Elliot Golding is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

    Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

    Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

    Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

    Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).

    • Served as primary outside counsel for a major health plan, assisting with a wide range of high-priority and day-to-day privacy and cybersecurity issues.
    • Assisted a major health insurance company to investigate and respond to several potential breaches, including providing advice regarding government investigations, planning and overseeing remedial efforts, and defending client in resulting litigation.
    • Assisted a health plan to develop a program integrating medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment.
    • Drafted incident response plans and data breach response toolkits for healthcare clients; led tabletop exercises to test those plans.
    • Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.).
    • Assisted a major automobile company to identify personal information and other sensitive information within the organization and take steps to ensure the privacy and security of that data.
    • Advised a large cloud service provider regarding HIPAA and GLBA compliance, including designing and revising HIPAA privacy and security policies.
    • Assisted a large insurer/reinsurer to establish a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, FTC Act and state security breach and record disposal laws).

    Education

    • George Washington University Law School, J.D., magna cum laude, Order of the Coif
    • University of Virginia, B.A., with distinction

    Admissions

    • District of Columbia, 2010
    • Maryland, 2009

    Memberships and Affiliations

    • Certified Information Privacy Professional (CIPP/US)
    • Vice-chair, Privacy, Security and Emerging Technology Division, ABA Section of Science & Technology Law
    • Vice-chair, Healthcare Technology, ABA Section of Science & Technology Law
    • Co-chair, E-Privacy Law, ABA Section of Science & Technology Law
    • Member, Long Range Planning, ABA Section of Science & Technology Law
    • Member, American Health Lawyers Association
    • Member, Bloomberg BNA Health Care Innovations Board
    • Selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.


    • Modern Healthcare, “Anthem’s $16M Breach Settlement Reminds Others to Assess Their Cyber Risks”, October 16, 2018
      Following Anthem’s record-breaking data breach settlement, Elliot Golding, a partner in the data privacy and cybersecurity practice group of Squire Patton Boggs, discusses proper risk assessments, the Office for Civil Rights and the National Institute of Standards and Technology.
    • Bloomberg Law’s Big Law Business, “First Digital Contraceptive App Spawns New Legal Questions”, October 11, 2018
      The FDA approved a new digital contraceptive application, raising questions about potential legal risks associated with this app and those similar. Elliot Golding sheds light on these risks, including data privacy issues.
    • Becker’s Health IT & CIO Report, “Federal Court Reaffirms Individual Patients Cannot File HIPAA Lawsuits: 5 Things to Know”, June 26, 2018
      A US district court judge in Washington DC reaffirmed the precedent that individual patients cannot file lawsuits for alleged HIPAA violations. Elliot Golding provides his knowledge of court decisions in response.
    • Podcast interview, “Building Data Protections Into IoT Devices,” Information Security Media Group (ISMG), April 30, 2018
    • Bloomberg Law, “Dumb Devices Smarten Up, Widening Data Security Enforcement Net”, December 27, 2017
      Traditionally “dumb” products, such as toasters and light bulbs, are increasingly gaining internet connectivity, becoming “smart” internet of things devices with ongoing data security obligations. Elliot Golding speaks to Bloomberg Law on the sensitive nature and the large amounts of data being collected and the FTC’s enforcement stance.
    • Bloomberg Law, “Otsuka's Digital Drug: A Privacy Poison Pill?”, December 27, 2017
      The Food and Drug Administration last month approved Abilify MyCite, the first drug in the US embedded with a sensor that registers whether a patient has taken it. Elliot Golding discusses the benefits as well as possible data privacy challenges that such medical technology can pose with Bloomberg Law.
    • Bloomberg BNA, “FTC Issues Privacy Guidance on Child Voice Recordings”, October 23, 2017
      Companies will not face Federal Trade Commission enforcement actions for failing to obtain parental consent before collecting children’s voice recordings, if they are collected only to replace written commands and kept briefly, the agency said October 23. Elliot Golding speaks with Bloomberg BNA.
    • Bloomberg BNA, “Squire Patton Boggs Partner Elliot Golding on Health Privacy & Security”, June 21, 2017
      Data breaches, directors and officers liability, and the Internet of Things will be the hot areas in health privacy and security-related litigation, Elliot Golding recently told Bloomberg BNA.
    • Law360, “Health Industry Lagging On Cybersecurity, Task Force Says”, June 6, 2017
      In response to the release of the Health Care Industry Cybersecurity (HCIC) Taskforce Report, Elliot Golding spoke to Law360 regarding the need for the healthcare industry to adopt “a proactive, risk-based approach to managing cybersecurity,” particularly given the rise of new connected technology.
    • Bloomberg BNA, “CardioNet $2.5M Settlement Is Wireless Health Privacy First,” April 24, 2017
      Wireless cardiac monitoring service, CardioNet Inc., has agreed to pay US$2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the US Department of Health and Human Services Office for Civil Rights (OCR) announced. Elliot Golding discusses OCR settlements in the CardioNet case and its implications for the healthcare sector more broadly with Bloomberg BNA.
    • Privacy Advisor, “Squire Patton Boggs continues privacy build-out,” March 9, 2017
      Robin Campbell, CIPP/US, CIPM, and Elliot Golding, CIPP/US, have both transitioned to new positions at Squire Patton Boggs’ Washington DC office. Campbell is now co-chairing the Data Privacy & Cybersecurity Group at Squire Patton Boggs, where she will focus specifically on automotive issues. Golding took on the role of partner, with a healthcare focus. Squire Patton Boggs’ vast network of global offices and perspectives was a draw for both privacy pros.
    • Bloomberg BNA, “Horizon Healthcare to Pay N.J. $1.1M Over Stolen Laptops,” February 21, 2017
      New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state US$1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders. Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs LLP in Washington DC, discusses with Bloomberg BNA.
    • Commercial Dispute Resolution, “Specialist partners join Squire Patton Boggs,” February 17, 2017
      Data protection and cybersecurity partners head to Squire Patton Boggs as regulation in the US and Europe tightens. Squire Patton Boggs has made a string of hires on both sides of the Atlantic, adding expertise to its specialist disputes practices. In Washington DC, the firm has hired a pair of data and cybersecurity partners.
    • Law360, “Squire Patton Boggs Snags Crowell & Moring Privacy Lawyers,” February 14, 2017 (Subscription required)
      Squire Patton Boggs LLP has made further inroads into one of the legal industry’s fastest growing practice areas with the addition of two partners to its data privacy and cybersecurity practice who join in their Washington DC offices.

    Speaking Engagements

    • Presenter, “We’ve Got Data: Now What?,” Lunch & Learn: Hot Topics in Data Privacy, FCPA and I-9 Compliance, Washington DC, October 24, 2018.
    • Presenter, “Medical Device Security and Privacy: Risks, Liability, and Recommendations,” Privacy + Security Forum, October 4, 2018.
    • Presenter, “Cybersecurity – Managing the Emerging Threat,” Association of Corporate Governance – Columbus, Columbus, OH, September 13, 2018.
    • Presenter, “Murder, Mayhem and Medical Devices: Liability for Patient Harm and Other Consequences when Internet-Connected Medical Devices are Hacked,” AHLA Physicians and Hospitals Law Institute, February 5-7, 2018.
    • Presenter, “Global Compliance Forum: Minimizing Risk to Protect Your Business Interests,” Squire Patton Boggs, November 1, 2017.
    • Presenter, “We’ve Got Data: Now What? Protecting Data in a Digital World,” ACC-Squire Patton Boggs, Tampa Bay, October 19, 2017.
    • Presenter, “Cybersecurity Update Panel,” Healthcare Executive Forum (HEF) webinar, July 11, 2017.
    • Presenter, “Cybersecurity and Service Providers: Strategies for Keeping Compliant when Dealing with Outside Vendors,” ACI Managed Care Disputes and Litigation, May 3, 2017.
    • Moderator, “Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More,” ABA Webinar, January 31, 2017.
    • Presenter, “Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture,” Webinar, September 8, 2016.
    • Facilitator, “Cybersecurity Table Top for a Congressional Cyber Security Lab Program,” Wilson Center, Washington DC, June 10, 2016.
    • Panelist, “ABA Young Leaders on Cybersecurity, Privacy, & Information Law: Rapid-Fire Retrospectives on 2014 and Predictions for 2015,” ABA's PCL and SciTech Sections, teleconference, December 8, 2014.
    • Presenter, “Guess What? You're Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates,” AllClear ID Data Breach Response Services Webinar, November 12, 2013.
    • Presenter, “How to Manage a Data Breach Crisis (and Prevent the Next One),” ABA Section of Science and Technology Law, Information Security Committee Fall Meeting, Washington DC, October 26-27, 2013.
    • Presenter, “Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny,” L2 Federal Resources Webinar, September 19, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Washington DC, August 21-22, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Alpharetta, GA, May 30-31, 2013.

    Publications

    • Author, “Health Tech Is the New Focus For Cybersecurity Policy,” Law360, May 22, 2018.
    • Co-author, “States Increase HIPAA Enforcement,” Triage Health Law, April 25, 2018.
    • Co-author, “States Increase HIPAA Enforcement,” Security & Privacy // Bytes, April 17, 2018.
    • Author, “Recent HHS Settlement Showcases that Alleged HIPAA Liability Attaches Even After a Business Closes its Doors,” Security & Privacy // Bytes, February 27, 2018.
    • Co-author, “Alleged HIPAA Violations Follow Company Post-Close,” Triage Health Law, February 26, 2018.
    • Author, “HHS OCR Issues New Research Guidance,” Triage Health Law, January 19, 2018.
    • Co-author, “HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate,” Security & Privacy // Bytes, January 18, 2018.
    • Author, “FDA Issues Guidance on Clinical and Patient Decision Support Software,” Triage Health Law, December 20, 2017.
    • Co-author, “House Committee Chairman Asks HHS to Develop Health Case Cyber Risk Plan,” Triage Health Law, November 30, 2017.
    • Co-author, “HHS Task Force Identifies Critical Cybersecurity Recommendations,” Triage Health Law, June 22, 2017.
    • Co-author, “Highlights of HHS Privacy Guidelines for Cloud Providers,” Law360, October 2016.
    • Co-author, "Critical Next Steps: Addressing Health Privacy and Security Gaps Identified by ONC," Bloomberg BNA Health Care Policy Report, August 8, 2016.
    • Co-author, "FTC Data Security Authority Remains Murky Despite Wyndham," Law360, April 8, 2014.
    • Author, "NIST Eliminates Privacy Appendix from Cybersecurity Framework," The Secure Times by The Privacy and Information Security Committee, ABA Section of Antitrust Law, January 24, 2014.
    • Author, "Dismissal of $16 Million Class Action Based on Theft of Patient Information Where No Evidence that Data Was ‘Released’ May Provide Ammunition for Defending Breach Class Actions," The Secure Times by The Privacy and Information Security Committee, ABA Section of Antitrust Law, October 25, 2013.
    • Co-author, "FEATURE COMMENT: Regulating Cybersecurity on a Piecemeal Basis − Can the Executive Order Harmonize the Cyber Law Patchwork?" The Government Contractor, Vol. 55, No. 24, June 26, 2013.
    • Co-author, “Managed Behavioral Health Care Litigation, Managed Care Litigation,” 2012 Cumulative Supplement, Ch. 6, 1st Ed. (2012) and 2nd Ed., 2013.