


UK Editor

New York-barred attorneys required to complete cybersecurity, privacy, and data protection training

Nov 14, 2022 | 3 mins
Compliance | Data Privacy | Legal

New requirements highlight lawyers’ technical competence duty to meet professional, ethical, and contractual obligations to safeguard client information.


New York-barred attorneys will be required to complete one continuing legal education (CLE) credit hour of cybersecurity, privacy, and data protection training as part of their biennial learning requirement beginning July 1, 2023. New York is the first jurisdiction to stipulate this specific requirement as the state aims to emphasize the technical competence duty of lawyers to meet professional, ethical and contractual obligations to safeguard client information.

Lawyers have ethical obligations and professional responsibilities around cybersecurity

A New York Courts document outlined a new category of CLE credit – Cybersecurity, Privacy and Data Protection – that has been added to the CLE Program Rules. This category is defined in the CLE Program Rules 22 NYCRR 1500.2(h) and clarified in the Cybersecurity, Privacy, and Data Protection FAQs and Guidance document. “Providers may issue credit in cybersecurity, privacy, and data protection to attorneys who complete courses in this new category on or after January 1, 2023,” it stated. It also noted changes to both Experienced and Newly Admitted Attorney Biennial CLE requirements to include one credit hour of training in cybersecurity, privacy and data protection.

The new requirements are based on fresh rules around cybersecurity, privacy, and data protection for legal practitioners, effective from January 2023. “Cybersecurity, privacy and Data protection-ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication,” it read. These may include:

  • Sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication
  • Protection of confidential, privileged, and proprietary client and law office data and communication
  • Client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks, and privacy implications
  • Security issues related to the protection of escrow funds
  • Inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyberattacks
  • Supervision of employees, vendors and third parties as it relates to electronic data and communication

Furthermore, cybersecurity, privacy, and data protection-general must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication, vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication, applicable laws relating to cybersecurity and data privacy, and law office cybersecurity, privacy and data protection policies and protocols.

Increasing cybersecurity, data protection concentration of legal regulators

Jonathan Armstrong, lawyer and partner at compliance firm Cordery, tells CSO that there is an increasing focus on cybersecurity, data protection, and privacy standards among legal regulators. “The [UK] Solicitors Regulation Authority (SRA), for example, had a cybersecurity break out session last week at the COLP/COFA conference for law firm compliance officers. I think it could catch on in other countries,” he says.

Similar requirements in the UK (and EU) have come under the spotlight recently with the Information Commissioner’s Office (ICO) investigating data security issues at law firms. “This happened in the ACS:Law case where there was an ICO fine first and then an SRA suspension for the lawyer involved. More recently, we’ve had the ICO fine for Tuckers, which also mentioned SRA obligations in the Enforcement Notice. The ICO noted Tuckers’ failure to comply with the SRA code of conduct but has not applied any increase to the penalty percentage of 3.25% in this instance.”


Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
