New Cybersecurity CLE Requirements Announced for New York Attorneys

In June 10, the New York State Supreme Court’s Appellate Division issued a joint order adopting amendments to its continuing education requirements. Under these requirements, attorneys that are newly admitted to the New York State Bar must complete Continuing legal education (CLE) requirements, and some of these trainings must now include cybersecurity education.

This order was adopted based on the recommendations contained in a report released in June 2020 by the New York State Bar Association’s Committee on Technology and the Legal Profession. The Committee’s report recommends the inclusion of at least one cybersecurity credit  to be included in the “ethics and professionalism” category of CLE requirements, but would not “add to the minimum 24-hour biennial rule for experienced attorneys or the 32-hour biennial requirement for new attorneys.”

The report states that the Committee believes “that requiring attorneys to take one credit in cybersecurity will sensitize and educate lawyers on how to secure confidential and proprietary client and law firm electronic information, and when and how to notify clients and/or law enforcement, as appropriate, in the event of a cyber incident.”

Under the current requirements, “Newly Admitted attorneys (admitted to the New York Bar for two years or less) are required to complete 32 credit hours in transitional accredited programs during the first two years of admission – 16 credit hours in each year as follows: 3 in Ethics and Professionalism credit, 6 in Skills, and 7 in Law Practice Management and/or Areas of Professional Practice.”

Under the adopted requirements, the joint order mandates a minimum of one “cybersecurity, privacy, and data protection general” course. According to the definitions released in the joint statement, these courses must “relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication; Vetting and assisting vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; Applicable laws relating to cyber security…and data privacy, and; Law office cyber security, privacy, and data protection policies and protocols.”

Additionally, a maximum of three “cybersecurity, privacy, and data protection ethics” can be utilized to satisfy the ethics hourly credit. This is defined as relating to “lawyers’ ethical obligations at professional responsibilities regarding the protection of electronic data and communication.”

This new requirement may signal the shift amongst professional industries, such as lawyers, to not only analyze cybersecurity laws and regulations, but comply with them themselves to ensure a better over cyber health.

* * * * * * *

To read our coverage on New York State Department of Financial Services (NYFDS) request for public comment on their proposed amendments to their cybersecurity requirements for financial services companies, the Cybersecurity Requirements for Financial Services Companies (Part 500), click here.

For ADCG’s Breach Report and more news updates discussing: the FTC announcing new Data Privacy Rules; Troy Hunt, security researcher, releasing a new email spamming tool to dupe scammers; and Data Privacy advancing in Africa, click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Our new podcast episodes are released Thursdays, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!