December 2022 in Brief: Legal Opinions & Ethics

Ethics and Professional Responsibility

New York Is the First State to Require Cybersecurity CLE

By Keith R. Fisher

Pursuant to a June 2022 joint order of the Judicial Departments of the Appellate Division of the New York State Supreme Court, attorneys in that state will be required every two years to complete one hour of training in cybersecurity, data privacy, and data protection (“C-DP2”). According to the order, which amends various sections of Part 1500 of Title 22 of the Official Compilation of the Codes, Rules, and Regulations of the State of New York (the “Regulations”), the effective date of the new training requirement is January 1, 2023.

The requisite training may relate specifically to attorneys’ ethical obligations with respect to data protection; if so, the training will count towards ethics and professional CLE requirements. Another option is to opt for training that is not ethics-specific, in which case the hour will count only toward general CLE requirements.

The Appellate Division adopted the cybersecurity CLE requirement based on a recommendation in a report by the New York State Bar Association’s Committee on Technology and the Legal Profession. The report focused on the dangers posed to the legal profession by increases in hacking and law office data breaches. New York is the first state to adopt such a specific requirement dealing with the three identified topics, although Florida and North Carolina already require some technology training as part of their CLE obligations.

Newly admitted New York lawyers may count the one hour of C-DP2 toward the thirty-two-hour CLE requirement that must be met during the first two years of practice. All other lawyers may count it towards a biennial twenty-four-hour CLE requirement. For newly minted lawyers, an hour of general cybersecurity training may count toward the seven-hour requirement each year with respect to “law practice management, areas of professional practice, and/or cybersecurity, privacy, and data protection-general.” Alternatively, if new members of the bar take ethics-related C-DP2 training, it will count toward the three-hour requirement each year for ethics and professionalism; of the six hours of CLE required to be dedicated to that area in the first two years of practice, up to three hours in total may relate to C-DP2.

According to new definitions added to § 1500.2(h) of the Regulations, generalized cybersecurity, privacy, and data protection credits must relate to the practice of law, and may include, inter alia:

technological aspects of protecting client and law office electronic data and communications (including sending, receiving and storing electronic information; cybersecurity features of technology used by law firms; network, hardware, software and mobile device security; preventing, mitigating and responding to cybersecurity threats, cyber attacks and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols.

For C-DP2 training to count as “ethics-related,” it must relate specifically “to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communications” and may include, inter alia:

• sources of attorneys’ ethical obligations and professional responsibilities and their application to electronic data and communications;
• protection of confidential, privileged and proprietary client and law office data and communication;
• client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications;
• security issues related to the protection of escrow funds;
• inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and
• supervision of employees, vendors and third parties as it relates to electronic data and communication.

To be sure, one hour of C-DP2 training annually, viewed objectively, is not likely to be particularly effective in combating the proliferation of phishing, data breaches, and other cyberattacks targeting the practice of law. The new requirement may therefore be merely a first step towards a larger CLE requirement for New York lawyers in the future. It also seems likely that other states may follow New York’s lead and adopt similar measures.

Legal Opinions

Delaware Supreme Court Finds General Partner Acted in Good Faith Based on Reliance on Legal Opinions as a Condition Precedent for the Exercise of Call Right

Boardwalk Pipeline Partners, LP v. Bandera Master Fund LP, 2022 WL 17750348 (Delaware Supreme Court)

By Tarik J. Haskins, Partner, Morris Nichols Arsht & Tunnell

In a recent opinion, the Delaware Supreme Court reversed a Court of Chancery decision that found that a general partner of a master limited partnership (the “Partnership”) breached the Partnership’s limited partnership agreement (the “Partnership Agreement”) when the general partner exercised its contractual call right, which resulted in a monetary damages award of almost $700 million dollars. Under the terms of the Partnership Agreement the general partner of the Partnership (the “General Partner”) possessed a call right entitling the General Partner to purchase the Partnership’s limited partnerships units that the General Partner and its affiliates did not own if certain conditions precedent were satisfied. The plaintiffs alleged that the following conditions precedent were not satisfied: (i) obtaining a legal opinion that “the Partnership’s status as an association not taxable as a corporation and not otherwise subject to an entity-level tax for federal, state or local income tax purposes has or will reasonably likely in the future have a material adverse effect on the maximum applicable rate that can be charged to customers” (the “Opinion Condition”) and (ii) a determination by the General Partner that the legal opinion is acceptable to the General Partner. The Court of Chancery agreed with the plaintiffs, finding that the General Partner improperly exercised the call right because the opinion the General Partner received from Baker Botts to satisfy the Opinion Condition was not issued in good faith and the wrong entity determined the acceptability of the opinion. In addition, the Court of Chancery found that the General Partner was not exculpated from damages under the Partnership Agreement.

On appeal, the Partnership, the General Partner, and other defendants (collectively, the “Boardwalk Parties”) argued that the Court of Chancery erred when it determined that (i) the sole member of the limited liability company General Partner was not the correct decision-maker to determine the acceptability of the opinion, and (ii) that the General Partner was not entitled to exculpation from damages under the terms of the Partnership Agreement.

The majority opinion agreed with the Boardwalk Parties, finding that the sole member of the General Partner was the correct decision-maker to determine the acceptability of the opinion. The majority opinion reasoned that based upon the express terms of the Partnership Agreement and the General Partner’s limited liability company agreement, the authority to determine the acceptability of the opinion was vested in the sole member of the General Partner.

The majority opinion also found that a contractual conclusive presumption set forth in the Partnership Agreement protected the General Partner from liability. The Partnership Agreement included a provision that provided that the General Partner will be conclusively presumed to have acted in good faith if it relies on advice of counsel. The majority opinion found that the conclusive presumption applied based on the General Partner’s reliance on an opinion it received from Skadden Arps. The Skadden Arps opinion determined that (i) the sole member of the General Partner was the correct decision-maker to determine the acceptability of the opinion and (ii) it was reasonable for the sole member of the General Partner to find that the Baker Botts opinion was acceptable, as such term was used in the Partnership Agreement. Based on the conclusive presumption set forth in the Partnership Agreement, the majority opinion concluded that the General Partner is presumed to have acted in good faith and is therefore immune from damages. The majority opinion did not address other arguments made by the Boardwalk Parties, including whether the Baker Botts opinion was issued in bad faith. The Delaware Supreme Court remanded the case for further proceedings consistent with its opinion.

In a concurring opinion, the concurring judges agreed with the majority opinion’s judgment but determined that the record supports the conclusion that the Baker Botts opinion was issued in good faith and, at a minimum, was not rendered in bad faith. The concurring opinion noted that the trial court’s determination that the Baker Botts opinion was not rendered in good faith “has the potential to fundamentally alter the legal environment in which opinions of counsel are prepared.” The concurring opinion stated that the trial court misapplied existing law with respect to the standard of review of legal opinions. The concurring opinion urged that the existing standard stated in Williams Cos. Inc. v. Energy Transfer Equity LP, 2016 WL 3576682 (Del. Ch. June 24, 2016), provided the correct standard of review, which required a reviewing court to apply a deferential standard that focused on the good faith of counsel as opposed to the legal opinion itself. Thus, the concurring opinion is instructive for practitioners who deliver legal opinions.