New York Mandates Cybersecurity

New York is the First State to Mandate Cybersecurity CLE: Legal Technology Trends

Couldn’t wait to cover this, so I decided to make it my Saturday post. According to Bob Ambrogi, New York is the first state to mandate that attorneys take continuing legal education (CLE) courses in cybersecurity, privacy and data protection.

As Bob reported in his excellent LawSites blog here, under the new requirement, all attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications.

Only two other U.S. states mandate technology training as part of a lawyer’s continuing education requirement, Florida (which did so in 2016) and North Carolina (which did so in 2018). While those states’ CLE requirements allow for training in a range of technology topics, which can include cybersecurity, New York’s is the first to focus its requirement on these topics.


New York had previously, in 2015, adopted the duty of technology competence for lawyers.

The recommendation for the change came from the New York State Bar Association’s Committee on Technology and the Legal Profession, which said in its report, issued in 2020, that it chose the specific requirement over a general one because of the importance of protecting client and law firm data.

The recommendation was adopted June 10, 2022, in a joint order issued by the judicial departments of the Appellate Division of the New York State Supreme Court, and the new requirement will take effect on July 1, 2023.

The order creates two types of cybersecurity training, one focused on ethics and the other on practice. Under the order, the one-credit cybersecurity requirement does not increase the overall numbers of CLE hours required for New York attorneys, which is 32 hours for new attorneys and 24 for all other attorneys.

Bob provides descriptions for both types of cybersecurity training – and more – in his blog post here. I hope this starts – and continues – a trend for states to require technology or cyber CLE. With only three states requiring either so far, we have a long way to go.

So, what do you think? Are you surprised that New York is the first state to mandate Cybersecurity CLE? Do you think other states will follow suit?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply