Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

New York: First State to Require CLE in Cybersecurity, Privacy and Data Protection

August 9, 2022

LawSites reported on August 8 that New York is the first U.S. state to require that attorneys take continuing legal education courses in cybersecurity, privacy and data protection.

All attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications.

Only two other U.S. states, Florida and North Carolina, require technology training as part of a lawyer’s continuing education requirement. Those states’ CLE requirements permit training in a range of technology topics, which can include cybersecurity, but New York’s mandate is the first to focus its requirement on cybersecurity, privacy and data protection.

The recommendation for the mandate came from the New York State Bar Association’s Committee on Technology and the Legal Profession, which said in its 2020 report that it chose the specific requirement over a general one because of the importance of protecting client and law firm data.

“The Committee agreed that such a general requirement may result in attorneys not actually focusing on what the Committee believes to be one of the most pressing and urgent issues facing our legal profession: cybersecurity protection of confidential and proprietary client and law firm electronic information and assets, which includes protecting client and law firm monies maintained in escrow and operating accounts, all of which are subject to phishing, scams, impersonation, fraud and other wrongful artifices,” the committee’s report said.

“The Committee believes that requiring attorneys to take one credit in cybersecurity will sensitize and educate lawyers on how to secure confidential and proprietary client and law firm electronic information, and when and how to notify clients and/or law enforcement, as appropriate, in the event of a cyber incident.”

The recommendation was adopted June 10, 2022, in a joint order issued by the judicial departments of the Appellate Division of the New York State Supreme Court, and the new requirement will take effect on July 1, 2023.

The order creates two types of cybersecurity training, one focused on ethics and the other on practice. It describes the ethics training as follows:

Cybersecurity, Privacy and Data Protection-Ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication and may include, among other things: sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication; protection of confidential, privileged and proprietary client and law office data and communication; client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications; security issues related to the protection of escrow funds; inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and supervision of employees, vendors and third parties as it relates to electronic data and communication.

The rule describes the practice-related training this way:

Cybersecurity, Privacy and Data Protection-General must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication (including sending, receiving and storing electronic information; cybersecurity features of technology used; network, hardware, software and mobile device security; preventing, mitigating, and responding to cybersecurity threats, cyber attacks and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols.

Certainly, given what we’ve seen in providing cybersecurity services to law firms, there is generally a limited understanding of what cybersecurity measures may be ethically required to “reasonably” safeguard confidential data. I applaud the New York mandate and hope Virginia – and other states – will follow suit.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology