Are expressly created for legal redaction
  • Utilize established cybersecurity frameworks 
  • Are monitored and updated as security protocols and practices change
  • Employ external audits in their compliance and security standards monitoring

Step 3 — Use Redaction Tools Correctly 

Redacting isn’t an intuitive or a “what you see is what you get” process. Importantly, the goal isn’t to hide data from eyesight, since hidden or changed text can often be easily recovered. Instead, proper redaction relies on full removal of text with no history of changes.

This can mean different things in practice. For instance, with digital files, do not: 

  • Make the text color the same as the background color (i.e., white on white)
  • Highlight text in black
  • Put black boxes or lines over text
  • Ignore metadata or hidden layers

Instead, use dedicated software that: 

  • Fully removes rather than hides text
  • Does not retain a history of changes that can be accessed to show past versions
  • Accesses all metadata and hidden text to redact what is necessary

Step 4 — Verify the Redacted Document for Accuracy and Safety

Perform a final legal document review to ensure that all relevant text has been redacted accurately. This includes: 

  • Reviewing privileged information redaction to ensure it’s thorough without overstepping
  • Using pattern recognition and search features to confirm target data is fully redacted
  • Testing across formats and devices to ensure the permanence of scrubbed data
  • Checking manual paper redactions carefully—human error level increases over time

Common Redaction Mistakes to Avoid

Ensure that your redaction partners understand how easily incorrect information can be retained in improperly prepared files. 

Leaving Metadata or Hidden Text Visible

Don’t assume it doesn’t exist just because you can’t see it. Metadata may contain names, identification numbers, key dates, diagnoses, and other sensitive personal data. Files must be scrubbed to remove sensitive data from any such invisible markers prior to being handed off. 

In addition to traditional metadata, look out for: 

  • Multiple file layers with some layers hidden from view 
  • Comments and annotations
  • Embedded files and attachments
  • Unreferenced data (unlinked to the main page tree but existing within the internal structure)
  • Unsanitized files with versioning/data from previous saves
  • Data from interactive form fields, even when the file has been flattened and saved

Other types of hidden text that are machine-readable or retrievable include: 

  • Images or text placed outside of the visible area or margins 
  • Text placed underneath another object on the page
  • Images or text shrunk down to a minuscule size in inconspicuous locations
  • Text set to have 0% opacity or the same color as the background

Using Improper Tools That Can Be Reversed

Formats such as word processing documents allow recipients to make changes and access past versions or file histories, entirely undoing the redaction process. This is particularly important to note if you’ve used highlighting or color-changing to disguise text.
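
The pattern search from Step 4 and the Word-format risks described above can be checked mechanically. The following Python is an added example, not code from the original article or from any redaction product: it opens a .docx as the ZIP package it is and flags recolored, hidden, tracked-deleted, commented, or author-metadata content, plus one sample SSN pattern. The function names, the sample package, the name "Jane Example", and the number 000-12-3456 are constructed for illustration.

```python
import io
import re
import zipfile

# Markup that hides or retains content instead of removing it (WordprocessingML).
RESIDUE = {
    "tracked deletion": r"<w:del\b",
    "hidden (vanish) text": r"<w:vanish\b",
    "white font color": r'<w:color\b[^>]*w:val="FFFFFF"',
    "black highlight": r'<w:highlight\b[^>]*w:val="black"',
    "comment": r"<w:comment\b",
    "author metadata": r"<(dc:creator|cp:lastModifiedBy)>[^<]+<",
}
SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")  # one sample target pattern

def scan_docx(data: bytes) -> set[tuple[str, str]]:
    """Return (part name, finding) pairs for residue in a 'redacted' .docx."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in (n for n in pkg.namelist() if n.endswith(".xml")):
            xml = pkg.read(name).decode("utf-8", "replace")
            for label, pattern in RESIDUE.items():
                if re.search(pattern, xml, re.I):
                    findings.add((name, label))
            # Drop tags so a value split across several runs still matches.
            if SSN.search(re.sub(r"<[^>]+>", "", xml)):
                findings.add((name, "SSN pattern"))
    return findings

def build_docx(body: str) -> bytes:
    """Constructed sample package holding only the parts the scan reads."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    doc = f"<w:document {ns}><w:body><w:p>{body}</w:p></w:body></w:document>"
    core = "<cp:coreProperties><dc:creator>Jane Example</dc:creator></cp:coreProperties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", doc)
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed inputs: recolored text plus a tracked deletion, then true removal.
WHITE = '<w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
OBSCURED = build_docx(
    "<w:r><w:t>Claimant SSN: </w:t></w:r>"
    f"<w:r>{WHITE}<w:t>000-12-</w:t></w:r><w:r>{WHITE}<w:t>3456</w:t></w:r>"
    '<w:del w:id="1" w:author="Jane Example"><w:r><w:delText>DOB 1980-02-03</w:delText></w:r></w:del>')
REMOVED = build_docx("<w:r><w:t>Claimant SSN: [REDACTED]</w:t></w:r>")

if __name__ == "__main__":
    print(*sorted(scan_docx(OBSCURED)), sep="\n")
```

The copy with the text actually removed still reports author metadata in docProps/core.xml, which is the kind of residue the metadata section above describes. The scan reads XML parts only, so embedded files and images need a separate review.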

A correctly prepared PDF is the preference for most document sharing, which means following the guidelines above (i.e., fully removing redacted content vs. obscuring it). Unlike formats such as .docx and .xlsx, a PDF serves as a simple, static file. It can be read across multiple devices and platforms with minimal changes and without a version or edit history.

Not Following Compliance Standards

PHI and PII standards can be tricky to implement without compromising the integrity or usefulness of a document. Under some standards, you may be directed to show partial data, such as: 

  • Birth year without month or day
  • Last four digits of a Social Security number
  • Last 3 – 5 characters of other types of identification numbers
  • Last name with first initial only
  • State of residence without street address

Keep in mind that many redaction projects will fall under multiple compliance structures. In these cases, your software or team will need to ensure that the strictest or most comprehensive rule is followed for the most secure legal documents.

Keeping client and firm data secure is a delicate balance when files are frequently shared with opposing counsel, the courts, insurance firms, and other third parties. As such, your team needs to fully understand the pitfalls of inadequate redaction practices and how easily incorrect data can be retained in files.

While best practices and careful monitoring will help you avoid the risks of inadequate redaction, consider engaging dedicated redaction professionals and software services for thorough redaction you can consistently count on. 

And to start out with transcripts that have every word in place, depend on court reporting from U.S. Legal Support. Our network of 5,000+ independent professionals is nationwide and covers every practice area and specialty—plus, we offer comprehensive litigation and trial support services.  

Sources: 

  1. CaseGuard. The Embarrassment of Failing to Redact PDFs Properly. https://caseguard.com/articles/the-embarrassment-of-failing-to-redact-pdfs-properly/
  2. PDF Association. A case study in PDF forensics: The Epstein PDFs. https://pdfa.org/a-case-study-in-pdf-forensics-the-epstein-pdfs/
Julie Feller
Julie Feller is the Vice President of Marketing at U.S. Legal Support, where she leads innovative marketing initiatives. With a proven track record in the legal industry, Julie previously served at Abacus Data Systems (now Caret Legal), where she played a pivotal role in providing cutting-edge technology platforms and services to legal professionals nationwide.

Editorial Policy

Content published on the U.S. Legal Support blog is reviewed by professionals in the legal and litigation support services field to help ensure accurate information. The information provided in this blog is for informational purposes only and should not be construed as legal advice for attorneys or clients.