On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cyber security, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.
The required one hour of cyber security, data privacy and data protection training may be related to attorneys’ ethical obligations with respect data protection and count toward their ethics and professionalism CLE requirements. Alternatively, the credit may be related to general cyber security, data privacy and data protection issues and count toward attorneys’ general CLE requirements.
General cyber security, privacy and data protection credits must relate to the practice of law, and may include, among other subjects:
- technological aspects of protecting client and law office electronic data and communications (including sending, receiving and storing electronic information; cyber security features of technology used by law firms; network, hardware, software and mobile device security; preventing, mitigating and responding to cyber security threats, cyber attacks and data breaches);
- vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication;
- applicable laws relating to cyber security (including data breach laws) and data privacy; and
- law office cyber security, privacy and data protection policies and protocols.
Ethics-related cyber security, privacy and data protection credits must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communications, and may include, among other topics:
- sources of attorneys’ ethical obligations and professional responsibilities and their application to electronic data and communications;
- protection of confidential, privileged and proprietary client and law office data and communication;
- client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications;
- security issues related to the protection of escrow funds;
- inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and
- supervision of employees, vendors and third parties as it relates to electronic data and communication.
