On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.
The New York State Bar Association’s (“NYSBA”) Committee on Technology and the Legal Profession initially recommended the new requirement in a 2020 report. In a joint order, the judicial departments of the Appellate Division of the New York State Supreme Court formally adopted the recommendation.
The required one hour of cybersecurity, data privacy and data protection training may be related to attorneys’ ethical obligations with respect data protection and count toward their ethics and professionalism CLE requirements. Alternatively, the credit may be related to general cybersecurity, data privacy and data protection issues and count toward attorneys’ general CLE requirements.
Ethics-related cybersecurity, privacy and data protection credits must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communications, and may include, among other topics:
- sources of attorneys’ ethical obligations and professional responsibilities and their application to electronic data and communications;
- protection of confidential, privileged and proprietary client and law office data and communication;
- client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications;
- security issues related to the protection of escrow funds;
- inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and
- supervision of employees, vendors and third parties as it relates to electronic data and communication.
General cybersecurity, privacy and data protection credits must relate to the practice of law, and may include, among other subjects:
- technological aspects of protecting client and law office electronic data and communications (including sending, receiving and storing electronic information; cybersecurity features of technology used by law firms; network, hardware, software and mobile device security; preventing, mitigating and responding to cybersecurity threats, cyber attacks and data breaches);
- vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication;
- applicable laws relating to cybersecurity (including data breach laws) and data privacy; and
- law office cybersecurity, privacy and data protection policies and protocols.