Photo of Caleb Skeath

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Contact:Read more about Caleb SkeathEmail

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a physical environment that are commonly used in manufacturing, utilities, oil and gas production, transportation, and other industrial operations.  The Guidance, which will be of interest to any organizations that have an OT environment, is intended to help critical infrastructure entities develop and implement an OT asset inventory and taxonomy to protect their critical assets and improve incident response preparedness.  It comes in advance of upcoming cyber incident reporting requirements for critical infrastructure in the U.S. under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) and in the EU under the revised Network and Information Systems Directive (“NIS2 Directive”).  The Guidance is the latest in a series of joint releases from CISA, FBI and other U.S. and international partners on various security-related topics largely intended for critical infrastructure, including AI data security, product security bad practices, quantum computing cyber threats, and secure software development.Continue Reading CISA Publishes OT Asset Inventory Guidance for Critical Infrastructure

Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented.  The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024).  Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.Continue Reading Oklahoma Substantially Amends Its Data Breach Notification Statute

The U.S. Federal Energy Regulatory Commission (“FERC”) recently issued Order No. 907 (the “Order”), approving a new Critical Infrastructure Protection (“CIP”) Reliability Standard, CIP-015-1.  The new standard will require covered entities that maintain certain bulk electric systems (“BES”) to implement Internal Network Security Monitoring (“INSM”) for network traffic within their “electronic security perimeter,” i.e., the logical border surrounding the network of interconnected devices that comprise a BES Cyber System.  However, as discussed below, these requirements will not go into effect for approximately three years, and many covered entities will have an additional two years before they are required to comply.Continue Reading FERC Finalizes New Internal Network Security Monitoring Requirements for Bulk Electric Systems

On June 30, 2025, the Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) warned U.S. critical infrastructure organizations and other companies that the threat of cyber attacks from Iran-affiliated cyber actors is heightened

Continue Reading U.S. Government Issues Cybersecurity Warning to Critical Infrastructure Operators and Others

On June 23, 2025, the New York State Department of Financial Services (“NY DFS”) issued guidance to NY DFS-regulated individuals and entities regarding the impact of “ongoing global conflicts” to the financial sector. The guidance follows a bulletin from the U.S. Department of Homeland Security about the “heightened threat environment” in the United States, which specifically references cyber attacks. The NY DFS guidance highlights three key areas of focus: cybersecurity, sanctions, and virtual currency, and may be helpful for organizations across industries globally:Continue Reading New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict

On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration.  Specifically, the Order (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (“IoT”) devices and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons.  Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place.  Further, it does not appear to modify other cybersecurity Executive Orders.[1]  To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles.Continue Reading White House Issues New Cybersecurity Executive Order

On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”) released guidance for AI system operators regarding managing data security risks.  The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through the artificial intelligence lifecycle, including consideration on securing the data supply chain and protecting data against unauthorized modification by threat actors.”  CISA published the guidance in conjunction with the National Security Agency, the Federal Bureau of Investigation, and cyber agencies from Australia, the United Kingdom, and New Zealand.  This guidance is intended for organizations using AI systems in their operations, including Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners and operators. This guidance builds on the Joint Guidance on Deploying AI Systems Security released by CISA and several other U.S. and foreign agencies in April 2024.Continue Reading CISA Releases AI Data Security Guidance

Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”).  NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since 2012, but also now maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover.  As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if an entity has aligned its cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.Continue Reading NIST Publishes Updated Incident Response Recommendations and Considerations

On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements.  The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents.  Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach.  Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs. Continue Reading New York Adopts Amendment to the State Data Breach Notification Law

On October 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published guidance on Product Security Bad Practices (the “Guidance”) that identifies “exceptionally risky” product security practices for software manufacturers.  The Guidance states that the ten identified practices—categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies—are “dangerous and significantly elevate[] risk to national security, national economic security, and national public health and safety.”

The Guidance offers recommendations to remediate each of the identified practices and states that adoption of the recommendations indicates software manufacturers “are taking ownership of customer security outcomes.”  Provided below are the ten practices and associated recommendations.Continue Reading CISA and FBI Publish Product Security Bad Practices