Photo of Caleb Skeath

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. Continue Reading CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting

On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework.  Originally released in 2014 and updated in 2018 and now 2024, the NIST Cybersecurity Framework (“CSF” or “Framework”) “offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  NIST had proposed some potentially significant updates to the Framework in a Concept Paper published on January 19, 2023, which this Version 2.0 follows. Continue Reading NIST Publishes the Cybersecurity Framework 2.0

Earlier this month, the New York Department of Financial Services (“NYDFS”) announced that it had finalized the Second Amendment to its “first-in-the-nation” cybersecurity regulation, 23 NYCRR Part 500.  This Amendment implements many of the changes that NYDFS originally proposed in prior versions of the Second Amendment released for public comment in November 2022 and

On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin planning for future migration to

On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force.  Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers.  As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred.  Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. Continue Reading Compliance Dates for SEC’s New Cyber Disclosure Rules Confirmed

Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed

According to a recently-released meeting agenda, the Securities and Exchange Commission’s (“SEC”) upcoming July 26, 2023 meeting will include consideration of adopting rules to enhance disclosures regarding cybersecurity risk management, governance, and incidents by publicly traded companies. 

The SEC initially proposed these rules in March 2022.  If adopted as proposed, the new rules would

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.Continue Reading White House Releases Implementation Plan for the National Cybersecurity Strategy

Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that two previously-proposed cyber rules might not be approved until October 2023 (although the agenda’s timeframe is an estimate and the rules could be finalized sooner, or later). The proposed rules in question address disclosure requirements regarding cybersecurity

On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).Continue Reading FTC Announces COPPA Settlement Against Ed Tech Provider Including Strict Data Minimization and Data Retention Requirements