September 25, 2022

Volume XII, Number 268

Advertisement

September 23, 2022

Subscribe to Latest Legal News and Analysis

September 22, 2022

Subscribe to Latest Legal News and Analysis

New York Becomes First State to Require CLE in Cybersecurity, Privacy and Data Protection

On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.

The New York State Bar Association’s (“NYSBA”) Committee on Technology and the Legal Profession initially recommended the new requirement in a 2020 report. In a joint order, the judicial departments of the Appellate Division of the New York State Supreme Court formally adopted the recommendation.  

The required one hour of cybersecurity, data privacy and data protection training may be related to attorneys’ ethical obligations with respect data protection and count toward their ethics and professionalism CLE requirements. Alternatively, the credit may be related to general cybersecurity, data privacy and data protection issues and count toward attorneys’ general CLE requirements.

Ethics-related cybersecurity, privacy and data protection credits must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communications, and may include, among other topics:

  • sources of attorneys’ ethical obligations and professional responsibilities and their application to electronic data and communications;

  • protection of confidential, privileged and proprietary client and law office data and communication;

  • client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications;

  • security issues related to the protection of escrow funds;

  • inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and

  • supervision of employees, vendors and third parties as it relates to electronic data and communication.

General cybersecurity, privacy and data protection credits must relate to the practice of law, and may include, among other subjects:

  • technological aspects of protecting client and law office electronic data and communications (including sending, receiving and storing electronic information; cybersecurity features of technology used by law firms; network, hardware, software and mobile device security; preventing, mitigating and responding to cybersecurity threats, cyber attacks and data breaches);

  • vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication;

  • applicable laws relating to cybersecurity (including data breach laws) and data privacy; and

  • law office cybersecurity, privacy and data protection policies and protocols.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 227
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement