919.228.2902
ejohnson@wyrick.com
Bio
Elizabeth is a member of the firm’s Privacy & Data Security Practice Group. Her practice addresses all aspects of U.S. privacy and data security law, as well as GDPR and international data transfer mechanisms. Elizabeth enjoys helping clients with compliance initiatives to address privacy and data security and has assisted with a wide variety of implementation projects including data subject rights portals, targeted and contextual advertising, data monetization, telehealth, mobile applications ranging from wellness programs to ecommerce to gaming, precise location tracking, biometric authentication, and complex customer insights initiatives including fraud prevention. Elizabeth also supports all aspects of data breach preparation and response, including leading forensic investigations, advising on extortion and ransomware response, supporting notification to affected parties, coordinating with law enforcement, and handling government agency notifications and inquiries.
Elizabeth’s experience addresses all major U.S. privacy laws as well as the General Data Protection Regulation (GDPR) and international data transfer restrictions including SCC implementation. Among the U.S. laws she advises on regularly are: California Consumer Privacy Rights Act (CPRA/CCPA) and analogs in dozens of other states, HIPAA, “Part 2” pertaining to substance use disorders, Washington’s My Health My Data Act and similar state statutes, Gramm-Leach-Bliley Act, the FCRA, the Telephone Consumer Protection Act or TCPA, CAN-SPAM, data security breach notification, COPPA, and VPPA. She also helps clients with government agency inquiries pertaining to privacy and data security, such as HIPAA compliance reviews conducted by the U.S. Department of Health and Human Services. Her breach response experience includes a variety of incident types, including ransomware matters, external system intrusions, malicious employee activity, and lost or stolen electronic and hard copy records.
Elizabeth received her BA, magna cum laude, from Coe College as a Phi Beta Kappa graduate and her JD, cum laude, from Duke University.
Prior to entering private practice, Elizabeth was a law clerk for The Honorable William L. Osteen, U.S. District Court, Middle District of North Carolina.
Elizabeth speaks and writes frequently on privacy matters. Visit our privacy law blog to read her take on current data privacy-related events.
- BTI Client Service All-Star, BTI Consulting Group 2022
- Business North Carolina, “Legal Elite – Under 40 Young Guns,” 2009, 2011; “Intellectual Property” 2019
- Super Lawyers Magazine, “North Carolina Super Lawyers,” 2022-2026; “Rising Star,” 2009-2017
- Triangle Business Journal, “50 To Watch in Business,” 2013
- North Carolina Bar Association, Ethics Committee: Member (2024)
- Former Adjunct Professor, University of North Carolina School of Law
- North Carolina State Bar Privacy & Information Security Specialization Committee, Vice Chair (2015-2025)
- International Association of Privacy Professionals
- North Carolina State Bar
- North Carolina Bar Association
- Responded to regulatory enforcement actions regarding U.S. privacy and data security matters including data breach response, security implementation, online tracking initiatives, and use of sensitive data
- Advised Fortune 50 clients on implementation of novel privacy laws including extensive data mapping and implementation of consumer privacy rights requirements
- Assisted clients in media, retail, financial services, health care and global payments to address emerging data-driven initiatives including biometrics as a consumer authentication measure, data monetization, connected cars, smart homes, and extensive online tracking technologies.
- Led data breach responses for hundreds of clients arising from ransomware, business email compromise, hacking, employee malfeasance, misdirected communications, physical break-ins, and other root causes.
- Structured breach response programs and readiness exercises for multiple clients including global SaaS provider, large retailers, global clinical research organization, and Fortune 500 professional services company.
- Directed privileged forensic investigations, vulnerability assessments, and compliance reviews for clients in the retail, health care, insurance, payments, financial services, life sciences, professional services, and technology sectors.
- Advised clients on consolidation and application of multiple privacy legal schemes applicable to their business, such as CCPA/CPRA, emerging state privacy laws including Washington’s My Health My Data Act, HIPAA, GDPR, GLBA, TCPA, CAN-SPAM, VPPA, and Part 2.
- Advised clients regarding privacy and data security considerations for buy-side and sell-side mergers and acquisitions across various industries.
- Negotiated complex agreements involving data licensing, EMR integrations, media services including ad tech, telehealth deployment, and other multimillion dollar technology services.
- Implemented international data transfer mechanisms and Schrems risk including model clauses/standard contractual clauses and Privacy Shield for various clients, including several global technology vendors.
- Privacy and Information Security Law Specialist, North Carolina State Bar Board of Legal Specialization
- Certified Information Privacy Professional/United States (CIPP/US), International Association of Privacy Professionals
Recent posts from our privacy and data security blog, Practical Privacy.
- Connecting the Dots: Privacy Law Updates from the Nutmeg State
- The Justice Department’s New Rule on Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons: A Guide to Determining Whether Your Business is Covered
- Something Old, Something New: Latest NYDFS Cybersecurity Regulation Enforcement Action Emphasizes Policy Implementation, Training, and Effective Access Controls
- Addressable No More: HHS Proposes Significant Changes to HIPAA Security Rule
- Everything Is Bigger in Texas…Except for Reproductive Privacy Rights
- FTC Flags a New Form of Unsportsmanlike Conduct via Notice of Penalty Offense
- My Health, My Data, My Class Action Lawsuit: Why the Washington My Health My Data Act Deserves EVERY Company’s Attention
- Abracadabra! The FTC Pulls a New Federal Breach Notice Standard out of its Hat
- Worried about Ransomware? Ten Steps to Help Legal Counsel Understand and Mitigate the Risk
- CUL8R TCPA: SCOTUS Delivers a BFD Opinion in TXT MSG Litigation Landscape
- No Silver Linings: EDPB Issues a Grim Forecast on U.S.-Based Cloud and Data Access with New Guidance
- European Data Protection Board Confirms: No Safe Harbor for Privacy Shield Members
- What’s in Your Wallet? Five Tips to Protect Forensic Reports from Discovery Post-Capital One
- Infinity War: Exploring the State Data Security Law Multiverse and Its Newest Member (the NY SHIELD Act)
- Dissecting OCR HIPAA Penalties: Why small breaches continue to drive big settlements and penalties
- Record GDPR Fine of $230M Places Emphasis on Data Security
- Elizabeth Johnson speaks to ACC Docket: 5 Points to Consider When Upgrading Your Cybersecurity Plan
- 2018 Actions Show North Carolina Attorney General Emerging as Leading Privacy Enforcer
- Client Alert: First OCR HIPAA Settlement with a Business Associate Highlights Seriousness of Increased Scrutiny on Vendors
- Client Alert: Double Jeopardy—The Growing Trend of Privacy Regulators Piling On Multiple Enforcement Actions after a Data Breach
- Navigating Scope, Requirements and Risk in Health Privacy Law: Developments and Trends, North Carolina Bar Association, October 24, 2025
- Life Sciences Cybersecurity and Data Privacy, American Conference Institute, June 4, 2025
- Prepare, Predict, Protect: Cybersecurity Strategies to Implement Now, Wells Fargo Technology Event, April 10, 2025
- My Health My Data My Class Action Lawsuit, IAPP, October 31, 2023
- Capture the Privacy Red Flag: Privacy Issue Spotting for the Non-Privacy Lawyer, North Carolina Bar Association Corporate Counsel Section Annual Program, January 24, 2023
- Preparing for a Ransomware Attack, NC Commissioner of Banks Institute panel, October 7, 2022
- Updates to Federal Agency Breach Notification Standards, The Year in Privacy (2022), October 6, 2022
- Not ‘If’ But ‘When’: Preparing for Success in the Current Cybersecurity & Ransomware Environment, UNC Banking Institute panel, March 31, 2022
- Worried about Ransomware? Ten Steps for Counsel to Understand and Mitigate the Risk, Association of Corporate Counsel, November 17, 2021
- SolarWinds of Change: Annual Privacy Law Review, NCBA Privacy and Data Security Section Meeting, October 28, 2021
- This Year in Privacy, NCBA Annual Review 2021, October September 14, 2021
- Hindsight is 2020: Annual Privacy Law Review, NCBA 2020 Annual Review, October 16, 2020
- A Lawyer’s Role in Cyber Attacks, ACC Annual Meeting 2020, October 15, 2020
- This Year in Privacy, NCBA Privacy and Data Security Section Annual Meeting, September 17, 2020
- IAPP Privacy Tracker | Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption.
- “Which Cyber Regulations to Worry About?” Wall Street Journal Pro’s Cybersecurity Symposium, Charlotte, NC, March 9, 2020
- Navigating a Watershed Law: CCPA, UNC Festival of Legal Learning, February 8, 2019
- HIPAA Security Risk Analysis, Client CLE, January 23, 2019
- Data Breach Response and Emerging Privacy Law, VACO, January 22, 2019
- HIPAA Basics, Client CLE, January 18, 2019
- Data Security Laws and Risk Management, Client CLE, November 30, 2018
- CCPA: Key Requirements and Areas of Confusion, IAPP Knowledgenet, November 28, 2018
- Paging All Healthcare Professionals: The CCPA Deserves Your Attention, International Association of Privacy Professionals, November 9, 2018
- NCTA Emerging Technologies & Trends Series “Connecting Your Workforce Through Mobile Apps”, Panel Moderator, June 23, 2011
