A lawyer duty of confidentiality includes taking reasonable steps to protect a customer’s electronically stored information. New York State has taken a small but bold step that may help attorneys better understand their obligation by seeking to add cybersecurity to its continuing legal education (CLE) credit requirements. Given the increase in data breaches at law firms and businesses around the world, coupled with attorneys’ concerns about the security of their own legal technology, I would expect other law societies to State is following New York’s lead and law schools are also starting to teach students more about cybersecurity.
The Empire State and cyber attacks
In June 2020, the New York State Bar Association (NYSBA) approved its technology and legal profession committee report recommending a CLE cybersecurity requirement for New York attorneys, pending final approval from the New York CLE Board of Directors. This was probably spurred initially by the New York SHIELD (Stop hacks and improve electronic data security), which imposed stricter data security requirements on all New York City businesses (including law firms) hosting private citizen data.
The nature of work-from-home arrangements that allow attorneys to practice from the comfort of their kitchen tables on laptops, tablets and cellphones further underscores the need for mandatory CLE cybersecurity credits. But frankly, there’s probably no more compelling reason than actual cyberattacks – on law firms and legal services similar — to convince a state bar that it should help ensure that its lawyers are better informed. And make no mistake about it: cybersecurity issues are anything but new to the New York Bar. In 2014, a NYSBA Ethics Notice made it clear that cybersecurity was a major concern for lawyers due to criminal elements targeting client data such as “trade secrets, business plans and personal data”. Unfortunately, leaving it up to individual lawyers to take the initiative and learn cybersecurity on their own, knowing full well that they are scrambling to meet deadlines and billable hours in addition to their extracurricular activities (like bonds family and welfare needs), seems like a futile exercise – according to committee co-chair Mark A. Berman, making cybersecurity training voluntary has turned out to be simply ineffective.
ABA Guidelines and Industry Cyber Security Issues
While the NYSBA may be the first state bar to take official action to ensure attorneys have some cybersecurity sense, the American Bar Association (ABA) formally addressed this topic ago. four years. It focused on data security knowledge and even described steps for lawyers to protect client information from the growing threat of cyber attacks.
Regardless of the ABA guidelines, lawyers are nevertheless deeply concerned about cybersecurity, in particular ransomware attacks. According to Bloomberg Law 2021 Legal Technology Survey, the vast majority of all law firm respondents and 96% of all internal respondents indicated that their organizations are somewhat or very concerned about ransomware attacks.
The ABA’s recommendations and the fact that most lawyers have data security concerns show that the NYSBA is on the right track in recommending mandatory cybersecurity training. But what about other state bars? Shouldn’t they take the initiative and demand that their lawyers also take cybersecurity training?
The need for savvy cybersecurity lawyers nationwide
Data breaches and cybersecurity attacks occur not only nationally but globally, so cyberattack incidents against law firms and organizations are by no means unique to New York City. In fact, according to a Legal Technology 2020 Investigation Report administered by the ABA, 29% of respondents from law firms suffered some form of data breach (an increase of 3 percentage points from the previous year).
As more law firms and businesses fall victim to high-profile cybersecurity breaches and exorbitant ransomware payments, other state bars are also likely to consider mandatory cybersecurity CLE credits. Of course, this does not mean that all lawyers will become experts in technology law. But that means that by taking these courses, they will gain a better understanding of the threats posed by social engineering, malware, ransomware, phishing, and other cybersecurity dangers.
Preparing the next generation of avocados
Providing more cybersecurity courses and training, both to students who want to learn the basics and to students who want to pursue a career in cybersecurity and privacy law, will enable law schools to remain competitive and to prepare law graduates to get started after taking the oath. . Institutions such as the Francis King Carey School of Law at the University of Maryland have already programs specifically intended to teach law students the nuances of data security, and this trend will continue.
Cyber attacks are on the increase and it will only get worse. As encouraging as it may be that New York has taken steps to ensure that cybersecurity attorney skills are no longer an option but an obligation, it is also fitting that law schools are already helping to train more future trained lawyers. cybersecurity to meet the demands of legal practice in the age of big data. The legal industry will be sure to keep a close watch on the success of the Empire State’s initiative, as other state bars eventually follow suit.
Access additional insights from our Bloomberg Law 2022 series here, including articles covering trends in litigation, regulation and compliance, transactions and contracts and the future of the legal industry.
Bloomberg Law subscribers can find related content on our Practical advice: confidentiality, cybersecurity and technology page.
If you are reading this on the Bloomberg terminal, please run BLAW OUT