New York’s first-in-the-nation requirement that lawyers earn continuing education credit in data privacy and security is timely now that states are passing laws that hold companies accountable for how they handle people’s personal information, says Lisa Sotto, an attorney with Hunton Andrews Kurth.
Other states can be expected to follow New York’s lead. In June, the state received a recommendation from the New York State Bar Association to require lawyers to complete at least one credit hour every two years on data privacy and security, treated either as a matter of professional ethics or from a practice-area or technological standpoint.
“I would expect that other bars would follow suit,” Sotto told Legal Dive. Sotto’s firm specializes in helping clients prevent and manage security incidents and in complying with data privacy and security requirements. “We have 45 people who do nothing but data privacy and data security and cybersecurity. It is our practice 100%.”
Two-track approach
The two training tracks under the New York requirement are more specialized than the technology-competence mandate most states already impose. Some 40 states place a duty of technology competence on lawyers, according to a LawNext compilation, but that is a broad duty that amounts to knowing how to use the technology relevant to one’s practice.
By adding this more focused requirement, New York is acknowledging that data privacy and security have become issues of growing importance to organizations, both from a compliance perspective and from an incident-prevention and response perspective.
“A cyber incident is pretty inevitable these days,” said Sotto, whose firm has been brought in to help manage some high-profile breaches, including the 2021 Colonial Pipeline ransomware attack that led to short-term fuel shortages along the East Coast and the Yahoo! breach that put half a billion accounts at risk.
Both in-house legal departments and law firms face an increasingly complex compliance environment. In the U.S., five states have comprehensive consumer data privacy laws on the books: California, Colorado, Connecticut, Utah and Virginia.
California’s law, which voters expanded two years ago through a ballot measure, gives consumers considerable control over what data an organization may keep, what controls must govern use of that data by other organizations, and so on. It even goes so far as to prescribe what consumer opt-out and similar buttons must look like.
The laws in Colorado, Connecticut, Utah and Virginia are built on a similar template to one another but differ from the California law in significant ways, which adds to the challenge of complying with the different approaches.
“In some cases we need opt-in consent and in other places you need opt-out consent or no consent at all,” Sotto said. “In some cases there are … exceptions in the right to delete. In other states there are no exceptions. So, [complying] is a complex exercise right now.”
Although it is unlikely to pass this session of Congress, lawmakers have been working on the first comprehensive federal data privacy and security law, the American Data Privacy and Protection Act, which would provide the long-sought uniformity across the country.
“Everyone wants a federal law,” Sotto said.
Outside the U.S., organizations must comply with the General Data Protection Regulation (GDPR) if they handle the personal data of people in the European Union, and with similar laws in a dozen or so other countries.
“Having to actually comply with [all these laws] is an issue that is tying lawyers up in knots,” Sotto said.
At a minimum, the New York requirement is a first step toward ensuring that lawyers approach these challenges with a baseline set of tools.