Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.
To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.
Background Note: According to a joint order signed on June 10, 2022, from the judicial departments of the Appellate Division of the New York State Supreme Court, New York state attorneys will be required to complete at least one credit of cybersecurity, privacy, and data protection training as part of their continuing legal education (CLE) requirements. The new requirement will take effect on July 1, 2023, and may be of interest to cybersecurity, information governance, and legal discovery professionals operating in the eDiscovery ecosystem seeking both educational and evangelistic opportunities for increasing awareness and understanding of cybersecurity, privacy, and data protection challenges and considerations.
Selected Article Extracts and Complete Joint Order
New York Becomes First State to Require CLE in Cybersecurity, Privacy and Data Protection
Extract from Privacy & Information Security Law Blog – Hunton Andrews Kurth
On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.
The New York State Bar Association’s (“NYSBA”) Committee on Technology and the Legal Profession initially recommended the new requirement in a 2020 report. In a joint order, the judicial departments of the Appellate Division of the New York State Supreme Court formally adopted the recommendation.
The required one hour of cybersecurity, data privacy and data protection training may be related to attorneys’ ethical obligations with respect data protection and count toward their ethics and professionalism CLE requirements. Alternatively, the credit may be related to general cybersecurity, data privacy and data protection issues and count toward attorneys’ general CLE requirements.
New York Becomes First State to Mandate CLE in Cybersecurity, Privacy and Data Protection
Extract from LawSites – Bob Ambrogi
The order creates two types of cybersecurity training, one focused on ethics and the other on practice. It describes the ethics training as follows:
Cybersecurity, Privacy and Data Protection-Ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication and may include, among other things: sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication; protection of confidential, privileged and proprietary client and law office data and communication; client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications; security issues related to the protection of escrow funds; inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and supervision of employees, vendors and third parties as it relates to electronic data and communication.
The rule describes the practice-related training this way:
Cybersecurity, Privacy and Data Protection-General must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication (including sending, receiving and storing electronic information; cybersecurity features of technology used; network, hardware, software and mobile device security; preventing, mitigating, and responding to cybersecurity threats, cyber attacks and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols.
The rule allows lawyers to apply up to three hours of the ethics training to their total biennial ethics and professionalism requirement, which is six years for new attorneys and four years for other attorneys.
- Education in eDiscovery: An Overview from ComplexDiscovery
- Considering Cybersecurity? Updates and Overviews from ComplexDiscovery