Elliot Golding is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot is a Certified Information Privacy Professional (CIPP/US). He co-chairs the E-privacy Committee and is the Vice Chair of the Health Information Technology Committee within the ABA Section of Science and Technology Law. In addition, he is a member of the American Health Lawyers Association and a member of the Bloomberg BNA Health Care Innovations Board.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Award Mouse thought multimedia interface book medal screen monitor
  • Served as primary outside counsel for a major health plan, assisting with a wide range of high priority, as well as day-to-day privacy and cybersecurity, issues.
  • Assisted a major health insurance company to investigate and respond to several potential breaches, including providing advice regarding government investigations, planning and overseeing remedial efforts, and defending client in resulting litigation.
  • Assisted a health plan to develop a program integrating medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment.
  • Drafted incident response plans and data breach response toolkits for healthcare clients; led tabletop exercises to test those plans.
  • Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.).
  • Assisted a major automobile company to identify personal information and other sensitive information within the organization and take steps to ensure the privacy and security of that data.
  • Advised a large cloud service provider regarding HIPAA and GLBA compliance, including designing and revising HIPAA privacy and security policies.
  • Assisted a large insurer/reinsurer to establish a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, FTC Act and state security breach and record disposal laws).


  • George Washington University Law School, J.D., magna cum laude, Order of the Coif
  • University of Virginia, B.A., with distinction


  • District of Columbia, 2010
  • Maryland, 2009

{{insights.date}} {{insights.source}} {{insights.type}}
{{blog.title}} {{blog.source}}

  • Bloomberg Law, Why Health Lawyers Should See Opportunities, Not Obstacles in Industry Uncertainty”, January 25, 2018
    Healthcare policy and uncertainty around regulatory changes and priorities will continue to drive demand for health law legal advice and expertise in 2018. Elliot Golding comments on the increasing use of data analytics to support outcomes in the industry.
  • Bloomberg Law, “Dumb Devices Smarten Up, Widening Data Security Enforcement Net”, December 27, 2017
    Traditionally “dumb” products, such as toasters and light bulbs, are increasingly gaining internet connectivity, becoming “smart” internet of things devices with ongoing data security obligations. Elliot Holding speaks to Bloomberg Law on the sensitive nature and the large amounts of data being collected and the FTC’s enforcement stance.
  • Bloomberg Law, “Otsuka's Digital Drug: A Privacy Poison Pill?”, December 27, 2017
    The Food and Drug Administration last month approved Abilify MyCite, the first drug in the US embedded with a sensor that registers whether a patient has taken it. Elliot Golding discusses the benefits as well as possible data privacy challenges that such medical technology can pose with Bloomberg Law.
  • Bloomberg BNA, “FTC Issues Privacy Guidance on Child Voice Recordings”, October 23, 2017
    Companies will not face Federal Trade Commission enforcement actions for failing to obtain parental consent before collecting children’s voice recordings, if they are collected only to replace written commands and kept briefly, the agency said October 23. Elliot Golding speaks with Bloomberg BNA.
  • Bloomberg BNA, “Squire Patton Boggs Partner Elliot Golding on Health Privacy & Security”, June, 21, 2017
    Data breaches, directors and officers liability, and the Internet of Things will be the hot areas in health privacy and security-related litigation, Elliot Golding recently told Bloomberg BNA.
  • Law360, “Health Industry Lagging On Cybersecurity, Task Force Says”, June 6, 2017
    In response to the release of the Health Care Industry Cybersecurity (HCIC) Taskforce Report, Elliot Golding, spoke to Law360 regarding the need for the healthcare industry to adopt "a proactive, risk-based approach to managing cybersecurity,” particularly given the rise of new connected technology.
  • Bloomberg BNA, “Ransomware Strike: What Impact on Corporate Liability?”, May 16, 2017
    The worldwide ransomware attack that affected banks, hospitals and other companies heightens corporate regulatory and litigation risks. Elliot Golding spoke to Bloomberg BNA about the WannaCry ransomeware strike. Although there is no such thing as 100 percent security, companies should look to see if they have taken steps to implement “reasonable security ” measures.
  • Bloomberg BNA, “CardioNet $2.5M Settlement Is Wireless Health Privacy First”, April 24, 2017
    Wireless cardiac monitoring service CardioNet Inc has agreed to pay US$2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the US Department of Health and Human Services Office for Civil Rights (OCR) announced. Elliot Golding discusses OCR settlements in the CardioNet case and its implications for the healthcare sector more broadly with Bloomberg BNA.
  • Privacy Advisor, “Squire Patton Boggs continues privacy build-out”, March 9, 2017
    Robin Campbell, CIPP/US, CIPM, and Elliot Golding, CIPP/US, have both transitioned to new positions at Squire Patton Boggs’ Washington DC office. Campbell is now co-chairing the Data Privacy & Cybersecurity Group at Squire Patton Boggs, where she will focus specifically on automotive issues. Golding took on the role of partner, with a healthcare focus. Squire Patton Boggs' vast network of global offices and perspectives was a draw for both privacy pros.
  • Bloomberg BNA, “Horizon Healthcare to Pay N.J. $1.1M Over Stolen Laptops”, February 21, 2017
    New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state US$1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders. Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs LLP in Washington DC, discusses with Bloomberg BNA.
  • Commercial Dispute Resolution, “Specialist partners join Squire Patton Boggs”, February 17, 2017
    Data protection and cybersecurity partners head to Squire Patton Boggs as regulation in the US and Europe tightens. Squire Patton Boggs has made a string of hires on both sides of the Atlantic, adding expertise to its specialist disputes practices. In Washington DC, the firm has hired a pair of data and cybersecurity partners.
  • Law360, “Squire Patton Boggs Snags Crowell & Moring Privacy Lawyers”, February 14, 2017
    (Subscription required)
    Squire Patton Boggs LLP has made further inroads into one of the legal industry’s fastest growing practice areas with the addition of two partners to its data privacy and cybersecurity practice who join in their Washington DC offices.

  • Speaker, “Global Compliance Forum: Minimizing Risk to Protect Your Business Interests,” Squire Patton Boggs, November 1, 2017
  • Presenter, “We’ve Got Data: Now What? Protecting Data in a Digital World,” ACC-Squire Patton Boggs, Tampa Bay, October 19, 2017. 
  • Presenter, “Cybersecurity Update Panel,” HFE Webinar, July 11, 2017.
  • Presenter, “Cybersecurity and Service Providers: Strategies for Keeping Compliant when Dealing with Outside Vendors,” ACI Managed Care Disputes and Litigation, May 3, 2017.
  • Moderator, "Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More," ABA Webinar, January 31, 2017.
  • Co-author, “Highlights Of HHS Privacy Guidelines For Cloud Providers,” Law360, October 2016.
  • Presenter, “Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture," Webinar, September 8, 2016.
  • Co-author, "Critical Next Steps: Addressing Health Privacy and Security Gaps Identified by ONC,"Bloomberg BNA Health Care Policy Report, August 8, 2016.
  • Facilitator, “Cybersecurity Table Top for a Congressional Cyber Security Lab Program,” Wilson Center, Washington DC, June 10, 2016.
  • Panelist, “ABA Young Leaders on Cybersecurity, Privacy, & Information Law: Rapid-Fire Retrospectives on 2014 and Predictions for 2015,” ABA's PCL and SciTech Sections, teleconference, December 8, 2014.
  • Co-author, "FTC Data Security Authority Remains Murky Despite Wyndham," Law360, April 8, 2014.
  • Author, "NIST Eliminates Privacy Appendix from Cybersecurity Framework," The Secure Times by The Privacy and Information Security Committee, ABA Section of Antitrust Law, January 24, 2014.
  • Presenter, “Guess What? You're Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates,” AllClear ID Data Breach Response Services Webinar, November 12, 2013.
  • Presenter, “How to Manage a Data Breach Crisis (and Prevent the Next One), ABA Section of Science and Technology Law,” Information Security Committee Fall Meeting, Washington DC, October 26-27, 2013.
  • Author, "Dismissal of $16 Million Class Action Based on Theft of Patient Information Where No Evidence that Data Was "Released" May Provide Ammunition for Defending Breach Class Actions," The Secure Times by The Privacy and Information Security Committee, ABA Section of Antitrust Law, October 25, 2013.
  • Presenter, “Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny,” L2 Federal Resources Webinar, September 19, 2013.
  • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Washington DC, August 21-22, 2013.
  • Co-author, "FEATURE COMMENT: Regulating Cybersecurity on a Piecemeal Basis − Can the Executive Order Harmonize the Cyber Law Patchwork?" The Government Contractor, Vol. 55, No. 24, June 26, 2013.
  • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Alpharetta, GA, May 30-31, 2013.
  • Co-author, “Managed Behavioral Health Care Litigation, Managed Care Litigation,” 2012 Cumulative Supplement, Ch. 6, 1st Ed. (2012) and 2nd Ed., 2013.

Award Mouse thought multimedia interface book medal screen monitor