New York-barred attorneys will be required to complete one continuing legal education (CLE) credit hour of cybersecurity, privacy, and data protection training as part of their biennial learning requirement beginning July 1, 2023. New York is the first jurisdiction to stipulate this specific requirement as the state aims to emphasize the technical competence duty of lawyers to meet professional, ethical and contractual obligations to safeguard client information.
Lawyers have ethical obligations and professional responsibilities around cybersecurity
A New York Courts document outlined a new category of CLE credit – Cybersecurity, Privacy and Data Protection – that has been added to the CLE Program Rules. This category is defined in the CLE Program Rules 22 NYCRR 1500.2(h) and clarified in the Cybersecurity, Privacy, and Data Protection FAQs and Guidance document. “Providers may issue credit in cybersecurity, privacy, and data protection to attorneys who complete courses in this new category on or after January 1, 2023,” it stated. It also noted changes to both Experienced and Newly Admitted Attorney Biennial CLE requirements to include one credit hour of training in cybersecurity, privacy and data protection.
The new requirements are based on fresh rules around cybersecurity, privacy, and data protection for legal practitioners, effective from January 2023. “Cybersecurity, privacy and Data protection-ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication,” it read. These may include:
- Sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication
- Protection of confidential, privileged, and proprietary client and law office data and communication
- Client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks, and privacy implications
- Security issues related to the protection of escrow funds
- Inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyberattacks
- Supervision of employees, vendors and third parties as it relates to electronic data and communication
Furthermore, cybersecurity, privacy, and data protection-general must relate to the practice of law and may include, among other things:
- Technological aspects of protecting client and law office electronic data and communication
- Vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication
- Applicable laws relating to cybersecurity and data privacy
- Law office cybersecurity, privacy and data protection policies and protocols
Legal regulators are increasingly focused on cybersecurity and data protection
Jonathan Armstrong, lawyer and partner at compliance firm Cordery, tells CSO that there is an increasing focus on cybersecurity, data protection, and privacy standards among legal regulators. “The [UK] Solicitors Regulation Authority (SRA), for example, had a cybersecurity breakout session last week at the COLP/COFA conference for law firm compliance officers. I think it could catch on in other countries,” he says.
Similar requirements in the UK (and EU) have come under the spotlight recently, with the Information Commissioner’s Office (ICO) investigating data security issues at law firms. “This happened in the ACS:Law case, where there was an ICO fine first and then an SRA suspension for the lawyer involved. More recently, we’ve had the ICO fine for Tuckers, which also mentioned SRA obligations in the Enforcement Notice. The ICO noted Tuckers’ failure to comply with the SRA code of conduct but has not applied any increase to the penalty percentage of 3.25% in this instance.”