The New York State Bar Association (NYSBA) has approved a report from the NYSBA Committee on Technology and the Legal Profession that recommends amending the mandatory continuing legal education (CLE) rule to include cybersecurity training. If approved by the CLE board, the new rule would require New York attorneys to take one CLE cybersecurity credit every two years and would make New York State the first to implement a specific cybersecurity requirement.
The recommendation comes on the heels of the SHIELD Act, a law that took effect this past March and requires businesses (including law firms) to use reasonable safeguards to protect New York residents’ personal information, and the COVID-19 pandemic, which has forced nearly everyone to move business online. As lawyers do more work from home on personal devices and networks without the safety net of their corporate security systems, it’s more important than ever for them to understand the cybersecurity risks and safeguards that need to be in place.
What are an attorney’s ethical obligations regarding cybersecurity?
The ethical guidelines that every attorney must adhere to certainly cover cybersecurity in broad terms. Protecting client information is a top priority, for example, whether that information is on paper or online. There are also many ethics obligations focused on communications and confidentiality, including safeguarding confidences competently and acting responsibly if an unauthorized disclosure occurs. Generally, lawyers are expected to implement reasonable administrative, technical, and physical safeguards to protect their clients. These safeguards are particularly important when dealing with PHI and are mandated by HIPPA:
Administrative safeguards are the policies and procedures that help protect against a breach, including documentation processes, training requirements, data maintenance policies and more. These administrative protections also ensure that the physical and technical safeguards are implemented correctly.
Physical Safeguards make sure data is physically protected. Security systems, video surveillance, locks on the doors and even rules about mobile device usage are physical safeguards.
Technical safeguards are the technologies and related policies that lawyers and firms enlist to protect data from unauthorized access.
The American Bar Association has issued some guidance on data privacy and cybersecurity obligations that echo these safeguards, noting that attorneys are expected to develop and implement data privacy and security programs, monitor for data breaches and understand the basic features of relevant technology to competently service their clients. The new potential CLE requirement will help ensure that NY attorneys are familiar with these obligations and hopefully better equipped to fulfill them. Cybersecurity is becoming an increasingly important part of any law practice, and it’s critical that attorneys have the tools and knowledge to uphold their ethical responsibilities in the digital age. Our Octillo team works with law firms of various sizes and scope to implement data security programs designed to protect the security, confidentiality, and integrity of private information.
*Attorney Advertising. Prior results do not guarantee future outcomes.