New requirements highlight lawyers’ technical competence duty to meet professional, ethical, and contractual obligations to safeguard client information. Credit: Simpson33 / Getty Images New York-barred attorneys will be required to complete one continuing legal education (CLE) credit hour of cybersecurity, privacy, and data protection training as part of their biennial learning requirement beginning July 1, 2023. New York is the first jurisdiction to stipulate this specific requirement as the state aims to emphasize the technical competence duty of lawyers to meet professional, ethical and contractual obligations to safeguard client information.Lawyers have ethical obligations and professional responsibilities around cybersecurityA New York Courts document outlined a new category of CLE credit – Cybersecurity, Privacy and Data Protection – that has been added to the CLE Program Rules. This category is defined in the CLE Program Rules 22 NYCRR 1500.2(h) and clarified in the Cybersecurity, Privacy, and Data Protection FAQs and Guidance document. “Providers may issue credit in cybersecurity, privacy, and data protection to attorneys who complete courses in this new category on or after January 1, 2023,” it stated. It also noted changes to both Experienced and Newly Admitted Attorney Biennial CLE requirements to include one credit hour of training in cybersecurity, privacy and data protection.The new requirements are based on fresh rules around cybersecurity, privacy, and data protection for legal practitioners, effective from January 2023. “Cybersecurity, privacy and Data protection-ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication,” it read. These may include:Sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communicationProtection of confidential, privileged, and proprietary client and law office data and communicationClient counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks, and privacy implicationsSecurity issues related to the protection of escrow fundsInadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyberattacksSupervision of employees, vendors and third parties as it relates to electronic data and communicationFurthermore, cybersecurity, privacy, and data protection-general must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication, vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication, applicable laws relating to cybersecurity and data privacy, and law office cybersecurity, privacy and data protection policies and protocols. Increasing cybersecurity, data protection concentration of legal regulatorsJonathan Armstrong, lawyer and partner at compliance firm Cordery, tells CSO that there is an increasing focus on cybersecurity, data protection, and privacy standards among legal regulators. “The [UK] Solicitors Regulation Authority (SRA), for example, had a cybersecurity break out session last week at the COLP/COFA conference for law firm compliance officers. I think it could catch on in other countries,” he says.Similar requirements in the UK (and EU) have come under the spotlight recently with the Information Commissioner’s Office (ICO) investigating data security issues at law firms. “This happened in the ACS:Law case where there was an ICO fine first and then a SRA suspension for the lawyer involved. More recently, we’ve had the ICO fine for Tuckers, which also mentioned SRA obligations in the Enforcement Notice. The ICO noted Tuckers’ failure to comply with the SRA code of conduct but has not applied any increase to the penalty percentage of 3.25% in this instance.” Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe