Cybersecurity, data protection, and a lawyer’s duty of competence.

Given some of the looks and comments that I receive when broaching this topic at CLEs, I’m not certain that it’s an appropriate subject for a day typically reserved for “wellness” posts.  However, as I emerge from a summer blogging hiatus fueled by a disinterest in blogging, I’m less worried about sticking to the traditional schedule than I am in finding something – anything – to write about.  And today, “cybersecurity” not only presents itself as a topic, it does so in a manner that reinforces a notion that lies near and dear to this blog’s heart: competence includes tech competence.

Cybersecurity White Images – Browse 16,974 Stock Photos, Vectors, and Video  | Adobe Stock

To recap, V.R.Pr.C. 1.1 requires a lawyer to provide clients with competent representation. Under the heading “Maintaining Competence,” Comment [8] states:

  • “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.” (emphasis added).

The bolded language refers to “tech competence” and was added in 2018.  At the time, and as reported by LawSites, its addition made Vermont the 32nd state to adopt a duty of technology competence. The italicized language has existed since the rule was first promulgated in 1999.  I emphasized it to make clear that continuing legal education is a critical component of maintaining competence.

Which brings me to today’s point.

As reported by LawSites and the ABA Journal, New York recently became the first state to mandate CLE in cybersecurity and data privacy & protection.  From the LawSites post:

  • “Under the new requirement, all attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications. Only two other U.S. states mandate technology training as part of a lawyer’s continuing education requirement, Florida and North Carolina. While those states’ CLE requirements allow for training in a range of technology topics, which can include cybersecurity, New York’s is the first to focus its requirement on these topics.”

New York’s new rule is here. The ABA Journal notes that the rule allows lawyers to count up to 3 hours of cybersecurity CLE towards their required 4 hours of ethics CLE.  The ABA post goes on to state:

  • “The New York State Supreme Court’s Appellate Division adopted the cybersecurity CLE requirement based on a recommendation from the New York State Bar Association’s Committee on Technology and the Legal Profession. The NYSBA approved the committee reportin June 2020, according to the bar’s news center.”

This is important. The impetus for the new CLE requirement was not my counterpart in New York.  It was the bar association.  In other words, this isn’t bar counsel crying wolf over competence, tech competence, and the duty to take reasonable precautions to safeguard client data.

Am I saying that a breach is an ethics violation?



Again, a lawyer’s duty is to take reasonable precautions to safeguard client data. As I’ve always recognized, the fact that a lawyer or firm is breached or hacked does not necessarily mean that the precautions in place weren’t reasonable. Indeed, in yesteryear, the fact that a client’s paper documents ended up in unauthorized hands didn’t necessarily mean that the lawyer or firm charged with safeguarding those documents failed to take reasonable precautions.  For instance, it likely wouldn’t have been an ethics violation for a firm to fall victim to enterprising criminals who employed thermite to breach a secure cabinet within a secure room within a secure office within a secure building [i]

What I’m saying is this.

A lawyer’s professional obligations include providing clients with competent representation.  CLE is a way to maintain competence.  There’s now a jurisdiction that requires 1 hour of CLE in cybersecurity, privacy, and data protection.  That same jurisdiction allows lawyers to count up to 3 hours of cybersecurity CLE toward their required 4 hours of ethics CLE. In sum, no more eye-rolling at CLEs when I discuss cybersecurity and data protection.  The topic clearly goes to the duty of competence.

As always, let’s be careful out there.


[i] I’m obsessed with Better Call Saul.  This week’s series finale has left me thinking of ways to pay homage to the show.  My thermite analogy reminded me not of Better Call Saul, but of its predecessor, Breaking Bad. Specifically, the scenes in the Season 1 finale when Walt uses the innards of an old Etch-A-Sketch to make thermite that he and Jesse use to break into a warehouse to steal methylamine. In fact, the scenes themselves probably subconsciously caused me to use “thermite” in the analogy.