New York Becomes First State To Mandate CLE In Cybersecurity, Privacy, And Data Protection

New York has become the first U.S. state to mandate that attorneys take continuing legal education courses in cybersecurity, privacy and data protection.

Under the new requirement, all attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications.

Only two other U.S. states mandate technology training as part of a lawyer’s continuing education requirement, Florida and North Carolina. While those states’ CLE requirements allow for training in a range of technology topics, which can include cybersecurity, New York’s is the first to focus its requirement on these topics.

New York had previously, in 2015, adopted the duty of technology competence for lawyers.

Related: 40 States Have Adopted the Duty of Technology Competence.

The recommendation for the change came from the New York State Bar Association’s Committee on Technology and the Legal Profession, which said in its report, issued in 2020, that it chose the specific requirement over a general one because of the importance of protecting client and law firm data.

“The Committee agreed that such a general requirement may result in attorneys not actually focusing on what the Committee believes to be one of the most pressing and urgent issues facing our legal profession: cybersecurity protection of confidential and proprietary client and law firm electronic information and assets, which includes protecting client and law firm monies maintained in escrow and operating accounts, all of which are subject to phishing, scams, impersonation, fraud and other wrongful artifices,” the committee’s report said.

“The Committee believes that requiring attorneys to take one credit in cybersecurity will sensitize and educate lawyers on how to secure confidential and proprietary client and law firm electronic information, and when and how to notify clients and/or law enforcement, as appropriate, in the event of a cyber incident.”

The recommendation was adopted June 10, 2022, in a joint order issued by the judicial departments of the Appellate Division of the New York State Supreme Court, and the new requirement will take effect on July 1, 2023.

Under the order, the one-credit cybersecurity requirement does not increase the overall numbers of CLE hours required for New York attorneys, which is 32 hours for new attorneys and 24 for all other attorneys.

The order creates two types of cybersecurity training, one focused on ethics and the other on practice. It describes the ethics training as follows:

Cybersecurity, Privacy and Data Protection-Ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication and may include, among other things: sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication; protection of confidential, privileged and proprietary client and law office data and communication; client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications; security issues related to the protection of escrow funds; inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and supervision of employees, vendors and third parties as it relates to electronic data and communication.

The rule describes the practice-related training this way:

Cybersecurity, Privacy and Data Protection-General must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication (including sending, receiving and storing electronic information; cybersecurity features of technology used; network, hardware, software and mobile device security; preventing, mitigating, and responding to cybersecurity threats, cyber attacks and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols.

The rule allows lawyers to apply up to three hours of the ethics training to their total biennial ethics and professionalism requirement, which is six years for new attorneys and four years for other attorneys.

The committee that recommended the change was cochaired by Mark A. Berman, Ganfer Shore Leeds & Zauderer LLP, and Gail L. Gottehrer, vice president, global labor, employment & government relations, Fresh Del Monte.