The New York State Unified Court System recently published for public comment a proposal that would require state’s lawyers to take one hour of continuing legal education (CLE) on cybersecurity topics. The proposal, if adopted, would make New York the first state to explicitly require cybersecurity education for its attorneys.
New York officials want attorneys to successfully complete one CLE credit in a new category called “Cybersecurity, Privacy, and Data Protection.” The cybersecurity category would have two components:
- Ethics: Classes would include instruction on the ethical obligations relating to the protection of electronic data and communication.
- General: General cybersecurity classes would cover technological aspects of protecting client and law office electronic data and communication, and applicable laws relating to cybersecurity, privacy, and data protection.
Looking outside New York, it appears that very few states have mandated professional education on technology topics:
- In Florida, all lawyers must take 33 hours of CLE every three years, with three of those hours in classes on technology topics.
- In North Carolina, one hour of the required 12 hours of annual CLE must be on a technology topic.
- In Delaware, newly admitted lawyers must take a class Fundamentals of Law Practice Management and Technology.
Although few states have been active on the CLE front, many have adopted ethical rules that require attorneys to have a solid understanding of technology’s implications for their practices and client matters. We’ve written often about this duty (here, here, and here most recently).
The ethical obligation of technology competence was added to the ABA Model Rules of Professional Conduct in 2012 and has been adopted in 39 states so far. Comment 8 to ABA Model Rule 1.1 (Competence) states that a lawyer “shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
New York’s proposal for a mandatory cybersecurity CLE will help that state’s lawyers meet an obligation that they likely already have under Comment 8. According to the proposal:
Communication and data are being delivered more often by electronic means, and threats to that information are becoming more sophisticated and frequent. This training would cover, among other topics: cyber threats, cyber attacks, data breaches, the importance of securing and protecting electronic data and communication, appropriate cybersecurity and privacy policies and protocols, and compliance with professional and ethical obligations to protect confidential client and law firm data. Although some states have a general technology CLE requirement, it is believed that New York would be the first state to have a cybersecurity CLE requirement.
A decision by New York officials on a new cybersecurity CLE requirement is likely this year. The public comment period closed February 15, 2022. When public comments are published for review, they will be available on this webpage.
The general idea of mandating cybersecurity CLE has been under discussion in New York for quite a while now. The New York State Bar Association recommended mandatory cybersecurity CLE in 2020. At the time, NYSBA Committee on Technology and the Legal Profession co-chair Mark A. Berman, of Ganfer Shore Leeds & Zauderer in New York City, said at the time that voluntary cybersecurity courses do not attract enough interest to be effective.