Elliot Golding (CIPP/US) is a partner in the firm’s Data Privacy, Cybersecurity & Digital Assets Practice and leads the Healthcare Industry Group. He has been recognized in Bloomberg Law’s 2021 rising star series, “They’ve Got Next,” as well as Global Data Review’s inaugural 40 Under 40 list, which “represents the best of the data law bar around the world.”

    Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. Clients rely on his forward-looking advice and insight, which takes into account trends and best practices in areas that are driving innovation – the Internet of Things, AdTech and biometrics, among others – amid the myriad ever-evolving state legal requirements. Elliot helps clients understand how to balance legal risk while leveraging customer data to gain a marketplace advantage.

    A considerable portion of Elliot’s work involves managing hundreds of breach responses for companies, providing guidance through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and state attorneys general). His deep experience includes defending clients in singular or multistate litigation alleging violations of security breach notification laws and HIPAA and helps clients avoid enforcement actions altogether by interacting directly with regulators during investigations.

    Drawing on a wealth of legal, regulatory and industry experience, Elliot counsels clients on the Health Insurance Portability and Accountability Act (HIPAA) and HITECH; the California Consumer Privacy Act; 42 CFR Part 2 (Federal Confidentiality of Substance Use Disorder Patient Records); Federal Trade Commission (FTC) Act; state laws governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

    Elliot has several appointments in the American Bar Association’s Science & Technology Law Section, including serving as the co-chair of the E-Privacy Law Committee, co-chair of the Privacy, Security and Emerging Technology Division, vice-chair of the Biotechnology, Healthcare Technology, and Medical Device Committee, and a Council Member. He also is a member of the Bloomberg BNA Health Care Innovations Board, a sought-after speaker and a prolific writer.

    Award Mouse thought multimedia interface book medal screen monitor
    • Led an engagement with a German multinational auto manufacturer on responding to a vendor security incident affecting information regarding approximately 3.3 million people in the US and Canada. Coordinated key internal stakeholders across US and Canadian business units, as well as third-party data analytics, cybersecurity and notification/credit monitoring vendors. We identified individuals impacted and the types of data at issue for each person; managed the notification process, including drafting notifications to individuals, regulators, credit reporting agencies and other third parties; prepared FAQs, press statements and other communications; and coordinated the establishment of a call center and informational website.
    • Advised a leading multinational telecommunications technology company on privacy considerations related to its US$500 million strategic partnership transaction with a cloud communications provider. Helped develop a mobile-centric Identity as a Service solution designed to authenticate identity using biometrics, quantum-safe computing and distributed ledger technology (including designing compliance with HIPAA, GLBA, CCPA, GDPR and many other laws and best practices).
    • Worked with a large integrated health system with provider and payer operations on complex digital health issues related to the new Information Blocking Rules, including the evaluation of information and entities in scope, the development of strategies for making information available through patient portals, and the development of policies and procedures.
    • Represented a provider of substance use disorder care in connection with leveraging the data analytics, patient communication and other advanced technologies. Developed an overall privacy and security compliance program, which included drafting policies and procedures, preparing consent forms and processes, and conducting training.
    • Advises companies on compliance requirements under the California Consumer Privacy Act, including by analyzing complex legal questions related to ambiguous provisions; drafting detailed policies and procedures; conducting data mapping; developing personalized individual rights response processes; preparing work plans and presentations; drafting and negotiating service provider contracts and data sharing agreements; and other similar compliance tasks.
    • Advised a leading multinational technology company on privacy and security issues, including compliance with HIPAA and other US laws, as well as international laws (including the GDPR). This included partnering with the client to create a mobile-centric Identity as a Service solution from scratch to help authenticate identity using biometrics and distributed ledger technology.
    • Assisted one of the preeminent grants management software providers in conducting a comprehensive privacy and cybersecurity review, negotiating data protection agreements, navigating cross-border data protection requirements and strengthening its processes. As an intermediary between numerous parties, including grant funders, grant applicants and other third parties, the client’s data handling practices raised nuanced issues and we helped ensure those practices were deemed essential.
    • Served as primary outside counsel for a major health plan, assisting with a wide range of high priority, as well as day-to-day privacy and cybersecurity issues.
    • Assisted a major health insurance company in responding to a governmental investigation into data breaches; advised on planning and remedial efforts and defended the client in resulting litigation.
    • Assisted a health plan organization in the development of a program that integrates medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment.
    • Drafted incident response plans and data breach response toolkits for multiple healthcare clients; led tabletop exercises to test those plans.
    • Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.).
    • Assisted a major automobile company in identifying personal information and other sensitive information within the organization and advised on data privacy and security issues.
    • Advised a large cloud service provider in HIPAA and GLBA compliance, including the design and revision of HIPAA privacy and security policies.
    • Assisted a large insurer/reinsurer in establishing a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, FTC Act and state security breach and record disposal laws).
    • Conducted overall due diligence assessment of compliance practices for network advertiser, including under DAA, NAI, etc. Reviewed and provided feedback on applicable contracts, designed a CCPA compliance program and provided other assistance.
    • Evaluated and analyzed obligations under the NAI Code with respect to the use of a data broker that collected potential health-related data for targeted advertisements.
    • Assessed distribution of ad tech across multinational systems for an international e-commerce platform, where data and practices are shared between multiple legal entities, in order to assess and improve compliance efforts under CCPA and other US laws. This included understanding complex and layered advertising practices, creation and use of custom audience segments (both as publisher and advertiser), third-party integration and involvement, assessing industry positions on evolving laws and regulations, and providing risk-conscious and practical guidance. Developed templates and documentation for the exercise.


    • George Washington University Law School, J.D., magna cum laude, Order of the Coif
    • University of Virginia, B.A., with distinction


    • District of Columbia, 2010
    • Maryland, 2009

    Memberships and Affiliations

    • Certified Information Privacy Professional (CIPP/US)
    • Co-Chair, Privacy, Security and Emerging Technology Division
    • Co-Chair, e-Privacy Committee
    • Vice-Chair, Biotechnology, Healthcare Technology, and Medical Devices Committee
    • Voting Member, Science and Technology Law Section Council
    • Member, Program Committee
    • Advisor, Uniform Law Commission, Online Privacy Protection Study Committee
    • Member, American Health Lawyers Association
    • Member, Bloomberg BNA Health Care Innovations Board

    {{insights.date}} {{insights.source}} {{insights.type}}
    {{blog.title}} {{blog.source}}

    • Bloomberg Law, “California Privacy Law Enforcement Risk Grows With New Rules,” August 2020.
      The rules explain in detail how businesses must carry out the law. For instance, businesses that tell their customers they don’t sell data, and then later wish to do so, would need to get consumers to opt-in twice. The rules also require companies to describe the process for verifying consumer requests to correct or delete data. “Most of the meat” of the law’s requirements are in the final regulations, said Elliot Golding, Data Privacy, Cybersecurity & Digital Assets partner at Squire Patton Boggs. Becerra had “more than enough” plain statute language for enforcement, but the rules give him an even stronger hand, he said.
    • OneTrust DataGuidance, “California: AG submits final CCPA regulations for approval,” June 2020.
      Elliot Golding, Partner at Squire Patton Boggs (US) LLP, told OneTrust DataGuidance, "There do not appear to be any material changes in the Regulations compared to the most recent March proposed draft. Along with the final Regulations submission, the AG published additional explanatory material and responses to public comments. Although such commentary may not carry the force of law, it does provide helpful guidance around how the AG could interpret ambiguous provisions."
    • Plan Advisor, “Shifting California Privacy Regulations Are Serious Business for Advisers,” February 14, 2020.
      According to a quartet of attorneys with the cybersecurity specialist law firm Squire Patton Boggs, the financial services industry is one of many business sectors that will feel the full brunt of the CCPA. For that reason, Glenn Brown, Lydia de la Torre, Elliot Golding and Ann LaFrance, all counsel or partners with the firm, say the financial services sector should remain engaged with the unfolding regulatory process surrounding the CCPA.
    • Bloomberg Law, “California Privacy Plan Aids Ad Tech Industry, Attorneys Say,” February 10, 2020.
      The updated proposed rules would also make clear that ad tech companies can continue to use individual data collected 90 days before that person requested the information not be sold to third parties. That change would make complying with the law easier, said Elliot Golding, data privacy and cybersecurity partner at Squire Patton Boggs.
    • Bloomberg Law, “Cyber Insurance Purchases Will Surge With California Privacy Law,” February 5, 2020.
      The provision will lead “to a barrage of litigation” that companies need to protect themselves from, said Elliot Golding, a partner at Squire Patton Boggs who counsels companies on privacy and cybersecurity matters.
    • Global Data Review News, “US Health Department Changing Substance Abuse Disclosure Rules,” September 20, 2019.
      The HHS’s proposed changes are to its Confidentiality of Substance Use Disorder Records regulations, which were originally implemented in 1975 to protect the privacy of people seeking treatment for drug addictions. As the US drug war was ramping up around that time, there were worries that “law enforcement authorities would go to clinics and round up their information,” Squire Patton Boggs partner Elliot Golding, a member of the firm’s health industry group leadership team, explained.
    • ACA International, “Examining the CCPA and Data Privacy Litigation,” June 3, 2019.
      California’s data privacy law, the California Consumer Privacy Act (CCPA), is set to take effect in January 2020. As businesses plan for compliance requirements of the new law before the effective date, the question remains – how will it connect to data privacy litigation? Squire Patton Boggs partners Petrina Hall McDaniel and Elliot Golding and associate Keshia Lipscomb weigh in on the issue in an article “Will the CCPA be the New TCPA for Plaintiffs” on the firm’s website.
    • Modern Healthcare,Anthem’s $16M Breach Settlement Reminds Others to Assess Their Cyber Risks,” October 16, 2018.
      Following Anthem’s record-breaking data breach settlement, Elliott Golding, a partner in the data privacy and cybersecurity practice group of Squire Patton Boggs, discusses proper risk assessments, the Office for Civil Rights and the National Institute of Standards and Technology.
    • Bloomberg Law’s Big Law Business, “First Digital Contraceptive App Spawns New Legal Questions,” October 11, 2018.
      The FDA approved a new digital contraceptive application, raising questions about potential legal risks associated with this app and those similar. Elliot Golding sheds light on these risks, including data privacy issues.
    • Becker’s Health IT & CIO Report, “Federal Court Reaffirms Individual Patients Cannot File HIPAA Lawsuits: 5 Things to Know,” June 26, 2018.
      A US district court judge in Washington DC reaffirmed the precedent that individual patients cannot file lawsuits for alleged HIPAA violations. Elliot Golding provides his knowledge of court decisions in response.'
    • Bloomberg Law, “Dumb Devices Smarten Up, Widening Data Security Enforcement Net,” December 27, 2017.
      Traditionally “dumb” products, such as toasters and light bulbs, are increasingly gaining internet connectivity, becoming “smart” internet of things devices with ongoing data security obligations. Elliot Holding speaks to Bloomberg Law on the sensitive nature and the large amounts of data being collected and the FTC’s enforcement stance.
    • Bloomberg Law, “Otsuka's Digital Drug: A Privacy Poison Pill?” December 27, 2017.
      The Food and Drug Administration last month approved Abilify MyCite, the first drug in the US embedded with a sensor that registers whether a patient has taken it. Elliot Golding discusses the benefits, as well as possible data privacy challenges that such medical technology can pose with Bloomberg Law.
    • Bloomberg BNA, “FTC Issues Privacy Guidance on Child Voice Recordings,” October 23, 2017.
      Companies will not face Federal Trade Commission enforcement actions for failing to obtain parental consent before collecting children’s voice recordings, if they are collected only to replace written commands and kept briefly, the agency said October 23. Elliot Golding speaks with Bloomberg BNA.
    • Bloomberg BNA, “Squire Patton Boggs Partner Elliot Golding on Health Privacy & Security,” June, 21, 2017.
      Data breaches, directors and officers liability, and the Internet of Things will be the hot areas in health privacy and security-related litigation, Elliot Golding recently told Bloomberg BNA.
    • Law360,Health Industry Lagging On Cybersecurity, Task Force Says,” June 6, 2017.
      In response to the release of the Health Care Industry Cybersecurity (HCIC) Taskforce Report, Elliot Golding, spoke to Law360 regarding the need for the healthcare industry to adopt "a proactive, risk-based approach to managing cybersecurity,” particularly given the rise of new connected technology.
    • Bloomberg BNA, “CardioNet $2.5M Settlement Is Wireless Health Privacy First,” April 24, 2017
      Wireless cardiac monitoring service, CardioNet Inc., has agreed to pay US$2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the US Department of Health and Human Services Office for Civil Rights (OCR) announced. Elliot Golding discusses OCR settlements in the CardioNet case and its implications for the healthcare sector more broadly with Bloomberg BNA.
    • Privacy Advisor, “Squire Patton Boggs continues privacy build-out,” March 9, 2017.
      Robin Campbell, CIPP/US, CIPM, and Elliot Golding, CIPP/US, have both transitioned to new positions at Squire Patton Boggs’ Washington DC office. Campbell is now co-chairing the Data Privacy, Cybersecurity & Digital Assets Practice Group at Squire Patton Boggs, where she will focus specifically on automotive issues. Golding took on the role of partner, with a healthcare focus. Squire Patton Boggs’ vast network of global offices and perspectives was a draw for both privacy pros.
    • Bloomberg BNA, “Horizon Healthcare to Pay N.J. $1.1M Over Stolen Laptops,” February 21, 2017.
      New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state US$1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders. Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs LLP in Washington DC, discusses with Bloomberg BNA.
    • Commercial Dispute Resolution, “Specialist partners join Squire Patton Boggs,” February 17, 2017.
      Data protection and cybersecurity partners head to Squire Patton Boggs as regulation in the US and Europe tightens. Squire Patton Boggs has made a string of hires on both sides of the Atlantic, adding expertise to its specialist disputes practices. In Washington DC, the firm has hired a pair of data and cybersecurity partners.
    • Law360, “Squire Patton Boggs Snags Crowell & Moring Privacy Lawyers,” February 14, 2017 (subscription required).
      Squire Patton Boggs LLP has made further inroads into one of the legal industry’s fastest growing practice areas with the addition of two partners to its data privacy and cybersecurity practice who join in their Washington DC offices.

    Speaking Engagements

    • Presenter, “Beyond HIPAA – Regulating Data in the Health Care Sector,” 31st Annual HIPAA Summit, March 2-4, 2022.
    • Moderator, “Healthcare Research: a Transatlantic and Trans-European Dialogue Summit,” Càtedra Microsoft Universitat de València Privacitat & Transformació Digital, November 23, 2021.
    • Speaker, “Data Roundup: Changes to Health Data Privacy, Security & Access Rules,” Washington Health Law Summit 2021, December 6, 2021.
    • Presenter, “Got Data?: How the Health Data Rules are Changing,” Arizona Society of Healthcare Attorneys Webinar, September 23, 2021.
    • Presenter, "Beyond HIPAA: Regulating Data in the Health Care Sector," ABA Webinar, September 9, 2021.
    • Presenter, “Got Data? How the Health Data Rules are Changing,” ABA Webinar, June 1, 2020.
    • Presenter, “Privacy + Security Forum Spring Academy 2021,” Virtual Event, May 24 – 26, 2021.
    • Presenter, “Understand and Prepare for the California Privacy Rights Act,” Webinar, January 21, 2021.
    • Presenter, “Privacy Law, Coronavirus, and Post-Pandemic Best Practices,” Bloomberg Law, Webinar, April 30, 2020.
    • Presenter, “Compliance/Regulatory: We scares because we CARES,” LeadsCouncil – Leadership Series, Webinar, April 9, 2020.
    • Presenter, “The Final California Consumer Privacy Act: What Are Your Obligations,” American Bar Association, Webinar, December 4, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act – What Are Your Obligations,” Squire Patton Boggs, Cleveland, Ohio, November 12, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act,” Society for Information Management, Cleveland, Ohio, November 11, 2019.
    • Presenter, “The ‘Final’ California Consumer Privacy Act – What Are Your Obligations,” Webinar, October 17, 2019.
    • Presenter, “Privacy and Security in a World Filled with Innovation,” CLE Seminar for Ohio Health Insurer In-House and General Counsel, Columbus, Ohio, September 18, 2019.
    • Panelist, “Keep Your Care Healthy: How to Prevent Your Digital Innovations from Calling In Sick,” American Health Lawyer’s Association Annual Meeting, Boston, MA, June 25 and 26, 2019.
    • Presenter, “Understanding and Preparing for the California Consumer Privacy Act," Webinar, May 7 and June 4, 2019.
    • Speaker, “A Discussion on Data Privacy and Cybersecurity in the Americas,” Lunch and Learn, Miami, April 16, 2019.
    • Presenter, “New Frontiers in Healthcare Data – Reaping the Rewards and Navigating the Risks,” International Performance Management Institute’s (IPMI) Healthcare Law & Compliance Institute, Napa, CA, March 4, 2019.
    • Presenter, “We’ve Got Data: Now What?” Lunch & Learn: Hot Topics in Data Privacy, FCPA and I-9 Compliance, Washington DC, October 24, 2018.
    • Presenter, “Medical Device Security and Privacy: Risks, Liability, and Recommendations,” Privacy and Security Forum, October 4, 2018.
    • Panelist, “When the Breach Alarm Sounds, Will You Be Ready?” Data Breach Masterclass, London, October 2, 2018.
    • Presenter, “Cybersecurity – Managing the Emerging Threat,” Association of Corporate Governance – Columbus, Columbus, OH, September 13, 2018.
    • Podcast interview, “Building Data Protections Into IoT Devices,” Information Security Media Group (ISMG), April 30, 2018.
    • Presenter, “Murder, Mayhem and Medical Devices: Liability for Patient Harm and Other Consequences when Internet-Connected Medical Devices are Hacked,” AHLA Physicians and Hospitals Law Institute, February 5 – 7, 2018.
    • Presenter, “Global Compliance Forum: Minimizing Risk to Protect Your Business Interests,” Squire Patton Boggs, November 1, 2017.
    • Presenter, “We’ve Got Data: Now What? Protecting Data in a Digital World,” ACC-Squire Patton Boggs, Tampa Bay, October 19, 2017.
    • Presenter, “Cybersecurity Update Panel,” Healthcare Executive Forum (HEF) webinar, July 11, 2017.
    • Presenter, “Cybersecurity and Service Providers: Strategies for Keeping Compliant when Dealing with Outside Vendors,” ACI Managed Care Disputes and Litigation, May 3, 2017.
    • Moderator, “Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More,” ABA Webinar, January 31, 2017.
    • Presenter, “Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture," Webinar, September 8, 2016.
    • Facilitator, “Cybersecurity Table Top for a Congressional Cyber Security Lab Program,” Wilson Center, Washington DC, June 10, 2016.
    • Panelist, “ABA Young Leaders on Cybersecurity, Privacy, & Information Law: Rapid-Fire Retrospectives on 2014 and Predictions for 2015,” ABA's PCL and SciTech Sections, teleconference, December 8, 2014.
    • Presenter, “Guess What? You're Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates,” AllClear ID Data Breach Response Services Webinar, November 12, 2013.
    • Presenter, “How to Manage a Data Breach Crisis (and Prevent the Next One), ABA Section of Science and Technology Law,” Information Security Committee Fall Meeting, Washington DC, October 26 – 27, 2013.
    • Presenter, “Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny,” L2 Federal Resources Webinar, September 19, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Washington DC, August 21 – 22, 2013.
    • Presenter, “Cyber Contracting Workshop for Contractors & Agencies,” Thomson West Federal Publications Seminar, Alpharetta, GA, May 30 – 31, 2013.


    Award Mouse thought multimedia interface book medal screen monitor