Beginning July 1, 2023, attorneys barred in New York will be required to complete one continuing legal education (CLE) credit hour of cybersecurity, privacy, and data protection training as part of their training requirements every two years. New York is the first jurisdiction to adopt such a specific requirement, as the state seeks to emphasize technical competence and the duty of lawyers to fulfill professional, ethical and contractual obligations to protect client information.
Lawyers have ethical obligations and professional responsibility regarding cyber security
A New York court document outlined a new CLE credit category – Cyber Security, Privacy and Data Protection – that was added to the CLE program rules. This category is defined in CLE Program Rules 22 NYCRR 1500.2(h) and is explained in the Cybersecurity, Privacy, and Data Protection Frequently Asked Questions and Guidelines document. “Providers may issue cybersecurity, privacy and data protection credits to attorneys who have completed courses in this new category on or after January 1, 2023,” it said. It also noted changes to the two-year CLE requirements for experienced and new attorneys to include one credit hour of training in cybersecurity, privacy and data protection.
The new requirements build on the new cyber security, privacy and data protection rules for legal practitioners, which came into force in January 2023. “Cyber security, privacy and ethics of data protection should relate to the ethical obligations and professional responsibility of lawyers regarding the protection of electronic data and communication,” it says. They may include:
- Sources of ethical obligations and professional responsibility of lawyers and their application to electronic data and communication
- Protection of confidential, privileged and closed data and communication of clients and legal offices
- Advising and consenting clients on electronic data protection, communication and storage policies, protocols, privacy risks and implications
- Security issues related to the protection of escrow funds
- Inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data leaks and cyber attacks
- Supervision of employees, suppliers and third parties related to electronic data and communications
In addition, cybersecurity, privacy and data protection should generally apply to the practice of law and may include, but are not limited to, the technological aspects of protecting electronic data and communications of clients and legal offices, vetting and evaluating vendors and other third parties, related policies, protocols and methods for protecting electronic data and communications, applicable laws relating to cybersecurity and data privacy, and law office cybersecurity, privacy, and data protection policies and protocols.
Legal regulators increasingly focused on cybersecurity, data protection
Jonathan Armstrong, a lawyer and partner at compliance firm Cordery, tells CSO that legal regulators are paying increasing attention to cybersecurity, data protection and privacy standards. “The [UK] Solicitors Regulation Authority (SRA), for example, held a cyber security session at the COLP/COFA conference for law firm compliance professionals last week. I think it can catch on in other countries,” he says.
Similar requirements in the UK (and the EU) recently came under the spotlight when the Information Commissioner’s Office (ICO) investigated data security at law firms. “This happened in the ACS:Law case where there was first an ICO fine and then an SRA suspension for the lawyer involved. We recently had an ICO fine for Tuckers which also mentioned the SRA’s obligations in the Enforcement Notice. The ICO noted Tuckers’ failure to comply with the SRA Code of Conduct but did not apply any increase in the 3.25% penalty percentage in this case.”
Copyright © 2022 IDG Communications, Inc.