Beginning January 1, 2023, all attorneys in New York must take continuing legal education courses on cybersecurity topics as a condition of practicing law in New York. The new continuing legal education requirement, the first in the nation, was recently ordered by the New York Supreme Court, Appellate Division, which regulates the legal profession in that state.
New York is one of 40 jurisdictions that specifically mandate “technology competence” as a component of lawyer ethics obligations. However, all states require lawyers to employ reasonable data security measures to protect client confidential information. This requirement is found in American Bar Association Model Rule 1.6(c), which states:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Every state imposes a similar ethical obligation on its lawyers.
Topics covered by New York’s new cybersecurity training mandate include:
- vetting and assessing vendors and other third parties relating to policies, protocols, and practices on protecting electronic data and communication
- identifying the sources of lawyers’ ethical obligations and professional responsibilities to safeguard electronic information
- protection of confidential, privileged and proprietary client information
- client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks, and privacy implications
- inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches, and cyber attacks
- supervision of employees, vendors and third parties as it relates to electronic data and communication
- technological aspects of protecting client and law office electronic data and communication (including sending, receiving, and storing electronic information; cybersecurity features of technology used)
- preventing, mitigating, and responding to cybersecurity threats, cyberattacks, and data breaches
- applicable laws relating to cybersecurity (including data breach laws) and data privacy
- law office cybersecurity, privacy and data protection policies and protocols
The required training includes substantive data security and privacy education, as well as training on professional ethical obligations surrounding client confidential information in electronic form.
Pressure for Cybersecurity Acumen Increasing
A lawyer’s obligation to employ reasonable data security measures extends beyond protections for clients of the firm. It also includes legal obligations to have in place data security protections for all personal information collected by the firm. These obligations arise from state data breach and information security laws that protect the personal information of state residents. In many cases, these laws create compliance obligations beyond state borders. The protections of data breach laws typically are tied to the person whose information is collected and not to the geographic location of the business (or law firm) that collected the information.
For example, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires all businesses to protect the personal information of New York residents. The SHIELD Act goes beyond nonspecific mandates for law firms to make “reasonable efforts” to protect personal information. It dictates how the personal information of New York residents should be safeguarded.
Most law firms and large corporate law departments — regardless of where they are located — will at some point collect personal information from New York residents, either through pleadings or electronic discovery materials.
Cyberinsurance is an increasingly popular tool to mitigate risks posed by data thieves and ransomware criminals. Cyberinsurance carriers are also pressuring law firms to strengthen protections around electronic information. Many are beginning to require law firms to provide evidence of Written Information Security Programs (WISPs), which outline the firm’s data security practices.
WISPs have been a feature of the data security landscape for more than a decade, and they are required by data security legislation in some states. In Massachusetts, for example, the Massachusetts Data Security Regulation requires every business that collects the personal information of Massachusetts residents to have in place minimum data security standards. The regulation sets out in detail the specific security safeguards each security program should contain.
A well-designed WISP raises information security awareness, establishes data security expectations, and explains in detail the steps the firm takes to protect personal and client confidential information possessed by the firm.
Need for Training Growing Outside New York
Other states have also taken steps toward creating technology training mandates, though not specifically in the area of cybersecurity. In Florida, for example, lawyers must take three hours (of the required 33 hours) in classes on technology topics. North Carolina mandates that one hour (of the required 12 hours) of its annual continuing legal education obligation be on a technology topic. And in Delaware, newly admitted lawyers are required to take a Fundamentals of Law Practice Management and Technology class.
The demand for training on cybersecurity and ethics topics hasn’t been lost on continuing legal education providers. Today nearly all national CLE providers – the American Bar Association, American Law Institute Continuing Legal Education, Practising Law Institute, LawLine, and West LegalEdCenter, to name just a few – offer cybersecurity and “cybersecurity ethics” training. State and local bar associations, even technology vendors themselves, are also active in this space.
To assist law firms in their ethical obligation to carefully vet technology vendors, Esquire Deposition Solutions documents its data security practices through Service Organization Control (SOC) reports developed by the American Institute of Certified Public Accountants (AICPA). We also publish detailed explanations of the data security safeguards we employ to protect from unauthorized disclosure all information processed during our business operations.