Covington & Burling LLP operates as a limited liability partnership worldwide, with the practice in England and Wales conducted by an affiliated
limited liability multinational partnership, Covington & Burling LLP, which is formed under the laws of the State of Delaware in the United States
and authorized and regulated by the Solicitors Regulation Authority with registration number 77071..
Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.
Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.
Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.
In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).
Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.
Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.
Advised numerous clients across industry sectors, including companies in the technology, pharmaceutical/healthcare, manufacturing, food and beverage, and financial sectors, on conducting cybersecurity maturity or compliance assessments under privilege, including retention and supervision of consultants and briefing of findings to senior leadership.
Advised clients on cybersecurity incident preparedness, including reviewing and revising incident response plans and procedures, conducting tabletop exercises, training personnel on attorney-client privilege, and negotiating pre-incident engagement agreements with vendors.
Developed and maintained a comprehensive 50-state chart and summary of U.S. state data breach notification laws, including providing periodic updates to clients on state law developments and advising clients on notification obligations and strategies.
Advised numerous Fortune 100 clients following data and cybersecurity incidents such as ransomware, data theft and extortion, business email compromise (BEC), and malicious insider incidents, with deep experience in oversight and management of internal and forensic investigations, assessment of state and federal notification obligations, development of communication strategies, engagement with law enforcement and threat actors, evaluation of potential insurance recoveries and claims against third parties, and evaluation of associated regulatory and litigation risks.
Advised numerous clients in responding to business-to-business (B2B) cybersecurity incidents, including engaging with business counterparties, assessing notification obligations and developing communication strategies tailored to business relationships, and pursuing and defending against potential claims regarding third parties.
Advised a national automotive lending company on multiple third-party cybersecurity incidents, including evaluating and executing on national notification strategies to regulators and individuals and responding to inquiries from the New York Department of Financial Services.
Advised numerous companies in highly regulated industry sectors, including financial, healthcare, pharmaceutical, and medical companies, on responding to cybersecurity incidents, including evaluation and execution of notification strategies.
Advised a large technology and transportation company on responding to a highly publicized cybersecurity incident, including responding to and successfully resolving multiple Federal Trade Commission and state Attorney General inquiries.
Advised multiple companies on responding to the MoveIT incident, including evaluating notification obligations and designing and executing notification strategies.
Represented Merck in its response to the 2017 NotPetya incident, including coverage litigation against Merck’s insurers that resulted in a summary judgment verdict for Merck and subsequent settlement.
Represented a multinational technology company in successfully settling or resolving multiple Federal Trade Commission and state Attorney General inquiries regarding cybersecurity, data privacy, and advertising issues related to connected devices.
Represent multinational technology and e-commerce clients in responding to and successfully resolving Federal Trade Commission inquiries regarding cybersecurity, data privacy, and advertising issues.
Advised multiple clients on strategies for preparing for compliance with forthcoming cybersecurity requirements, including the CCPA cybersecurity audit requirements and CIRCIA incident reporting requirements.
Advised numerous clients across industry sectors, including the pharmaceutical/healthcare, financial, and technology sectors, on compliance with the Department of Justice’s Data Security Program, including CISA Security Requirements for restricted transactions.
Advised a subsidiary of a large technology client on standing up a cybersecurity program in compliance with the New York Department of Financial Services cybersecurity regulations and related state laws.
Advised multiple pharmaceutical and medical device manufacturers on compliance with cybersecurity-related GxP obligations and FDA guidance on medical device cybersecurity, including conducting assessments and third-party reviews focused on specific compliance issues.
Advised numerous national and multinational financial companies on compliance with the New York Department of Financial Services cybersecurity regulations, the Computer Security Incident Notification Rule, and the GLBA Interagency Guidelines and Interagency Guidance.
Advised multiple large technology clients on compliance with cybersecurity-related settlement agreements with the Federal Trade Commission and state Attorneys General, including successful completion of required independent third-party assessments.
Advised multiple clients on negotiation of cybersecurity provisions in vendor agreements and development of standard or template terms, including terms regarding cybersecurity controls, reporting and responding to cybersecurity incidents, and privilege protections, as well as compliance with specific third-party risk management regulatory requirements.
Advise numerous clients on compliance with regulatory and statutory cybersecurity obligations at the U.S. federal and state levels, including guidance on “reasonable” cybersecurity measures.
Advise educational technology clients regarding compliance with FERPA, COPPA, and other federal and state educational privacy laws, including the development of new educational technology offerings and negotiation of agreements involving educational data.
Assist with internal investigations of potential employee misconduct, including unauthorized use of or access to systems or networks, for multinational clients.
University of Pennsylvania Carey Law School, J.D., 2014
cum laude
University of Pennsylvania Law Review, Senior Editor
Levy Scholar
American University, B.A./B.S., 2010
magna cum laude
Bar Admissions
District of Columbia
Virginia
Pro Bono
Advise multiple clients on responding to the Blackbaud cybersecurity incident, including developing and executing notification strategies and advising on potential claims.
Advise clients on cybersecurity governance and incident preparedness, including drafting, reviewing, and revising cybersecurity policies and incident response plans.
Provide guidance on FERPA and state educational privacy law requirements to educational technology providers, education-focused non-profits, and educational institutions.
Memberships and Affiliations
Certified Information Systems Security Professional (CISSP)
Back
