Cybersecurity learning for lawyers
What do you get when you cross lawyers’ continuing professional education with the increasing number of data breaches that are occurring today? In New York state, lawyers will soon be mandated to include cybersecurity, privacy, and data protection into their continuing legal education. Although New York is the first state in the U.S. to make such a specific request (Florida and North Carolina mandate general technology training) it’s likely that other states and global jurisdictions will follow their example.
What are CLE’s? – Continuing Legal Education (CLE) is training lawyers must take to maintain their state licenses to practice law. For example, in California, where I practice, attorneys must complete 25 hours of Minimum Continuing Legal Education (MCLE) every three years and file a report with the State Bar. The requirements generally include legal ethics, competence issues, and the recognition and elimination of bias in the legal profession and society.
The purpose of CLEs are to offer attorneys education beyond the minimum the State Bar requires to help stay current with new laws or expand their legal expertise after their initial admission to the bar.
A positive sign that NY has mandated cybersecurity and privacy training as part of CLE
Remember the highly publicized data breach at Equifax in 2017? Hackers gained entry to the company software and stole personal information, such as Social Security numbers and driver’s license numbers, of 145 million people. The breach was made possible by lax security protocols that delayed the fixing of a vulnerable patch in the software and allowed nefarious actors to wander freely in the company’s databases. Although the data breach at Equifax was uncommonly large in the number of people affected, the ability to break into software systems and wreak havoc with confidential information is a real threat, especially for small and medium size businesses that may not have devoted adequate resources to cybersecurity. According to a study by the cybersecurity company Surfshark, data breaches rose by 70% globally in the third quarter of 2022.
By mandating cybersecurity and privacy as a way to uplevel attorney training, The New York State Bar Association signals its importance in the practice of law, recognizes the hazards the digital age presents and the need for attorneys to keep pace in order to more effectively counsel their clients.
The new one-credit requirement for lawyers offers foundational topics and knowledge related to data protection. It includes two types of cybersecurity training, one focused on ethics and the other on practice.
The ethics part is in keeping with lawyers’ basic ethical responsibility to take reasonable care in preventing disclosure of clients’ personal information. It will cover lawyers’ ethical obligations and responsibilities to, for example, counsel clients about protecting electronic data, communication and storage protection polices and protocols, security issues related to escrow funds, and inadvertent disclosure of confidential information via social media.
The practice-related training pertains to becoming better educated about how technology is integrated and protected into the practice of law. It will include, for example, learning about the technological aspects of sending receiving, and storing electronic information, cybersecurity features of technology used, and applicable laws that relate to cybersecurity.
The new CLE requirement for New York State lawyers is part of a growing awareness that professionals can benefit from privacy and data protection training. Whatever your field, there are an increasing number of venues to improve skills. Conferences are a great way to go to learn new skills and networks with privacy professionals. Some organizations find it effective to designate an individual or team to champion privacy by, for example, assisting with tactical aspects of privacy program operations, building a culture of privacy, and enhancing accountability.
Training for privacy and cybersecurity is not a one-and-done event. Technology, along with associated privacy and security issues are constantly evolving, which means that they require ongoing attention and advocacy. The new CLE requirement from The New York State Bar Association is a promising start!