New York CLE Requirement Updates and Changes: Cybersecurity, Privacy and Data Protection

New York attorneys now have a new CLE requirement to comply with. Starting on July 1st, 2023, all NY lawyers must complete 1 CLE credit hour in Cybersecurity, Privacy and Data Protection as part of their biennial MCLE requirements. Courses may cover ethics topics, general cybersecurity topics, or a combination of both. Lawyers may begin coursework covering this new requirement on January 1st, 2023. It is worth noting that any course that fulfills the requirement completed prior to January 1st, 2023 does not count toward it.

The New York State Unified Court System defines Cybersecurity, Privacy and Data Protection – Ethics courses as relating to an attorney’s ethical obligation to protect electronic data and communication. Among other things, courses can relate to protecting clients, communicating and obtaining consent form clients, protecting your firm, storing, maintaining and destroying electronic data, firm policies surrounding electronic data, and attorney supervision of firm employees and third-party vendors. Data breaches and inadvertent disclosures are also critical topics courses may cover.

Cybersecurity, Privacy and Data Protection – General courses are defined as relating to the technological aspects of protecting client and firm electronic data and communication. They may include fundamentals of sending, receiving and storing client data, understanding threats, inadvertent disclosures, and cybersecurity issues surrounding remote work. The evaluation of third-party vendors, cyber incident response planning and applicable laws surrounding cybersecurity are also acceptable topics for this category.

The New York State CLE Program Rules provide more information on how Cybersecurity, Privacy and Data Protection are defined.

NY Cybersecurity, Privacy and Data Protection CLE Requirements for Experienced Attorneys

If an attorney has been admitted to the New York State Bar for two or more years, they are considered an experienced attorney. Experienced attorneys must complete at least 1 CLE credit hour of Cybersecurity, Privacy and Data Protection coursework as part of their CLE requirement. This credit may be in the Ethics track, or in the General track as outlined above. A course may also combine ½ credit hour of Cybersecurity Ethics and ½ credit hour of Cybersecurity General information.

This new requirement does not increase the number of CLE credits experienced attorneys must complete during a reporting period. They are still responsible for completing 24 credit hours of coursework every two years. Experienced New York attorneys may complete all of their 3 credit ethics requirement with Cybersecurity, Privacy and Data-Ethics coursework.

If an experienced attorney cannot complete the requirement on time, they may file for an extension. Any credits completed over the 1 credit Cybersecurity, Privacy and Data Protection requirement may be included in the 6 credit-maximum carryover to the next reporting period.

When do Experienced New York Attorneys Have to Comply?

Experienced New York Attorneys may start completing Cybersecurity, Privacy and Data Protection courses starting January 1st, 2023. The compliance period for this new category of courses begins on July 1st, 2023. Please note that any Cybersecurity, Privacy and Data Protection coursework completed prior to January 1st, 2023 does not count towards the new requirement.

New York State Bar Cybersecurity, Privacy and Data Protection CLE Requirements for Newly Admitted Attorneys

If a lawyer has been a member of the New York State Bar for two years or less, they are considered a newly admitted attorney. Newly admitted attorneys must complete at least 1 CLE credit hour of Cybersecurity, Privacy and Data Protection coursework as part of their CLE requirement. This credit may be in the Ethics track, or in the General track as outlined above. A course may also combine ½ credit hour of Cybersecurity Ethics and ½ credit hour of Cybersecurity General information.

This new requirement does not increase the number of CLE credits newly admitted attorneys must complete during a reporting period. They are still responsible for completing 32 credit hours of coursework every two years, with 16 credit hours taken in each year of the reporting period. Newly admitted attorneys may complete a maximum of 3 credits of their 6 credit ethics requirement with Cybersecurity-Privacy and Data Protection-Ethics coursework.

The 1 credit of Cybersecurity, Privacy and Data Protection coursework may be completed in either the first year’s 16 credit requirement for newly admitted attorneys, or in the second. The requirement does not have to be completed in both years of the reporting period. Any Cybersecurity, Privacy and Data-Ethics credits earned over the 1 credit requirement may not be carried over to the next two year reporting period.  Any Cybersecurity, Privacy and Data-General credits earned over the 1 credit requirement may be carried over to the next reporting period.

When Do Newly Admitted New York Attorneys Have to Comply?

Newly admitted attorneys may start earning Cybersecurity, Privacy and Data Protection CLE credits staring January 1st, 2023. The requirement becomes effective on July 1st, 2023. Newly admitted attorneys admitted to the New York State Bar prior to July 1st, 2023 do not have to complete Cybersecurity, Privacy and Data Protection credits in their current biennial cycle. They may wait until the next cycle.

What CLE Courses Should New York Attorneys Look For to Earn Cybersecurity, Privacy and Data Protection Credits?

NBI is committed to providing New York attorneys with the credits they need to fulfill the new Cybersecurity, Privacy and Data Protection requirement. Lawyers in New York will be able to explore courses that meet this new requirement from our course catalog as they become available.

The New York CLE requirements page has more information on all New York MCLE requirements. This useful FAQ has additional answers about the new Cybersecurity, Privacy and Data Protection requirement.

Brad Kelly is NBI's Content Strategist, Writer and Editor. He provides attorneys with timely, relevant information that helps them advance their law practices. In his free time he enjoys hiking, cycling and renovating old houses.