author photo
By Cam Sivesind
Tue | Nov 8, 2022 | 11:14 AM PST

With the risk of data breaches growing—and a quarter of law firms reporting in a 2021 survey that they experienced their own breaches—attorneys barred in New York must now formally brush up on their cybersecurity training.

Bloomberg is reporting that the State of New York is the first U.S. jurisdiction to require attorneys to complete one credit hour of cybersecurity, privacy, and data protection training as part of their biennial Continuing Legal Education (CLE).

The new requirement will go into effect July 1, 2023. Here are details on the new requirement from the New York State Unified Court System.

Courses focused on privacy and data protection with a bent toward cybersecurity are commonplace; New York attorneys can begin earning their new CLE credit as soon as January 1, 2023.

With recent headlines revealing breaches discovered when attorneys mistakenly sent sensitive data (e.g., the Alex Jones trial and Donald Trump's lawyers' release of emails via Dropbox link related to Jan. 6 Committee proceedings), attorneys need to learn how to prevent and/or respond to internal mishaps and external cyberattacks. 

Kara Hilburger, Esq., has been a licensed attorney in New York State since 2008. She is Managing Director and Partner at Octillo Law, a technology law firm and one of the few firms in the United States with a recognized focus solely on data security and privacy compliance, incident response, and litigation.

Hilburger told SecureWorld News:

"As attorneys, we have an important ethical and professional duty to safeguard and protect the confidentiality of client information, including electronic information. Part of this obligation is to stay up to date with the fast-moving threat landscape, regardless of the area of law we practice or the size of our law firm. Failing to prioritize data security can lead to significant consequences for attorneys, including business interruption, data and financial loss, and reputational damage.

The current landscape requires lawyers to stay up to speed with changes in technology used to practice law and understand the need to protect and safeguard this information from threat actors. New York's new CLE requirement is undoubtedly an important milestone in the industry."

At K&L Gates LLP, members of its Data Protection, Privacy, and Security practice group had this to say:

"While New York is the first state to do so, we expect to start seeing more states adopt similar requirements," said Jane Petoskey, Esq., Associate Attorney. "New York's requirement aligns with ABA Formal Opinion 477R (2017), 483 (2018), and 498 (2021), which set forth formal guidance on attorneys' obligations related to cybersecurity responsibilities, as well as those arising from an electronic data breach or cyberattack."

Jake Bernstein, Esq., Partner, added, "Both the American Bar Association (ABA) and states' model rules of professional conduct already require attorneys to be aware of the risks that come with the benefits of the use of technology (see Model Rules 1.1, 1.6, 5.1, and 5.3), so as technology advances and security inherently becomes a greater issue, we expect more states to enforce more training related to attorneys' cybersecurity and privacy practices."

Here's more on the new CLE program rules related to the cybersecurity, privacy, and data protection requirement.