The New York State Bar Association (NYSBA) has approved a report from the NYSBA Committee on Technology and the Legal Profession that recommends amending the mandatory continuing legal education rule to require one credit in cybersecurity.
The credit would be included within the “Ethics and Professionalism” category and would not add to the minimum 24-hour biennial rule for experienced attorneys or the 32-hour biennial requirement for new attorneys. This amendment would be effective for four years and revisited at that time.
“Protecting our client information and complying with the Rules of Professional Conduct is paramount for New York attorneys,” said State Bar President Scott M. Karson. “If adopted by the Continuing Legal Education Board, New York State would become the first state to implement a cybersecurity requirement for lawyers. I commend the Committee for a terrific and timely report.”
Committee co-chair Mark A. Berman (Ganfer Shore Leeds & Zauderer) said that the greatest threat to lawyers is hacking. “The goal here is to protect client information and comply with the Rules of Professional Conduct,” said Berman.
He said that voluntary cybersecurity courses do not work. He has noted lower attendance in 2018 and 2019 at CLE programs on cybersecurity “as lawyers sent money into cyberspace, paid ransom to unlock their computers and leaked proprietary confidential information in breach of our ethical responsibilities.”
Berman explained that the majority of hacks are through social engineering. It is easier to trick a victim to reveal their password than for the hacker to guess unless a password is typically work (i.e. password).
He jokingly noted that he had a crystal ball as the report was conceived prior to the pandemic and most employees were working in their offices.
Now, most lawyers are working from home and more likely to use a mobile device. Berman said, “With a mobile phone, you don’t necessarily have the infrastructure of law firms or the protection of a firm’s network. You might also use home Wifi which may or not be secure.”
Florida and North Carolina have added technology requirements to their CLE requirements. The committee argued cybersecurity protection is a pressing issue for lawyers and should be emphasized through a one-credit requirement.
On July 26, 2019, New York’s governor signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, requiring businesses to implement safeguards for the “private information” of New York residents and broadening New York’s security breach notification requirements. The SHIELD Act applies to lawyers and law firms of all sizes. The security requirements took effect on March 21, 2020. The Attorney General can sue for data breaches or failure to comply with cybersecurity requirements.
The American Bar Association Formal Ethics Opinion 477R (May 22, 2017) declared that lawyers are required to make reasonable efforts to ensure their communications are secure and not subject to inadvertent or unauthorized cyber security breaches.
NYSBA’s Ethics Opinion 842 states that a lawyer must take reasonable care to affirmatively protect a client’s confidential information. It further states: “Cybersecurity issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks.”