Photo of Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.”  Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”  

Continue Reading HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework

On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.”  EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that

On March 7, 2023, the United States Transportation Security Administration (“TSA”) announced the issuance of new cybersecurity requirements for airport and aircraft operators on an emergency basis.  “The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.”

Continue Reading TSA Issues New Cybersecurity Requirements for Airport and Aircraft Operators

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.”  These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards

On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.”  Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  The NIST CSF was previously updated in 2018, and NIST now seeks public comment on the latest changes outlined in the Concept Paper.

Continue Reading NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework

The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022.  The proposed second amendment comes after an initial comment period on an earlier-released draft amendment released on July 29, 2022.  NYDFS is accepting comments on the proposed second amendment through January 9, 2023. 

Continue Reading New York Department of Financial Services Proposed Second Amendment to Cybersecurity Regulation – Comments Close January 9, 2023

On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

Continue Reading CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act

In early February, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory observing “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally” during 2021.  The report—which was coauthored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation, and the National Security Agency), Australia (the Australian Cyber Security Centre), and United Kingdom (the National Cyber Security Centre)—emphasizes that the continued evolution of ransomware tactics and techniques throughout the past year “demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”
Continue Reading CISA Issues Joint Cybersecurity Advisory on 2021 Ransomware Trends and Recommendations

On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228).  The FTC provided a list of recommended remedial actions for companies using the Log4j software.  The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so.  As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
Continue Reading FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions