Elliot provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with particular expertise in the technology, health care/life sciences, retail/ecommerce, automotive and financial sectors. His practical approach gives clients actionable advice to help balance legal risk with business needs, particularly relating to innovative issues such as "digital health" technologies, biometrics, the Internet of Things, data monetization, online advertising technology and Artificial Intelligence/Machine Learning tools. He provides both day-to-day product counseling and helps companies develop global compliance programs that harmonize CCPA/CPRA (and equivalent laws in Virginia, Colorado, and Utah); GDPR and other international laws; specific rules in the highly regulated health and financial sectors (HIPAA/HITECH, ONC Information Blocking and CMS Interoperability Rules, 42 CFR Part 2, the Common Rule, GLBA, and state equivalents); marketing rules (TCPA, CAN-SPAM, and industry self-regulatory standards); security standards (such as PCI-DSS, NIST, and ISO); and many others. Elliot has also managed hundreds of breaches and ransomware attacks, guiding clients through all aspects of investigation, notification, remediation and engagement with regulators.
Elliot is IAPP certified (CIPP/US) and has been recognized in a number of industry rankings and awards, including by Bloomberg Law and Global Data Review. Elliot also co-chairs the American Bar Association’s SciTech Privacy, Security and Emerging Technology Division; E-Privacy Committee; and Biotechnology, Healthcare Technology, and Medical Device Committee.
Led an engagement with a German multinational auto manufacturer on responding to a vendor security incident affecting information regarding approximately 3.3 million people in the US and Canada. Coordinated key internal stakeholders across US and Canadian business units, as well as third-party data analytics, cybersecurity and notification/credit monitoring vendors. We identified individuals impacted and the types of data at issue for each person; managed the notification process, including drafting notifications to individuals, regulators, credit reporting agencies and other third parties; prepared FAQs, press statements and other communications; and coordinated the establishment of a call center and informational website
Advised a leading multinational telecommunications technology company on privacy considerations related to its US$500 million strategic partnership transactions with a cloud communications provider. Helped develop a mobile-centric Identity as a Service solution designed to authenticate identity using biometrics, quantum-safe computing and distributed ledger technology (including designing compliance with HIPAA, GLBA, CCPA, GDPR and many other laws and best practices)
Worked with a large integrated health system with provider and payer operations on complex digital health issues related to the new Information Blocking Rules, including the evaluation of information and entities in scope, the development of strategies for making information available through patient portals, and the development of policies and procedures
Represented a provider of substance use disorder care in connection with leveraging data analytics, patient communication and other advanced technologies. Developed an overall privacy and security compliance program, which included drafting policies and procedures, preparing consent forms and processes and conducting training
Advises companies on compliance requirements under the California Consumer Privacy Act, including by analyzing complex legal questions related to ambiguous provisions; drafting detailed policies and procedures; conducting data mapping; developing personalized individual rights response processes; preparing work plans and presentations; drafting and negotiating service provider contracts and data sharing agreements; and other similar compliance tasks
Advised a leading multinational technology company on privacy and security issues, including compliance with HIPAA and other US laws, as well as international laws (including the GDPR). This included partnering with the client to create a mobile-centric Identity as a Service solution from scratch to help authenticate identity using biometrics and distributed ledger technology
Assisted one of the preeminent grants management software providers in conducting a comprehensive privacy and cybersecurity review, negotiating data protection agreements, navigating cross-border data protection requirements and strengthening its processes. As an intermediary between numerous parties, including grant funders, grant applicants and other third parties, the client's data handling practices raised nuanced issues and we helped ensure those practices were deemed essential
Served as primary outside counsel for a major health plan, assisting with a wide range of high-priority, as well as day-to-day, privacy and cybersecurity issues
Assisted a major health insurance company in responding to a governmental investigation into data breaches; advised on planning and remedial efforts and defended the client in resulting litigation
Assisted a health plan organization in the development of a program that integrates medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment
Drafted incident response plans and data breach response toolkits for multiple healthcare clients; led tabletop exercises to test those plans
Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.)
Assisted a major automobile company in identifying personal information and other sensitive information within the organization and advised on data privacy and security issues
Advised a large cloud service provider on HIPAA and GLBA compliance, including the design and revision of HIPAA privacy and security policies
Assisted a large insurer/reinsurer in establishing a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, FTC Act and state security breach and record disposal laws)
Conducted an overall due diligence assessment of compliance practices for a network advertiser, including under DAA, NAI, etc. Reviewed and provided feedback on applicable contracts, designed a CCPA compliance program and provided other assistance
Evaluated and analyzed obligations under the NAI Code with respect to the use of a data broker that collected potential health-related data for targeted advertisements
Assessed distribution of ad tech across multinational systems for an international e-commerce platform, where data and practices are shared between multiple legal entities, in order to assess and improve compliance efforts under CCPA and other US laws. This included understanding complex and layered advertising practices, creation and use of custom audience segments (both as publisher and advertiser), third-party integration and involvement, assessing industry positions on evolving laws and regulations and providing risk-conscious and practical guidance. Developed templates and documentation for the exercise
American Bar Association, SciTech Privacy, Security and Emerging Technology Division, co-chair; E-Privacy Committee, co-chair; Biotechnology, Healthcare Technology, and Medical Device Committee, co-chair
American Health Lawyers Association, member
Bloomberg BNA Health Care Innovations Board, member