A lawyer’s duty of confidentiality includes taking reasonable steps to protect a client’s electronically stored information. The state of New York has taken a small yet bold step that could lead to lawyers better understanding their obligation by seeking to add cybersecurity to its continuing legal education (CLE) credit requirements. Considering the rise in law firm and corporate data breaches worldwide, coupled with lawyers’ concerns about the security of their own legal technology, I expect other state bars to follow New York’s example—and law schools to start teaching students more about cybersecurity as well.
The Empire State and Cyberattacks
In June 2020, the New York State Bar Association (NYSBA) approved its Committee on Technology and the Legal Profession’s report recommending one cybersecurity CLE requirement for New York lawyers, pending final approval by the New York CLE Board. This was probably spurred initially by New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which imposed tougher data security requirements for all New York businesses (including law firms) hosting private citizen data.
The nature of work-from-home arrangements that make it possible for lawyers to practice from the comfort of their kitchen tables on laptops, tablets, and mobile phones further underscores the need for mandatory cybersecurity CLE credits. But truth be told, there’s probably no more convincing reason than actual cyberattacks—on law firms and legal departments alike—for a state bar to help ensure its lawyers are better informed. And make no mistake about it: Cybersecurity concerns are anything but novel to the New York Bar. In 2014, a NYSBA ethics opinion clearly stated that cybersecurity was a major concern for lawyers because of criminal elements targeting client data such as “trade secrets, business plans and personal data.” Unfortunately, leaving it to individual lawyers to take the initiative and learn cybersecurity on their own, knowing full well that they are scrambling to meet deadlines and billable hour requirements in addition to their extracurricular activities (like family obligations and well-being needs), seems to be an exercise in futility. According to Committee Co-Chairman Mark A. Berman, making cybersecurity training voluntary has proven to be simply ineffective.
ABA Guidance and Industry Cybersecurity Concerns
Although the NYSBA may be the first state bar to take an official step to ensure lawyers have some cybersecurity acumen, the American Bar Association (ABA) formally addressed this very topic four years ago. It emphasized data security knowledge and even outlined steps for lawyers to protect client information from the growing threat of cyberattacks.
Independent of ABA guidelines, lawyers are nonetheless deeply concerned about cybersecurity—particularly ransomware attacks. According to Bloomberg Law’s 2021 Legal Technology Survey, the vast majority of all law firm respondents and 96% of all in-house respondents reported that their organizations are either somewhat or very concerned about ransomware attacks.
Both the ABA’s recommendations and the fact that most lawyers harbor data security concerns demonstrate that the NYSBA is on the right track in recommending mandatory cybersecurity training. But what about other state bars? Shouldn’t they take the initiative and mandate that their lawyers take cybersecurity training as well?
The Need for Cybersecurity-Savvy Lawyers Nationwide
Data breaches and cybersecurity attacks occur not just nationally but globally, so cyberattack incidents against law firms and organizations are by no means unique to New York. In fact, according to a 2020 Legal Technology Survey Report administered by the ABA, 29% of law firm respondents have experienced some form of data breach (a 3 percentage point increase from the prior year).
As more law firms and corporations fall victim to high-profile cybersecurity breaches and exorbitant ransomware payments, other state bars will likely consider mandatory cybersecurity CLE credits as well. Granted, this is not to suggest that all lawyers will become tech law experts. But it does mean that by taking these courses, they will gain a better understanding of the threats posed by social engineering, malware, ransomware, phishing, and other cybersecurity perils.
Prepping the Next Generation of Lawyers
Offering more cybersecurity courses and training, both to students who want to learn just the basics and to students who wish to make cybersecurity and privacy law practice a career, will keep law schools competitive and prepare law graduates to hit the ground running after taking the oath. Institutions such as the University of Maryland’s Francis King Carey School of Law already have programs specifically geared towards teaching law students the nuances of data security, and this trend will continue.
Cyberattacks are on the rise, and it’s only going to get worse. As encouraging as it may be that New York has taken action to make lawyer cybersecurity proficiency no longer an option but an obligation, it’s also fitting that law schools are already helping to develop more cybersecurity-trained future lawyers to meet the demands of legal practice in the era of big data. The legal industry will be sure to keep a close eye on the success of the Empire State’s initiative as other state bars eventually follow suit.
Access additional analyses from our Bloomberg Law 2022 series here, including pieces covering trends in Litigation, Regulatory & Compliance, Transactions & Contracts, and the Future of the Legal Industry.