New York attorneys could soon have to complete cybersecurity training courses to satisfy their continuing legal education (“CLE”) requirement. The House of Delegates of the New York State Bar Association (“NYSBA”) has approved a report proposing that NYSBA’s Executive Committee recommend to the New York State Continuing Legal Education Board that the biennial CLE requirement be amended to require one credit on cybersecurity. The Committee on Technology and the Legal Profession (the “Committee”), which submitted the report, recognized the mounting cybersecurity risks faced by law firms and in-house legal departments entrusted with their clients’ most sensitive data. Legal employers electronically holding their employees’ and clients’ private information, such as social security numbers, tax information, and financial account information, already are required to implement reasonable safeguards to protect such information, including workforce training, under the New York State Stop Hacks and Improve Electronic Data Security (the “SHIELD”) Act. The vote to adopt the new training requirement could occur as soon as this month; and if it is adopted, the requirement will exemplify the move in New York State to protect the public against cybersecurity risks to sensitive data.

Cybersecurity threats for attorneys and law firms are real and growing. Citing an October 2019 New York Law Journal article entitled “Eight NY Law Firms Reported Data Breaches as Problems Multiply Nationwide,” the Committee noted in its report that “the number of law firm data breaches” in New York alone “doubled in 2018.” Even in 2014, the NYSBA Committee on Professional Ethics recognized in Opinion 1019 that attorneys could “no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system.” With many employees working remotely during the COVID-19 pandemic, the number of external access points, which likely increased exponentially, is even greater today than it was just a year ago, further escalating the cyber risks that attorneys face and the need for training and other safeguards discussed here. The Committee’s recognition of the threats should come as no surprise; indeed, in 2018, 23% of attorneys responding to an ABA survey reported suffering a security breach at some point. In 2020, law firms have reportedly been the target of ubiquitous ransomware attacks impacting all organizations whose systems are open to the Internet.

In addition, the data security protections in the SHIELD Act are now effective and applicable to “any person or business,” including law firms and legal departments, that “owns or licenses computerized data” that includes a New York resident’s “private information.” These persons or businesses “shall develop, implement and maintain reasonable safeguards to protect” such information’s “security, confidentiality and integrity.” As we previously discussed here, such safeguards may include cybersecurity training for employees.

Moreover, the Committee observes in the report that “[m]andatory CLE was initially conceived, supported and implemented as a way to enhance both lawyer competence and public trust in the profession.” The legal profession and attorneys specifically are in a particularly unique position in relation to sensitive data. In addition to their or their employer’s own data, attorneys might have their clients’ data on their system(s) as well. Given that trust, New York attorneys need to “keep abreast of the benefits and risks associated with technology” that they “use[] to provide services to clients or to store or transmit confidential information,” according to Comment [8] to New York Rule of Professional Conduct 1.1. Also, under New York Rule of Professional Conduct 1.6(c), attorneys “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, information” that certain enumerated rules protect. The duty of confidentiality found in New York Rule of Professional Conduct 1.6 requires attorneys to “take reasonable care to affirmatively protect a client’s confidential information.” NYSBA Comm. on Prof’l Ethics, Op. 842 (2010). Staying abreast of cybersecurity issues and threats will aid attorneys in meeting this duty.

Regardless of whether the CLE requirement is implemented, it is therefore a best practice, an ethical obligation, and/or a legal requirement under the SHIELD Act for attorneys in a law firm or in a legal department to take an active role in information security, which should include participating in available workforce training in cybersecurity. Such training should encompass, for example, discussions of phishing, vishing, and other social engineering methods and should be updated periodically to account for new, sophisticated, and constantly evolving modes of cyberattack.

Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Shawndra G. Jones was a member of the New York State Bar Association’s (“NYSBA’s”) Committee on Technology and the Legal Profession when the Committee submitted the above-referenced report and is currently the Vice-Chair of the Committee. She is also a Co-Chair of NYSBA’s Committee on Continuing Legal Education and a Delegate to NYSBA’s House of Delegates.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.