

Mandated Cyber and Privacy CLE for New York Attorneys – Will Other States Follow Suit?


The majority of U.S. states require attorneys with active law licenses to complete continuing legal education (CLE) credits. The number of hours, reporting deadlines, and topic requirements differ between jurisdictions. It is important for attorneys to remain educated not only on practice-specific updates, but also on industry-wide legal trends and ethical obligations. Doing so helps ensure they have the tools and information available to provide superior client representation.

The Duty of Technology Competence

Since the American Bar Association updated its model rules to include technology competence a decade ago, three states have incorporated technology training mandates into their CLE requirements. While Florida and North Carolina allow a variety of topics to satisfy this training mandate, New York recently instituted more specific requirements applying to cybersecurity, privacy, and data protection.

Living in the digital age has placed cybersecurity concerns at the forefront of operations for organizations situated in nearly every industry. Going digital means that hackers can have easier access to data unless the processes and tools that safeguard this data are updated. While the move to automated business processes and digital data management has been a key enabler for businesses, it comes with increased cybersecurity risks. The common adage in cybersecurity is, “It’s not if you will be breached, it’s when.”

The privacy landscape is also growing and dynamic as new jurisdictions continue to pass laws placing additional obligations on organizations that manage consumer data. Keeping informed is crucial to understanding how new or amended legislation may affect business operations and compliance obligations. With confidentiality being the cornerstone of legal practice, there is a heightened expectation that attorneys understand trending cyber and data privacy risks, as well as tools that mitigate exposure. This education is necessary to remain ethical and effectively protect client and other proprietary information.

New York Updates

This June, the New York Supreme Court adopted CLE requirements that the New York State Bar Association’s Committee on Technology and the Legal Profession proposed. These changes account for the cyber and privacy concerns discussed above and will be effective on July 1, 2023. Attorneys must obtain one hour of CLE credit every two years on the ethical obligations, technology, or practice considerations relating to cybersecurity and privacy topics. This includes a focus on protecting client data and conversations, which is the foundation of attorney-client confidentiality.

The reasoning behind this update was to shift focus to pressing issues in the legal industry relating to data protection. Law firms and other legal organizations house a significant amount of proprietary client information including communications, case strategy, financial data, trade secrets, and more. If a hacker obtains access to a legal organization’s systems or email accounts, the fallout can be monumental. Accounting for applicable data privacy laws adds an extra layer of compliance duties relating to this information. Incorporating education on these topics is meant to help attorneys understand not only their obligations, but also the proper safeguarding of sensitive data and incident response best practices.


With cyber and privacy concerns trending throughout the legal industry, it is likely other states will copy New York’s CLE update. Keep tabs on Florida and North Carolina in the coming year, as they already have the generalized technology education requirement. It will also be interesting to see what the feedback is from New York attorneys after the initial reporting cycle that incorporates this update, and if that eventually leads to an increase in mandatory privacy or cybersecurity CLE hours. Even if other state bars are hesitant to mandate topics for education, there will definitely be an uptick in cyber and privacy CLE course offerings. At recent legal conferences, these topics have already begun to dominate sessions – and with good reason. All legal professionals need to understand trends in these areas to remain ethical and continue to safeguard sensitive client data.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.
