Beginning July 1, 2023, all Experienced and Newly Admitted Attorneys licensed in the state of New York will be required to certify one Continuing Legal Education credit per person per registration period on the new subject of Cybersecurity, Privacy and Data Protection. This new category will have two parts, Ethics and General. In encouraging continuing education providers to develop robust CLE presentations on this material, the New York State Unified Court System Continuing Legal Education Board issued guidance, noted below, and states it welcomes relevant and timely programs.
This new CLE requirement comes at a time when privacy laws are exploding in number, complexity, and geographic diversity across state, federal, and international jurisdictions, and on a wide array of concerning topics. Businesses and professionals from every corner of the economy are impacted by digital systems, electronic systems data, and internet commerce. The question is no longer merely, what can technology do? but also, what should technology do? as the ethical responsibilities attendant to the handling of client, employee, user, individual, and customer data become mandatory for all. The New York Bar's response to this new economy and business environment seeks to keep pace with these rapid transformations.
As stated at nycourts.gov:
"New York State Continuing Legal Education Board
Guidance Relating to the New Cybersecurity, Privacy and Data Protection Category of CLE Credit
The Cybersecurity, Privacy and Data Protection category of CLE credit has two parts: Ethics and General (New York State CLE Program Rules, section 1500.2[h]).
Below are program ideas intended to assist providers when planning Cybersecurity Ethics and Cybersecurity General courses. Providers are not limited to the subjects listed and are encouraged to develop relevant and timely programs.
Program Areas for Cybersecurity Ethics
Awareness/Application
The rules governing attorney conduct, including New York’s Rules of Professional Conduct and the ABA Model Rules, as they apply to electronic data and communication
Ethics opinions relating to electronic data and communication, including ethics opinions of bar associations and other groups
Norms relating to lawyers’ professional obligations to clients, law office, court and third parties regarding securing and protecting electronic data and communication
Hypotheticalsaddressingethicalissuesrelatingtocybersecurityinlegalpractice (teaching about or discussion of the circumstances encountered when securing, protecting and maintaining electronic data and communication)
Protecting Client
Ethical obligations relating to confidentiality and how they apply to securing, protecting and maintaining clients’ confidential, privileged and proprietary electronic data and communication
Ethical obligation to secure and protect escrow funds from cyber threats, cyber attacks and data breaches
Professional responsibility to safeguard and secure clients’ electronic data and communication
Communicating and Obtaining Consent from Client
Responsibility to communicate with client about how and where client information will be stored, maintained, and related privacy implications
Responsibility to communicate with client about law office’s electronic data and communication protection protocols and policies
Obtaining informed consent from client regarding electronic communication and data storage policies and practices
Protecting Law Office
Ethical obligations relating to confidentiality and how they apply to securing, protecting and maintaining law office’s confidential, privileged and proprietary electronic data and communication (including remote work)
Professional responsibility to safeguard and secure law office’s electronic data and communication
Ethical obligation to secure and protect escrow funds from cyber threats
Storing, Maintaining and Destroying
Ethical obligations and professional responsibilities as they relate to storing confidential, privileged and proprietary electronic data and communication
Ethical obligations and professional responsibilities relating to maintaining and destroying electronic data and communication
Law Office Electronic Data and Communication Policies and Protocols
Creating, adopting and updating electronic data and communication protection policies and protocols for law office (including scope of cybersecurity insurance coverage)
Creating, adopting and updating cyber incident response plans for law office (including awareness of security best practices and industry standards, and evaluating how best to protect client and law office electronic data and communication);
Supervising law office staff in securing, maintaining and destroying confidential, privileged and proprietary client and law office electronic data and communication
Supervision
1. Ethical obligations and professional responsibilities of supervising employees, vendors and third parties relating to electronic data and communication
Inadvertent Disclosure/Law Office Failure
Ethical obligations surrounding inadvertent disclosure of confidential data and communication by electronic means (duty to client, court, opposing counsel, third parties)
Duty to refrain from revealing confidential information by electronic means (e.g., social media usage)
Data Breach/Cyber Attack/Cyber Threat
Ethical obligations to client surrounding a data breach, cyber attack, or cyber threat including disclosure to client
Ethical obligations to court, opposing counsel and third parties surrounding a data breach, cyber attack or cyber threat
Program Areas for Cybersecurity General
Understanding Technology
Understanding fundamental issues of securely sending, receiving and storing client and law office electronic data and communication (including securing internet access, understanding encryption of files, best practices in addressing cybersecurity risks, understanding and using security measures)
Understanding and using cybersecurity features of various technologies to protect client and law office electronic data and communication (including encryption, authentication, passwords, virtual private networks, firewalls)
Understanding how to reduce the possibility of cyber attacks affecting law office (including when using networks, platforms, mobile devices, software, hardware, backups, remote connections) and knowledge of computer hygiene (including hardware and software updates)
Understanding the appropriate questions to ask vendors, third parties and technology staff concerning platforms, hardware and software to protect and secure confidential client and law office information (including remote security management, virtual private networks, firewall settings, back-up systems, mobile device security, “dark web” monitoring)
Understanding Threats
Identificationandawarenessofcybersecuritythreatsaffectingclients,legal professionals and legal organizations (including phishing schemes, malware, hacking, social engineering schemes)
Cybersecurity scams directed at legal professionals and legal organizations
Inadvertent Disclosure/Law Office Failure
1. Technological aspects of how to prevent inadvertent disclosure of confidential client and law office information when working with and storing electronic data and communication
Remote Work
Understanding and using security measures to protect client and law office electronic data and communication when working remotely (including passwords, authentication, encryption, network security)
Technological aspects of protecting client and law office electronic data and communication when using personal or business mobile devices (including misplacing mobile devices, passwords, authentication, encryption, network security)
Vendors/Third Parties
1. Vetting and assessing vendors or third parties regarding their policies, protocols and practices on securing and protecting electronic data and communication
Cyber Incident Response Planning
Technologicalaspectsofcyberincidentresponseplanning(including:avoiding data loss; detecting data intrusion; establishing, securing and updating backup systems; and monitoring for cyber threats, cyber attacks and data breaches)
Conducting risk assessments, data recovery, and post-breach investigations
Laws
Applicable laws relating to cybersecurity (data breach notification laws, other federal, state and local laws) and administrative rules and regulations
Applicablelaws,rulesandregulationsrelatingtoprivacyanddataprotection
Discussion of the New York SHIELD Act (New York “Stop Hacks and Improve
Electronic Data Security” Act) including application and compliance requirements"
/Passle/5dc1896e8cb6240888194e3d/SearchServiceImages/2024-04-04-15-12-33-953-660ec3613b22c29c5ffe6262.jpg)
/Passle/5dc1896e8cb6240888194e3d/MediaLibrary/Images/2024-03-29-15-19-52-795-6606dc18d92744ecb4e32fb0.jpg)
