Yesterday, the FTC published a blog post outlining what companies should expect if they find themselves as the subject of an FTC data security investigation.  In addition to highlighting the different phases of the FTC’s investigative process, the FTC’s discussed the types of information that it seeks as well as the questions it wants answered.  The FTC highlights that it would consider a company’s cooperation with “criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion” as part of the “steps the company took to help affected consumers[,]” and such cooperation with law enforcement would lead the FTC to “likely . . . view that company more favorably than a company that hasn’t cooperated.”  Notably, the FTC does not provide any guidance on what actions qualify as “cooperation with law enforcement” or whether withholding privileged information — such as internal or third-party forensic reports — would be viewed less favorably than a company that discloses such information. 

Speaking yesterday at Georgetown Law’s Cybersecurity Institute, Assistant Attorney General Leslie Caldwell referenced the blog post in highlighting the collaboration between the FTC and the Justice Department in forming this policy.  In particular, Caldwell referred to the work completed by the Justice Department’s Cybersecurity Unit, a new arm of the Criminal Division created in December 2014.   The Cybersecurity Unit is tasked with influencing cybersecurity legislation and ensuring effective utilization of law enforcement resources in prosecuting cybercrime, as well as educating the private sector on lawful cybersecurity practices and the role of law enforcement.

In addition to highlighting the importance of cooperating with law enforcement, the FTC outlines its approach to data security investigations.  The post states that the FTC compares “what a company says about its data security practices” to “what it actually does” to determine if the company’s data security practices are “reasonable in light of the sensitivity and volume of consumer information the company holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”  For data breach investigations, the post states that the FTC will often request information on the breach itself, the protections in place at the time of the breach, and the company’s response.  As an agency “focused on the security of consumer information entrusted to the company,” the FTC is particularly interested in likely consumer harm resulting from a breach, as well as consumer complaints regarding security issues.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb Skeath
Show more Show less