Overview
Elliot Golding (CIPP/US) has spent nearly 20 years providing privacy and cybersecurity advice to hundreds of clients spanning virtually every sector of the economy, with a particular focus on working with technology, healthcare, life sciences, financial and insurance, automotive, e-commerce, advertising technology, and telecommunication companies. He provides uniquely practical, risk-based, industry-benchmarked, and actionable advice to enable businesses to maximize data, support business needs while managing risk, and “get to yes” as an extension of his clients’ internal teams.
Elliot is a sought-out industry leader with deep technical experience on cutting-edge topics including advertising, cookies and online tracking technologies, data monetization strategies, digital health tools, and artificial intelligence (AI). He also has deep technical and operational experience – including a two-year Chief Privacy Officer secondment to a large health insurance company – designing and technically implementing global privacy programs that harmonize US laws (like the California Consumer Privacy Act, Washington My Health My Data, and equivalent laws in over 20 states); health and financial-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and insurance rules; marketing rules such as the Telephone Consumer Protection Act and the Controlling the Assault of Non-Solicited Pornography and Marketing Act; and the full range of other US and global laws such as the General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act. Elliot has also managed hundreds of breaches and ransomware attacks, guiding clients through all aspects of investigation, notification, remediation, and engagement with regulators.
Elliot has been recognized in many industry rankings and awards, including by Chambers USA, Legal 500 US, Bloomberg Law, Global Data Review, and the National Law Journal. Elliot also chairs the American Bar Association’s E-Privacy Committee.
Results
- Advised an auto sector company on numerous complex issues, including building and operationalizing a harmonized privacy program at the intersection of state privacy laws and financial privacy laws. This work included troubleshooting highly technical issues, including cookie consent management, data subject rights, and addressing other issues. Together this work required creating a one-of-a-kind, novel program from scratch and supporting its implementation
- Advised a global biopharmaceutical company on complex cookie compliance obligations, including synthesizing requirements and risks under consumer health and health privacy laws, both in the US and internationally
- Advised a sports team to design and implement a retail media advertising network
- Advising a multinational automotive manufacturer with day-to-day privacy and product counseling issues that arise, including designing and implementing data subject rights processes, cookies and marketing initiatives, autonomous vehicles, usage-based insurance, connected vehicle services, and otherwise developing and improving its comprehensive privacy program. Assisted with financial-specific strategic initiatives, such as developing and commercializing numerous new business lines, including the backend and consumer-facing web and mobile front-end environments
- Assisted over 100 clients with cookie compliance and risk management, including performing technical cookie audits, configuring and troubleshooting backend cookie consent tools, conducting extensive technical remediation and troubleshooting, facilitating “bet the company” business-risk decisions, and designing and implementing governance programs
- Defended dozens of clients in connection with litigation and pre-suit demand letters, alleging that the use of ordinary website technologies violates state and federal wiretapping laws
- Advised a leading US wireless carrier with numerous complex data governance issues, including advising on advertising and data monetization initiatives, overhauling its records retention program from scratch, and preparing dozens of business-facing guides to operationalize key data management issues
- Assisted a programmatic advertising company that specializes in cross-channel solutions to launch a health-focused advertising vertical in compliance with state and federal laws and industry guidance
- Advised a multinational health and wellness company on a variety of data privacy and marketing matters, including children’s privacy issues involving modern technologies; operational, business, and legal considerations in handling and using genetic and biometric data; integrating two acquired companies into the company’s existing privacy compliance program; revising multiple privacy policies to ensure harmonization of existing language with best practices and compliance obligations; and global cookie compliance advice
- Advised a global financial services firm on the review and updating of cookie compliance processes to balance business needs with litigation and regulatory risk mitigation. Developed a technical step-by-step cookie operational guide to help configure its front- and back-end processes
- Advised a telecommunication company on developing AI products and integrations that have raised numerous complex issues and involved developing a risk management strategy from the ground up. Also helped extensively with cookies and other data management issues
- Advised a provider of health information networking services on developing and implementing a state privacy law compliance program and assisting with evaluating and developing secondary use cases for data and broader data strategies program
- Led an engagement with a German multinational auto manufacturer on responding to a vendor security incident affecting information regarding approximately 3.3 million people in the US and Canada. Coordinated key internal stakeholders across US and Canadian business units, as well as third-party data analytics, cybersecurity and notification/credit monitoring vendors. We identified individuals impacted and the types of data at issue for each person; managed the notification process, including drafting notifications to individuals, regulators, credit reporting agencies and other third parties; prepared FAQs, press statements and other communications; and coordinated the establishment of a call center and informational website*
- Represented a large multi-state health system on data security events, including extensive assistance securing file closures with no violation findings in response to Office for Civil Rights and state Attorneys General investigations. Also designed and implemented a completely overhauled record retention program, including detailed technical implementation to automate.
- Advised a leading multinational telecommunications technology company on privacy considerations related to its US$500 million strategic partnership transactions with a cloud communications provider. Helped develop a mobile centric Identity as a Service solution designed to authenticate identity using biometrics, quantum-safe computing and distributed ledger technology (including designing compliance with HIPAA, GLBA, California Consumer Privacy Act (CCPA), GDPR and many other laws and best practices)*
- Worked with a large integrated health system with provider and payer operations on complex digital health issues related to the new Information Blocking Rules, including the evaluation of information and entities in scope, the development of strategies for making information available through patient portals, and the development of policies and procedures*
- Represented a provider of substance use disorder care in connection with leveraging data analytics, patient communication and other advanced technologies. Developed an overall privacy and security compliance program, which included drafting policies and procedures, preparing consent forms and processes and conducting training*
- Advises companies on compliance requirements under the CCPA, including by analyzing complex legal questions related to ambiguous provisions; drafting detailed policies and procedures; conducting data mapping; developing personalized individual rights response processes; preparing work plans and presentations; drafting and negotiating service provider contracts and data sharing agreements; and other similar compliance tasks*
- Advised a leading multinational technology company on privacy and security issues, including compliance with HIPAA and other US laws, as well as international laws (including the GDPR). This included partnering with the client to create a mobile centric Identity as a Service solution from scratch to help authenticate identity using biometrics and distributed ledger technology*
- Assisted one of the preeminent grants management software providers in conducting a comprehensive privacy and cybersecurity review, negotiating data protection agreements, navigating cross-border data protection requirements and strengthening its processes. As an intermediary between numerous parties, including grant funders, grant applicants and other third parties, the client’s data handling practices raised nuanced issues and we helped ensure those practices were deemed essential*
- Served as primary outside counsel for a major health plan, assisting with a wide range of high priority, as well as day-to-day privacy and cybersecurity issues*
- Assisted a major health insurance company in responding to a governmental investigation into data breaches; advised on planning and remedial efforts and defended the client in resulting litigation*
- Assisted a health plan organization in the development of a program that integrates medical products with the Internet of Things by collecting vital signs, alerting physicians and transmitting data to a consumer-facing cloud environment*
- Drafted incident response plans and data breach response toolkits for multiple healthcare clients; led tabletop exercises to test those plans*
- Conducted comprehensive privacy and cybersecurity assessments for several large clients (in sectors such as healthcare, defense and transportation), which included performing data surveys and interviews, assessing governance and recommending improvements, providing vendor contracting advice and drafting policies and procedures (e.g., internal and external-facing privacy statements, security policies, document retention policies, etc.)*
- Assisted a major automobile company in identifying personal information and other sensitive information within the organization and advised on data privacy and security issues*
- Advised a large cloud service provider in HIPAA and GLBA compliance, including the design and revision of HIPAA privacy and security policies*
- Assisted a large insurer/reinsurer in establishing a data classification system as part of a complete privacy and security policy overhaul and provided detailed advice regarding implementation of best practices and compliance with wide-ranging state and federal laws (e.g., HIPAA, GLBA, Federal Trade Commission Act and state security breach and record disposal laws)*
- Conducted an overall due diligence assessment of compliance practices for a network advertiser, including under DAA, NAI, etc. Reviewed and provided feedback on applicable contracts, designed a CCPA compliance program and provided other assistance*
- Evaluated and analyzed obligations under the NAI Code with respect to the use of a data broker that collected potential health-related data for targeted advertisements*
- Assessed distribution of ad tech across multinational systems for an international e-commerce platform, where data and practices are shared between multiple legal entities, in order to assess and improve compliance efforts under CCPA and other US laws. This included understanding complex and layered advertising practices, creation and use of custom audience segments (both as publisher and advertiser), third-party integration and involvement, assessing industry positions on evolving laws and regulations and providing risk-conscious and practical guidance. Developed templates and documentation for the exercise*
*Matter handled prior to joining the firm.
Recognitions
- Chambers USA, Up and Coming, 2023-2024; Privacy & Data Security, 2025
- Legal 500 US, Recommended Lawyer, 2023-2025
- Lexology Data 100, Recommended, 2026
- Thomson Reuters, Stand-out Lawyer – independently rated lawyers, 2023-2026
- The National Law Journal, DC Rising Star, 2022
- Bloomberg Law “They’ve Got Next” Rising Star, 2021
Community
- American Bar Association, SciTech Privacy, Security and Emerging Technology Division, co-chair; E-Privacy Committee, co-chair; Biotechnology, Healthcare Technology, and Medical Device Committee, co-chair; Science & Technology Law Section committee member
- American Health Lawyers Association, member
- Certified Information Privacy Professional (CIPP/US)
- Uniform Law Commission, Online Privacy Protection Study Committee, advisor
Credentials
Education
George Washington University Law School, JD, magna cum laude, Order of the Coif
University of Virginia, BA, with distinction
Admissions
District of Columbia
Maryland