New York Establishes Mandatory CLE in Cybersecurity, Privacy, and Data Protection

New York has become the first state in the United States to mandate continuing legal education (CLE) coursework for attorneys specifically addressing cybersecurity, privacy, and data protection.

Under this new requirement, all practicing attorneys must complete one hour of focused training every two years. This required training must cover either the ethical obligations surrounding cybersecurity, privacy, and data protection, or the technological and practice management aspects of safeguarding electronic data and client communications.

Only two other states, Florida and North Carolina, currently mandate technology training as part of their lawyer continuing education requirements, and the scope of their requirements allows for a broader range of technology topics. New York’s regulation is the first to center its requirement specifically on these crucial data security topics. The state had previously adopted the duty of technology competence for lawyers in 2015.

The recommendation for this significant change originated from the New York State Bar Association’s Committee on Technology and the Legal Profession. In its 2020 report, the Committee explained that it chose a targeted requirement over a general technology training rule due to the critical importance of protecting client and law firm data.

The Committee’s report stated, “The Committee agreed that such a general requirement may result in attorneys not actually focusing on what the Committee believes to be one of the most pressing and urgent issues facing our legal profession: cybersecurity protection of confidential and proprietary client and law firm electronic information and assets, which includes protecting client and law firm monies maintained in escrow and operating accounts, all of which are subject to phishing, scams, impersonation, fraud and other wrongful artifices.”

The Committee expressed confidence that “requiring attorneys to take one credit in cybersecurity will sensitize and educate lawyers on how to secure confidential and proprietary client and law firm electronic information, and when and how to notify clients and/or law enforcement, as appropriate, in the event of a cyber incident.”

The Appellate Division of the New York State Supreme Court’s judicial departments adopted the recommendation on June 10, 2022, in a joint order. The new requirement takes effect on July 1, 2023.

The order confirms that the one-credit cybersecurity requirement does not increase the overall number of CLE hours mandated for New York attorneys, which remains at 32 hours for newly admitted attorneys and 24 hours for all others.

Defining the Training Requirements

The order establishes two distinct categories of cybersecurity training: one focused on ethics and the other on practice.

Cybersecurity, Privacy and Data Protection-Ethics training must pertain to a lawyer’s ethical obligations and professional responsibilities concerning the protection of electronic data and communication. Relevant topics may include, among other things: the sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication; protection of confidential, privileged, and proprietary client and law office data and communication; client counseling and consent regarding electronic data, communication, and storage protection policies, protocols, risks, and privacy implications; security issues related to the protection of escrow funds; inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches, and cyber attacks; and supervision of employees, vendors, and third parties as it relates to electronic data and communication.

Cybersecurity, Privacy and Data Protection-General training must relate to the practice of law. This may include, among other things, the technological aspects of protecting client and law office electronic data and communication (including sending, receiving, and storing electronic information; cybersecurity features of technology used; network, hardware, software, and mobile device security; preventing, mitigating, and responding to cybersecurity threats, cyber attacks, and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols, and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy, and data protection policies and protocols.

The rule permits attorneys to apply up to three hours of the ethics training toward their total biennial ethics and professionalism requirement, which is six years for new attorneys and four years for other attorneys.

The committee that developed this recommendation was co-chaired by Mark A. Berman, Ganfer Shore Leeds & Zauderer LLP, and Gail L. Gottehrer, vice president, global labor, employment & government relations, Fresh Del Monte. More analysis on this topic can be found on Human&Legal.