New York Could Become the First State to Require Cybersecurity CLE
New York attorneys could soon have to complete cybersecurity training courses to satisfy their continuing legal education (“CLE”) requirement. The House of Delegates of the New York State Bar Association (“NYSBA”) has approved a report proposing that NYSBA’s Executive Committee recommend to the New York State Continuing Legal Education Board that the biennial CLE requirement be amended to require one credit on cybersecurity. The Committee on Technology and the Legal Profession (the “Committee”), which submitted the report, recognized the mounting cybersecurity risks faced by law firms and in-house legal departments entrusted with their clients’ most sensitive data. Legal employers electronically holding their employees’ and clients’ private information, such as social security numbers, tax information, and financial account information, already are required to implement reasonable safeguards to protect such information, including workforce training, under the New York State Stop Hacks and Improve Electronic Data Security (the “SHIELD”) Act. The vote to adopt the new training requirement could occur as soon as this month; and if it is adopted, the requirement will exemplify the move in New York State to protect the public against cybersecurity risks to sensitive data.
Cybersecurity threats for attorneys and law firms are real and growing. Citing an October 2019 New York Law Journal article entitled “Eight NY Law Firms Reported Data Breaches as Problems Multiply Nationwide,” the Committee noted in its report that “the number of law firm data breaches” in New York alone “doubled in 2018.” Even in 2014, the NYSBA Committee on Professional Ethics recognized in Opinion 1019 that attorneys could “no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system.” With many employees working remotely during the COVID-19 pandemic, the number of external access points, which likely increased exponentially, is even greater today than it was just a year ago, further escalating the cyber risks that attorneys face and the need for training and other safeguards discussed here. The Committee’s recognition of the threats should come as no surprise; indeed, in 2018, 23% of attorneys responding to an ABA survey reported suffering a security breach at some point. In 2020, law firms have reportedly been the target of ubiquitous ransomware attacks impacting all organizations whose systems are open to the Internet.
In addition, the data security protections in the SHIELD Act are now effective and applicable to “any person or business,” including law firms and legal departments, that “owns or licenses computerized data” that includes a New York resident’s “private information.” These persons or businesses “shall develop, implement and maintain reasonable safeguards to protect” such information’s “security, confidentiality and integrity.” As we previously discussed here, such safeguards may include cybersecurity training for employees.
Moreover, the Committee observes in the report that “[m]andatory CLE was initially conceived, supported and implemented as a way to enhance both lawyer competence and public trust in the profession.” The legal profession and attorneys specifically are in a particularly unique position in relation to sensitive data. In addition to their or their employer’s own data, attorneys might have their clients’ data on their system(s) as well. Given that trust, New York attorneys need to “keep abreast of the benefits and risks associated with technology” that they “use to provide services to clients or to store or transmit confidential information,” according to Comment  to New York Rule of Professional Conduct 1.1. Also, under New York Rule of Professional Conduct 1.6(c), attorneys “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, information” that certain enumerated rules protect. The duty of confidentiality found in New York Rule of Professional Conduct 1.6 requires attorneys to “take reasonable care to affirmatively protect a client’s confidential information.” NYSBA Comm. on Prof’l Ethics, Op. 842 (2010). Staying abreast of cybersecurity issues and threats will aid attorneys in meeting this duty.
Regardless of whether the CLE requirement is implemented, it is therefore a best practice, an ethical obligation, and/or a legal requirement under the SHIELD Act for attorneys in a law firm or in a legal department to take an active role in information security, which should include participating in available workforce training in cybersecurity. Such training should encompass, for example, discussions of phishing, vishing, and other social engineering methods and should be updated periodically to account for new, sophisticated, and constantly evolving modes of cyberattack.
Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Shawndra G. Jones was a member of the New York State Bar Association’s (“NYSBA’s”) Committee on Technology and the Legal Profession when the Committee submitted the above-referenced report and is currently the Vice-Chair of the Committee. She is also a Co-Chair of NYSBA’s Committee on Continuing Legal Education and a Delegate to NYSBA’s House of Delegates.