Ethics and Professional Responsibility
New York Is the First State to Require Cybersecurity CLE
Pursuant to a June 2022 joint order of the Judicial Departments of the Appellate Division of the New York State Supreme Court, attorneys in that state will be required every two years to complete one hour of training in cybersecurity, data privacy, and data protection (“C-DP2”). According to the order, which amends various sections of Part 1500 of Title 22 of the Official Compilation of the Codes, Rules, and Regulations of the State of New York (the “Regulations”), the effective date of the new training requirement is January 1, 2023.
The requisite training may relate specifically to attorneys’ ethical obligations with respect to data protection; if so, the training will count toward ethics and professionalism CLE requirements. Alternatively, attorneys may choose training that is not ethics-specific, in which case the hour will count only toward general CLE requirements.
The Appellate Division adopted the cybersecurity CLE requirement based on a recommendation in a report by the New York State Bar Association’s Committee on Technology and the Legal Profession. The report focused on the dangers posed to the legal profession by increases in hacking and law office data breaches. New York is the first state to adopt such a specific requirement dealing with the three identified topics, although Florida and North Carolina already require some technology training as part of their CLE obligations.
Newly admitted New York lawyers may count the one hour of C-DP2 toward the thirty-two-hour CLE requirement that must be met during the first two years of practice. All other lawyers may count it towards a biennial twenty-four-hour CLE requirement. For newly minted lawyers, an hour of general cybersecurity training may count toward the seven-hour requirement each year with respect to “law practice management, areas of professional practice, and/or cybersecurity, privacy, and data protection-general.” Alternatively, if new members of the bar take ethics-related C-DP2 training, it will count toward the three-hour requirement each year for ethics and professionalism; of the six hours of CLE required to be dedicated to that area in the first two years of practice, up to three hours in total may relate to C-DP2.
According to new definitions added to § 1500.2(h) of the Regulations, generalized cybersecurity, privacy, and data protection credits must relate to the practice of law, and may include, inter alia:
- technological aspects of protecting client and law office electronic data and communications (including sending, receiving and storing electronic information; cybersecurity features of technology used by law firms; network, hardware, software and mobile device security; preventing, mitigating and responding to cybersecurity threats, cyber attacks and data breaches);
- vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication;
- applicable laws relating to cybersecurity (including data breach laws) and data privacy; and
- law office cybersecurity, privacy and data protection policies and protocols.
For C-DP2 training to count as “ethics-related,” it must relate specifically “to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communications” and may include, inter alia:
- sources of attorneys’ ethical obligations and professional responsibilities and their application to electronic data and communications;
- protection of confidential, privileged and proprietary client and law office data and communication;
- client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications;
- security issues related to the protection of escrow funds;
- inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and
- supervision of employees, vendors and third parties as it relates to electronic data and communication.
To be sure, one hour of C-DP2 training annually, viewed objectively, is not likely to be particularly effective in combating the proliferation of phishing, data breaches, and other cyberattacks targeting the practice of law. The new requirement may therefore be merely a first step towards a larger CLE requirement for New York lawyers in the future. It also seems likely that other states may follow New York’s lead and adopt similar measures.