Covington & Burling LLP operates as a limited liability partnership worldwide, with the practice in England and Wales conducted by an affiliated
limited liability multinational partnership, Covington & Burling LLP, which is formed under the laws of the State of Delaware in the United States
and authorized and regulated by the Solicitors Regulation Authority with registration number 77071.
Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.
In his white-collar practice, Web helps clients navigate both government and internal investigations. He specializes in complex civil and criminal investigations related to alleged government contracts fraud and other cybersecurity-related allegations under the False Claims Act, FTC Act, and equivalent state laws. Additionally, Web assists clients in responding to a variety of cyber incidents, ranging from intrusions and extortion by advanced persistent threats to business email compromises and large-scale data breaches. Web also helps clients investigate insider threat activity and potential noncompliance with regulatory and contractual cybersecurity requirements.
In his advisory and transactional practice, Web helps clients across a wide range of industries and critical infrastructure sectors manage risk in an evolving regulatory landscape. He regularly advises on cybersecurity compliance and best practices, information security program development, incident response preparedness, insider threat risks, third-party risk management, and international cyber regulations, among other areas. Web also advises clients on a variety of government and industry standards, including the NIST Cybersecurity Framework 2.0, NIST SP 800-53, NIST SP 800-171, FedRAMP and state equivalents (e.g., GovRAMP, TX-RAMP), CJIS, ISO/IEC standards (e.g., ISO 27001), SOC2 Type 2, and other sector-specific requirements (e.g., HIPAA Security Rule, PCI DSS, DFARS Clause 252.204-7012, NERC Critical Infrastructure Protection).
In addition to his regular practice, Web counsels pro bono clients on data breach, immigration, and criminal law matters.
Web previously served in government in different roles at the Department of Homeland Security (DHS), including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency (CISA)—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.
Advised cloud service providers and software developers regarding federal and state investigations into alleged noncompliance with government cybersecurity regulations, including under FedRAMP and similar state programs.
Advised multiple Fortune 500 clients following data and cybersecurity incidents, including supply chain and third-party compromises, regarding subsequent internal investigations, state and federal notification obligations, and associated regulatory and litigation risks.
Counseled multiple clients, including a leading software development company and a digital currency exchange, through FTC investigations into alleged unfair or deceptive acts or practices related to cybersecurity and data privacy practices.
Provided strategic advice and day-to-day management of insider threat investigations for several multinational clients.
Advised numerous clients of varying sizes and regulatory postures, including Fortune 100 technology and finance companies as well as startups and small businesses, regarding:
Cyber and data security requirements and best practices;
Cybersecurity and national security policy; and
Critical infrastructure regulation.
Advised on cybersecurity and data protection terms related to M&A deals and tech transactions in the U.S. and other markets on behalf of various clients, including a Fortune 100 technology company, a prominent private equity firm, and a pioneering biotech startup.
Provided cybersecurity and data privacy counsel to a Fortune 500 pharmaceutical company regarding a novel health app and connected medical device implementation.
Provided strategic advice to multiple companies regarding potential obligations under the upcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) regulations, as well as to clients that maintain assets designated by DHS as critical infrastructure at greatest risk from cyber-attack.
Assisted multiple clients in submitting public comments in response to proposed critical infrastructure cybersecurity regulations.