Lawyers throughout the nation are gearing up to polish and execute their visions for the new year. Talks of strategy, budgets, goals, and professional development are circling the halls and video calls at legal departments and law firms. For those planning out continuing legal education (CLE) opportunities via online trainings, in-person seminars, and conferences – here is one piece of advice. Do not forget about cyber education. The practice of law and cybersecurity is more intertwined than ever before and must be a top priority for all lawyers.

The Intersection Between Cyber and Legal

Lawyers cannot effectively practice law today without some degree of knowledge about cybersecurity law, potential threats, and best practices. At the foundation of legal practice is confidentiality, competence, and candid communication. Cyber risk should be another foundational piece of legal education and training, as the two are very intertwined.

While the move to automated business processes and digital data management has been a key enabler for businesses, it comes with increased cybersecurity risks. These risks can threaten a lawyer’s ability to act as effective counsel by inhibiting their ethical obligations. If a breach occurs, confidential data can be exposed publicly. Without knowledge of how technology operates and relevant security features, the ability to communicate over secure channels is compromised. This is why competence is key. In such a dynamic and dangerous cyber landscape education is necessary to remain competent and know how to manage cyber legal risk.

Cyber Education Best Practices

Remaining educated on cybersecurity risks and market trends will not only help lawyers protect sensitive client data, but also effectively advocate and advise for certain technology usage or strategy moves. For example, security issues will arise at every step of the discovery process – from determining where data resides and how it is stored to preservation, collection, and interception concerns. Having knowledge of the risks and solutions to solve issues at each stage will lessen the potential for case delays and breaches.

So, what type of cyber education should lawyers seek out to remain appropriately informed? While there is not one right answer to this question, a good first step is seeking out basic cyber knowledge. Stay up to date on trending attack methods. Understand the risks associated with the technology an organization is using or plans to obtain and take steps to change investments or add extra security measures to control threats. Some potential topics and courses to explore include cyber risks present in emerging technologies, incident response planning, information security laws, and cyber considerations during litigation.

The New York State Bar has officially recognized the importance of cyber education. New CLE requirements for lawyers take effect on July 1, 2023. They must obtain one hour of credit to satisfy their CLE requirement from the newly created Cybersecurity, Privacy and Data Protection category. This encompasses ethical obligations and general practice considerations that intertwine with these topics, providing a broad range of educational opportunities to explore. Credit earned earlier in the year 2023 will also apply.

Going Beyond the Bare Minimum

While more state bars will likely jump on the cyber-CLE bandwagon in time, lawyers in every state (and around the globe) should be incorporating cyber education into not only their CLE choices – but also everyday practices. The requirement could increase over an hour in New York and any other jurisdictions that follow suit due to the expanding cyber landscape and increased threat potential.

Here are additional ways lawyers can boost cybersecurity knowledge beyond taking CLE credit:

• Subscribe to industry reports relating to trending attack methods and breach numbers.

• Get alerts on cybersecurity case law, such as class actions resulting from large breaches.

• Keep informed on bar opinions relating to cybersecurity, emerging technologies, remote working, and similar topics.

• Thoroughly vet all technology investments to understand any cyber risks and turn to provider partners for advice on optimal solutions that foster efficiency while safeguarding client data and proprietary information. 

• Take advantage of internal cyber training and advocate for more when appropriate. Training offers benefits far beyond maintaining effectiveness as counsel and will be beneficial enterprise-wide. For example, oftentimes “cyber whistleblowers” that report problems to regulatory agencies or the public often do not have all the information relating to business risk decisions or complex technologies involved. The resulting investigatory response and reputation repair will utilize a lot of resources. This reality needs to be counterbalanced with valuable education that will promote transparency and expand cyber knowledge for everyone in the organization.

• Increase legal’s involvement with incident response planning. Proactive planning prior to a cyber incident can save precious time after one occurs and ensure smooth service delivery when it counts most. While incident response heavily relies on technical and forensic actions, legal implications are just as important and will come into play at every phase of the response. Breach notification, impact assessment, privacy law compliance, and regulatory reporting are a few areas where the legal team will have an integral role in response efforts.

Cyber education has never been more important for the legal community than it is now. With more people working remotely and using a variety of emerging technologies, the risks of data compromise are amplified. Lawyers need to take extra steps to remain ethical, protect sensitive information, and properly advise clients. Make sure to add this as a resolution for the coming year!