Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

    Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things and complying with the California Consumer Privacy Act. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

    Elliot has also managed hundreds of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

    Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; the California Consumer Privacy Act; 42 CFR Part 2 (Federal Confidentiality of Substance Use Disorder Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

    Elliot has several appointments in the American Bar Association’s Science & Technology Law Section, including serving as the co-chair of the E-Privacy Law Committee, co-chair of the Privacy, Security and Emerging Technology Division, vice-chair of the Biotechnology, Healthcare Technology, and Medical Device Committee, and a Council Member. He also serves as a member of the Bloomberg BNA Health Care Innovations Board, is a frequent speaker and writer of thought leadership pieces, and is a Certified Information Privacy Professional (CIPP/US).

    Award Mouse thought multimedia interface book medal screen monitor
    • Advised a leading, multinational technology company on privacy and security issues, including compliance with HIPAA and other US laws, as well as international laws (including the GDPR), and frequently provided compliance guidance regarding innovative product and service initiatives. This includes partnering with the client to create a mobile-centric Identity as a Service solution from scratch to help authenticate identity using biometrics and distributed ledger technology.
    • Assisted one of the preeminent grants management software providers in conducting a comprehensive privacy and cybersecurity review, negotiating data protection agreements, navigating cross-border data protection requirements and strengthening its processes. As an intermediary between numerous parties, including grant funders, grant applicants and other third parties, the client’s data handling raised many nuanced issues and we successfully partnered to ensure their data handling practices are deemed to be of utmost importance.
    • Served as primary outside counsel for a major health plan, assisting with a wide range of high priority, as well as day-to-day privacy and cybersecurity, issues.
    • Assisted a major health insurance company to investigate and respond to several potential breaches, including providing advice regarding government investigations, planning and overseeing remedial efforts, and defending client in resulting litigation.
    • Assisted a health plan to develop a program integrating medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment.
    • Drafted incident response plans and data breach response toolkits for healthcare clients; led tabletop exercises to test those plans.
    • Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.).
    • Assisted a major automobile company to identify personal information and other sensitive information within the organization and take steps to ensure the privacy and security of that data.
    • Advised a large cloud service provider regarding HIPAA and GLBA compliance, including designing and revising HIPAA privacy and security policies.
    • Assisted a large insurer/reinsurer to establish a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, FTC Act and state security breach and record disposal laws).
    • Conducted overall due diligence assessment of compliance practices for network advertiser, including under DAA, NAI, etc. Reviewed and provided feedback on applicable contracts, designed CCPA compliance program and provided other assistance. 
    • Evaluated and analyzed obligations under the NAI Code with respect to the use of a data broker that collected potential health-related data for targeted advertisements.
    • Assessed distribution of ad tech across multinational systems for an international ecommerce platform, where data and practices are shared between multiple legal entities, in order to assess and improve compliance efforts under CCPA and other US laws. This included understanding complex and layered advertising practices, creation and use of custom audience segments (both as publisher and advertiser), third party integration and involvement, assessing industry positions on evolving laws and regulations, and providing risk-conscious and practical guidance. Accompanying templates and documentation were provided as part of this exercise. 

    Education

    • George Washington University Law School, J.D., magna cum laude, Order of the Coif
    • University of Virginia, B.A., with distinction

    Admissions

    • District of Columbia, 2010
    • Maryland, 2009

    Memberships and Affiliations

    • Certified Information Privacy Professional (CIPP/US)
    • Co-Chair, Privacy, Security and Emerging Technology Division
    • Co-Chair, e-Privacy Committee
    • Vice-Chair, Biotechnology, Healthcare Technology, and Medical Devices Committee
    • Voting Member, Science and Technology Law Section Council
    • Member, Program Committee
    • Advisor, Uniform Law Commission, Online Privacy Protection Study Committee
    • Member, American Health Lawyers Association
    • Member, Bloomberg BNA Health Care Innovations Board
    • Selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world

    {{insights.date}} {{insights.source}} {{insights.type}}
    {{blog.displayDate}}
    {{blog.title}} {{blog.source}}

    • Bloomberg Law, “California Privacy Law Enforcement Risk Grows With New Rules,” August 2020.
      The rules explain in detail how businesses must carry out the law. For instance, businesses that tell their customers they don’t sell data, and then later wish to do so, would need to get consumers to opt-in twice. The rules also require companies to describe the process for verifying consumer requests to correct or delete data. “Most of the meat” of the law’s requirements are in the final regulations, said Elliot Golding, data privacy & cybersecurity partner at Squire Patton Boggs. Becerra had “more than enough” plain statute language for enforcement, but the rules give him an even stronger hand, he said.
    • OneTrust DataGuidance, “California: AG submits final CCPA regulations for approval,” June 2020.
      Elliot Golding, Partner at Squire Patton Boggs (US) LLP, told OneTrust DataGuidance, "There do not appear to be any material changes in the Regulations compared to the most recent March proposed draft. Along with the final Regulations submission, the AG published additional explanatory material and responses to public comments. Although such commentary may not carry the force of law, it does provide helpful guidance around how the AG could interpret ambiguous provisions."
    • Plan Advisor, “Shifting California Privacy Regulations Are Serious Business for Advisers,” February 14, 2020.
      According to a quartet of attorneys with the cybersecurity specialist law firm Squire Patton Boggs, the financial services industry is one of many business sectors that will feel the full brunt of the CCPA. For that reason, Glenn Brown, Lydia de la Torre, Elliot Golding and Ann LaFrance, all counsel or partners with the firm, say the financial services sector should remain engaged with the unfolding regulatory process surrounding the CCPA.
    • Bloomberg Law, “California Privacy Plan Aids Ad Tech Industry, Attorneys Say,” February 10, 2020.
      The updated proposed rules would also make clear that ad tech companies can continue to use individual data collected 90 days before that person requested the information not be sold to third parties. That change would make complying with the law easier, said Elliot Golding, data privacy and cybersecurity partner at Squire Patton Boggs.
    • Bloomberg Law, “Cyber Insurance Purchases Will Surge With California Privacy Law,” February 5, 2020.
      The provision will lead “to a barrage of litigation” that companies need to protect themselves from, said Elliot Golding, a partner at Squire Patton Boggs who counsels companies on privacy and cybersecurity matters.
    • Global Data Review News, “US Health Department Changing Substance Abuse Disclosure Rules,” September 20, 2019.
      The HHS’s proposed changes are to its Confidentiality of Substance Use Disorder Records regulations, which were originally implemented in 1975 to protect the privacy of people seeking treatment for drug addictions. As the US drug war was ramping up around that time, there were worries that “law enforcement authorities would go to clinics and round up their information,” Squire Patton Boggs partner Elliot Golding, a member of the firm’s health industry group leadership team, explained.
    • ACA International, “Examining the CCPA and Data Privacy Litigation,” June 3, 2019.
      California’s data privacy law, the California Consumer Privacy Act (CCPA), is set to take effect in January 2020. As businesses plan for compliance requirements of the new law before the effective date, the question remains – how will it connect to data privacy litigation? Squire Patton Boggs partners Petrina Hall McDaniel and Elliot Golding and associate Keshia Lipscomb weigh in on the issue in an article “Will the CCPA be the New TCPA for Plaintiffs” on the firm’s website.
    • Modern Healthcare,Anthem’s $16M Breach Settlement Reminds Others to Assess Their Cyber Risks,” October 16, 2018.
      Following Anthem’s record-breaking data breach settlement, Elliott Golding, a partner in the data privacy and cybersecurity practice group of Squire Patton Boggs, discusses proper risk assessments, the Office for Civil Rights and the National Institute of Standards and Technology.
    • Bloomberg Law’s Big Law Business, “First Digital Contraceptive App Spawns New Legal Questions,” October 11, 2018.
      The FDA approved a new digital contraceptive application, raising questions about potential legal risks associated with this app and those similar. Elliot Golding sheds light on these risks, including data privacy issues.
    • Becker’s Health IT & CIO Report, “Federal Court Reaffirms Individual Patients Cannot File HIPAA Lawsuits: 5 Things to Know,” June 26, 2018.
      A US district court judge in Washington DC reaffirmed the precedent that individual patients cannot file lawsuits for alleged HIPAA violations. Elliot Golding provides his knowledge of court decisions in response.'
    • Bloomberg Law, “Dumb Devices Smarten Up, Widening Data Security Enforcement Net,” December 27, 2017.
      Traditionally “dumb” products, such as toasters and light bulbs, are increasingly gaining internet connectivity, becoming “smart” internet of things devices with ongoing data security obligations. Elliot Holding speaks to Bloomberg Law on the sensitive nature and the large amounts of data being collected and the FTC’s enforcement stance.
    • Bloomberg Law, “Otsuka's Digital Drug: A Privacy Poison Pill?” December 27, 2017.
      The Food and Drug Administration last month approved Abilify MyCite, the first drug in the US embedded with a sensor that registers whether a patient has taken it. Elliot Golding discusses the benefits, as well as possible data privacy challenges that such medical technology can pose with Bloomberg Law.
    • Bloomberg BNA, “FTC Issues Privacy Guidance on Child Voice Recordings,” October 23, 2017.
      Companies will not face Federal Trade Commission enforcement actions for failing to obtain parental consent before collecting children’s voice recordings, if they are collected only to replace written commands and kept briefly, the agency said October 23. Elliot Golding speaks with Bloomberg BNA.
    • Bloomberg BNA, “Squire Patton Boggs Partner Elliot Golding on Health Privacy & Security,” June, 21, 2017.
      Data breaches, directors and officers liability, and the Internet of Things will be the hot areas in health privacy and security-related litigation, Elliot Golding recently told Bloomberg BNA.
    • Law360,Health Industry Lagging On Cybersecurity, Task Force Says,” June 6, 2017.
      In response to the release of the Health Care Industry Cybersecurity (HCIC) Taskforce Report, Elliot Golding, spoke to Law360 regarding the need for the healthcare industry to adopt "a proactive, risk-based approach to managing cybersecurity,” particularly given the rise of new connected technology.
    • Bloomberg BNA, “CardioNet $2.5M Settlement Is Wireless Health Privacy First,” April 24, 2017
      Wireless cardiac monitoring service, CardioNet Inc., has agreed to pay US$2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the US Department of Health and Human Services Office for Civil Rights (OCR) announced. Elliot Golding discusses OCR settlements in the CardioNet case and its implications for the healthcare sector more broadly with Bloomberg BNA.
    • Privacy Advisor, “Squire Patton Boggs continues privacy build-out,” March 9, 2017.
      Robin Campbell, CIPP/US, CIPM, and Elliot Golding, CIPP/US, have both transitioned to new positions at Squire Patton Boggs’ Washington DC office. Campbell is now co-chairing the Data Privacy & Cybersecurity Group at Squire Patton Boggs, where she will focus specifically on automotive issues. Golding took on the role of partner, with a healthcare focus. Squire Patton Boggs’ vast network of global offices and perspectives was a draw for both privacy pros.
    • Bloomberg BNA, “Horizon Healthcare to Pay N.J. $1.1M Over Stolen Laptops,” February 21, 2017.
      New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state US$1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders. Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs LLP in Washington DC, discusses with Bloomberg BNA.
    • Commercial Dispute Resolution, “Specialist partners join Squire Patton Boggs,” February 17, 2017.
      Data protection and cybersecurity partners head to Squire Patton Boggs as regulation in the US and Europe tightens. Squire Patton Boggs has made a string of hires on both sides of the Atlantic, adding expertise to its specialist disputes practices. In Washington DC, the firm has hired a pair of data and cybersecurity partners.
    • Law360, “Squire Patton Boggs Snags Crowell & Moring Privacy Lawyers,” February 14, 2017 (subscription required).
      Squire Patton Boggs LLP has made further inroads into one of the legal industry’s fastest growing practice areas with the addition of two partners to its data privacy and cybersecurity practice who join in their Washington DC offices.


    Speaking Engagements

    • Presenter, “Got Data? How the Health Data Rules are Changing,” ABA Webinar, June 1, 2020.
    • Presenter, “Privacy + Security Forum Spring Academy 2021,” Virtual Event, May 24 – 26, 2021.
    • Presenter, “Understand and Prepare for the California Privacy Rights Act,” Webinar, January 21, 2021.
    • Presenter, “Privacy Law, Coronavirus, and Post-Pandemic Best Practices,” Bloomberg Law, Webinar, April 30, 2020.
    • Presenter, “Compliance/Regulatory: We scares because we CARES,” LeadsCouncil – Leadership Series, Webinar, April 9, 2020.
    • Presenter, “The Final California Consumer Privacy Act: What Are Your Obligations,” American Bar Association, Webinar, December 4, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act – What Are Your Obligations,” Squire Patton Boggs, Cleveland, Ohio, November 12, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act,” Society for Information Management, Cleveland, Ohio, November 11, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act – What Are Your Obligations,” Webinar, October 17, 2019.
    • Presenter, “Privacy and Security in a World Filled with Innovation,” CLE Seminar for Ohio Health Insurer In-House and General Counsel, Columbus, Ohio, September 18, 2019.
    • Panelist, “Keep Your Care Healthy: How to Prevent Your Digital Innovations from Calling In Sick,” American Health Lawyer’s Association Annual Meeting, Boston, MA, June 25 and 26, 2019.
    • Presenter, “Understanding and Preparing for the California Consumer Privacy Act," Webinar, May 7 and June 4, 2019.
    • Speaker, “A Discussion on Data Privacy and Cybersecurity in the Americas,” Lunch and Learn, Miami, April 16, 2019.
    • Presenter, “New Frontiers in Healthcare Data – Reaping the Rewards and Navigating the Risks,” International Performance Management Institute’s (IPMI) Healthcare Law & Compliance Institute, Napa, CA, March 4, 2019.
    • Presenter, “We’ve Got Data: Now What?” Lunch & Learn: Hot Topics in Data Privacy, FCPA and I-9 Compliance, Washington DC, October 24, 2018.
    • Presenter, “Medical Device Security and Privacy: Risks, Liability, and Recommendations,” Privacy and Security Forum, October 4, 2018.
    • Panelist, “When the Breach Alarm Sounds, Will You Be Ready?” Data Breach Masterclass, London, October 2, 2018.
    • Presenter, “Cybersecurity – Managing the Emerging Threat,” Association of Corporate Governance – Columbus, Columbus, OH, September 13, 2018.
    • Podcast interview, “Building Data Protections Into IoT Devices,” Information Security Media Group (ISMG), April 30, 2018.
    • Presenter, “Murder, Mayhem and Medical Devices: Liability for Patient Harm and Other Consequences when Internet-Connected Medical Devices are Hacked,” AHLA Physicians and Hospitals Law Institute, February 5 – 7, 2018.
    • Presenter, “Global Compliance Forum: Minimizing Risk to Protect Your Business Interests,” Squire Patton Boggs, November 1, 2017.
    • Presenter, “We’ve Got Data: Now What? Protecting Data in a Digital World,” ACC-Squire Patton Boggs, Tampa Bay, October 19, 2017.
    • Presenter, “Cybersecurity Update Panel,” Healthcare Executive Forum (HEF) webinar, July 11, 2017.
    • Presenter, “Cybersecurity and Service Providers: Strategies for Keeping Compliant when Dealing with Outside Vendors,” ACI Managed Care Disputes and Litigation, May 3, 2017.
    • Moderator, “Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More,” ABA Webinar, January 31, 2017.
    • Presenter, “Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture," Webinar, September 8, 2016.
    • Facilitator, “Cybersecurity Table Top for a Congressional Cyber Security Lab Program,” Wilson Center, Washington DC, June 10, 2016.
    • Panelist, “ABA Young Leaders on Cybersecurity, Privacy, & Information Law: Rapid-Fire Retrospectives on 2014 and Predictions for 2015,” ABA's PCL and SciTech Sections, teleconference, December 8, 2014.
    • Presenter, “Guess What? You're Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates,” AllClear ID Data Breach Response Services Webinar, November 12, 2013.
    • Presenter, “How to Manage a Data Breach Crisis (and Prevent the Next One), ABA Section of Science and Technology Law,” Information Security Committee Fall Meeting, Washington DC, October 26 – 27, 2013.
    • Presenter, “Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny,” L2 Federal Resources Webinar, September 19, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Washington DC, August 21 – 22, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Alpharetta, GA, May 30 – 31, 2013.

    Publications

    Award Mouse thought multimedia interface book medal screen monitor