Elizabeth H. Johnson
Bio
Elizabeth is a member of the firm’s Privacy & Data Security Practice Group. Her practice addresses all aspects of U.S. privacy and data security law, as well as GDPR and international data transfer mechanisms. Elizabeth enjoys helping clients with compliance initiatives to address privacy and data security and has assisted with a wide variety of implementation projects including data subject rights portals, data monetization, targeted and contextual advertising, telehealth, health information exchanges, mobile applications ranging from wellness programs to ecommerce to gaming, precise location tracking, biometric authentication, and complex customer insights initiatives including fraud prevention. Elizabeth also supports all aspects of data breach preparation and response, including leading forensic investigations, advising on extortion and ransomware response, supporting notification to affected parties, coordinating with law enforcement, and handling government agency notifications and inquiries.
Elizabeth’s experience addresses all major U.S. privacy laws as well as the General Data Protection Regulation (GDPR) and international data transfer restrictions including SCC implementation. Among the U.S. laws she advises on regularly are: California Consumer Privacy Rights Act (CPRA/CCPA) and analogs such as Virginia’s CDPA, Colorado’s CPA, Connecticut’s DPA, Utah’s CPA etc., HIPAA, “Part 2” pertaining to substance use disorders, Washington’s My Health My Data Act and similar state statutes, Gramm-Leach-Bliley Act, the FCRA, the Telephone Consumer Protection Act or TCPA, CAN-SPAM, data security breach notification, COPPA, and VPPA. She also helps clients with government agency inquiries pertaining to privacy and data security, such as HIPAA compliance reviews conducted by the U.S. Department of Health and Human Services. Her breach response experience includes a variety of incident types, including ransomware matters, external system intrusions, malicious employee activity, and lost or stolen electronic and hard copy records.
Elizabeth received her BA, magna cum laude, from Coe College as a Phi Beta Kappa graduate and her JD, cum laude, from Duke University. She also received her Master of Environmental Management from Duke University Nicholas School of Earth and Environmental Sciences.
Prior to entering private practice, Elizabeth was a law clerk for The Honorable William L. Osteen, U.S. District Court, Middle District of North Carolina.
Elizabeth speaks and writes frequently on privacy matters. Visit our privacy law blog to read her take on current data privacy-related events.
- BTI Client Service All-Star, BTI Consulting Group 2022
- Business North Carolina, “Legal Elite – Under 40 Young Guns,” 2009, 2011; “Intellectual Property” 2019
- Super Lawyers Magazine, “North Carolina Super Lawyers,” 2022-2024; “Rising Star,” 2009-2017
- Triangle Business Journal, “50 To Watch in Business,” 2013
- North Carolina Bar Association, Ethics Committee: Member (2024)
- Former Adjunct Professor, University of North Carolina School of Law
- North Carolina State Bar Privacy & Information Security Specialization Committee, Vice Chair
- International Association of Privacy Professionals
- North Carolina State Bar
- North Carolina Bar Association
- Advised Fortune 50 client on implementation of novel privacy law including extensive data mapping and implementation of consumer privacy rights requirements
- Led data breach responses for hundreds of clients arising from ransomware, business email compromise, hacking, employee malfeasance, misdirected communications, physical break-ins, and other root causes.
- Structured breach response programs and readiness exercises for multiple clients including global SaaS provider, large retailers, global clinical research organization, and Fortune 500 professional services company.
- Directed privileged forensic investigations, vulnerability assessments, and compliance reviews for clients in the retail, health care, insurance, payments, financial services, life sciences, professional services, and technology sectors.
- Advised clients on consolidation of multiple privacy legal schemes applicable to their business, such as CCPA/CPRA, emerging state privacy laws including Washington’s My Health My Data Act, HIPAA, GDPR, GLBA, TCPA, CAN-SPAM, VPPA, and Part 2.
- Advised clients regarding privacy and data security considerations for buy-side and sell-side mergers and acquisitions across various industries.
- Advised retail, health care, and insurance clients regarding text and robocall compliance programs and TCPA-mitigation strategies.
- Negotiated complex agreements involving data licensing, EMR integrations, media services including ad tech, telehealth deployment, and other multimillion-dollar technology services.
- Advised retail, financial services, and global payments companies on implementation of facial recognition as a consumer authentication measure.
- Implemented international data transfer mechanisms and Schrems risk including model clauses/standard contractual clauses and Privacy Shield for various clients, including several global technology vendors.
- Privacy and Information Security Law Specialist, North Carolina State Bar Board of Legal Specialization
- Certified Information Privacy Professional/United States (CIPP/US), International Association of Privacy Professionals
Recent posts from our privacy and data security blog, Practical Privacy.
- Everything Is Bigger in Texas…Except for Reproductive Privacy Rights
- FTC Flags a New Form of Unsportsmanlike Conduct via Notice of Penalty Offense
- My Health, My Data, My Class Action Lawsuit: Why the Washington My Health My Data Act Deserves EVERY Company’s Attention
- Abracadabra! The FTC Pulls a New Federal Breach Notice Standard out of its Hat
- Worried about Ransomware? Ten Steps to Help Legal Counsel Understand and Mitigate the Risk
- CUL8R TCPA: SCOTUS Delivers a BFD Opinion in TXT MSG Litigation Landscape
- No Silver Linings: EDPB Issues a Grim Forecast on U.S.-Based Cloud and Data Access with New Guidance
- European Data Protection Board Confirms: No Safe Harbor for Privacy Shield Members
- What’s in Your Wallet? Five Tips to Protect Forensic Reports from Discovery Post-Capital One
- Infinity War: Exploring the State Data Security Law Multiverse and Its Newest Member (the NY SHIELD Act)
- Dissecting OCR HIPAA Penalties: Why small breaches continue to drive big settlements and penalties
- Record GDPR Fine of $230M Places Emphasis on Data Security
- Elizabeth Johnson speaks to ACC Docket: 5 Points to Consider When Upgrading Your Cybersecurity Plan
- 2018 Actions Show North Carolina Attorney General Emerging as Leading Privacy Enforcer
- Client Alert: First OCR HIPAA Settlement with a Business Associate Highlights Seriousness of Increased Scrutiny on Vendors
- Client Alert: Double Jeopardy—The Growing Trend of Privacy Regulators Piling On Multiple Enforcement Actions after a Data Breach
- My Health My Data My Class Action Lawsuit, IAPP, October 31, 2023
- Capture the Privacy Red Flag: Privacy Issue Spotting for the Non-Privacy Lawyer, NC Bar Association, January 24, 2023
- Preparing for a Ransomware Attack, NC Commissioner of Banks Institute panel, October 7, 2022
- Updates to Federal Agency Breach Notification Standards, The Year in Privacy (2022), October 6, 2022
- Not ‘If’ But ‘When’: Preparing for Success in the Current Cybersecurity & Ransomware Environment, UNC Banking Institute panel, March 31, 2022
- Worried about Ransomware? Ten Steps for Counsel to Understand and Mitigate the Risk, Association of Corporate Counsel, November 17, 2021
- SolarWinds of Change: Annual Privacy Law Review, NCBA Privacy and Data Security Section Meeting, October 28, 2021
- This Year in Privacy, NCBA Annual Review 2021, October September 14, 2021
- Hindsight is 2020: Annual Privacy Law Review, NCBA 2020 Annual Review, October 16, 2020
- A Lawyer’s Role in Cyber Attacks, ACC Annual Meeting 2020, October 15, 2020
- This Year in Privacy, NCBA Privacy and Data Security Section Annual Meeting, September 17, 2020
- IAPP Privacy Tracker | Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption.
- “Which Cyber Regulations to Worry About?” Wall Street Journal Pro’s Cybersecurity Symposium, Charlotte, NC, March 9, 2020
- Navigating a Watershed Law: CCPA, UNC Festival of Legal Learning, February 8, 2019
- HIPAA Security Risk Analysis, Client CLE, January 23, 2019
- Data Breach Response and Emerging Privacy Law, VACO, January 22, 2019
- HIPAA Basics, Client CLE, January 18, 2019
- Data Security Laws and Risk Management, Client CLE, November 30, 2018
- CCPA: Key Requirements and Areas of Confusion, IAPP Knowledgenet, November 28, 2018
- Paging All Healthcare Professionals: The CCPA Deserves Your Attention, International Association of Privacy Professionals, November 9, 2018
- Annual Privacy Law Review, NCBA, October 25, 2018
- Fintech and Consumer Relationships, Bank Directors’ Forum, North Carolina Commissioner of Banks, October 12, 2018
- OCR Enforcement and Priorities, Client CLE, August 27, 2018
- Panel on Cybersecurity, UNC, February 9, 2018
- Panel on Security Breach Preparation, NCBA, January 26, 2018
- GDPR: Practical Implementation and Hype, Association of Corporate Counsel, November 16, 2017
- Panel on Data Analytics in Health Research, UNC, October 26, 2017
- Annual Privacy Law Review, NCBA, October 19, 2017
- Showcase Showdown: HIPAA Enforcement, Client CLE, October 10, 2017
- Panel on HIPAA Enforcement, NC Society of Health Care Attorneys, October 6, 2017
- OCR Enforcement and Patient Outreach, Client CLE, October 3, 2017
- Data Breach Practice Tips, Association of Corporate Counsel, September 27, 2017
- FTC Enforcement and Priorities, Client CLE, September 7, 2017
- OCR HIPAA Audits, Association of Corporate Counsel, July 13, 2017
- Emerging Privacy Issues in Health Care, Academic Medical Center Privacy and Security Forum, NCMICA, June 14, 2017
- NC Technology Association: State of Technology, General Data Protection Regulation Preparedness Panel, May 5, 2017
- Sentinel Risk Advisors: Cyber Risk Management and Preparedness, February 28, 2017
- Wake Forest University: Banking Law Symposium Cybersecurity Panel, February 10, 2017
- Campbell University, Privacy Law Seminar, February 7, 2017
- NC Bar Association: Annual Corporate Counsel Meeting, Data Breach Response Panel, January 27, 2017
- WRAL TechWire Executive Exchange: The Future of Mobile Health, September 27, 2016
- Cybersecurity for Corporate Directors, Research Triangle Chapter of the National Association of Corporate Directors, September 15, 2016
- Cyber Attack: Vulnerabilities and HR Compliance, NC Chamber HR Compliance Conference, September 14, 2016
- Cybersecurity Risk and Preparedness, Joint Presentation with FBI, Hughes Pittman Gupton Annual Client Event, July 21, 2016
- Data Wars: Emerging Trends and Risk in Privacy and Data Security Law, Manpower Legal Group Annual CLE Event, July 14, 2016
- Academic Medical Centers’ and Business Associates’ Complex Privacy & Data Security Compliance, NCHICA Academic Medical Center Conference, June 28, 2016
- Key Issues & Ingredients of Compliant & Effective Information Governance, NCHICA Academic Medical Center Conference, June 27, 2016
- Cyber, Lawyers, and Risk: Where We Are Headed in 2016, Blue Cross Blue Shield North Carolina Annual IT Summit, March 17, 2016
- Best Legal Practices for Information Security and Privacy, Advising private and governmental clients – NC State Lawyers Alumni Annual Meeting, October 30, 2015
- The Data Breach Files: Your Data Is Out There, Blue Cross Blue Shield North Carolina Annual Legal Summit, October 16, 2015
- HIPAA Security Risk Analysis and Enforcement, NC AHHC Annual Meeting, September 28, 2015
- Cyber Security in Vendor Relationship Management, Blue Cross Blue Shield Association Annual Summit, September 22, 2015
- Here Come the Other Feds: FTC Enforcement in Privacy and Data Security, NC Bar Association, Health Law Section Annual Meeting, April 23, 2015
- Panel Member, Triangle Business Journal’s Cyber Security Symposium, April 16, 2015
- Cyber Security: U.S. Legal Update, British American Business Council, March 9, 2015
- Emerging Privacy and Security Risks in Ecommerce, ROI, February 2015
- Data Breach Response, NC League of Municipalities Annual Managers Meeting, February 5, 2015
- The Role of In-House Counsel Before, During and After a Data Breach, NC Bar Association, Corporate Counsel Annual Meeting, January 30, 2015
- Parade of Horribles: Update on 2014 Privacy and Data Security Enforcement, Carolina Privacy Officials Network, January 24, 2015
- HIPAA Bingo: Everyone’s a Loser, Carolina Privacy Officials’ Network Annual Meeting, January 23, 2015
- Security Breach Response Overview: Legal Requirements and Response Tips, North Carolina League of Municipalities, Fall 2014
- Security Compliance and Strategy: Key Issues to Survive Agency Audits, North Carolina Healthcare Facilities Association, August 5, 2014
- Hispanic National Bar Association Corporate Counsel Section, Privacy Law Update, November 21, 2013
- Campbell Law Review Annual Symposium, Keynote Speaker, October 18, 2013
- North Carolina League of Municipalities, Breach Notification and Information Security Legal Requirements, October 14, 2013
- North Carolina Assisted Living Association, The Final Omnibus HIPAA/HITECH Rules: What They Mean for You, October 9, 2013
- RTP CFO Forum, Hackers and Spammers and Malware, Oh My! Pulling Back the Curtain on Cyber Security and Breach, August 2, 2013
- Hughes Pittman Gupton Annual Client Seminar, Privacy and Information Security: An Update on Legal Risks and Requirements, July 11, 2013
- North Carolina Medical Society, New HIPAA/HITECH Rules: Strategy and Risk Mitigation (Part II), May 23, 2013
- Association of Home and Hospice Care, The Final Omnibus HIPAA/HITECH Rules: What They Mean for You, March 26, 2013 and April 5, 2013
- International Association of Privacy Professionals, Privacy Summit, The Art of BYOD Implementation: A Case Study at the World’s Largest Employer, March 7, 2013
- UNC Festival of Legal Learning, Breach Notification and Security Legal Requirements, February 8, 2013
- Carolina Privacy Officials Network, Blink and You Missed It: Recap of 20 Major Privacy Events from Last 60 Days, January 21, 2013
- Consero, Corporate Compliance and Ethics Forum, Privacy and Data Security Panel, October 28, 2012
- Hughes Pittman Gupton/Poyner Spruill Client Event, Cybersecurity Panel, September 27, 2012
- Peak 10 Forum, Cloud Computing Compliance Panel, August 23, 2012
- North Carolina Bankers Association, Security Summit, Emerging Legal Requirements in Information Security, May 10, 2012
- North Carolina Medical Society, New HIPAA/HITECH Rules: Compliance and Implementation (Part I), May 9, 2012
- MD HIMSS Spring Conference: Emerging Legal Risks in Social Media for Health Care Providers, April 26, 2012
- Guest Lecturer, Privacy Law Seminar, University of North Carolina School of Law, 2008-2012
- NCTA’s State of Technology: Big Data – Privacy and Security, April 13, 2012
- NCHIMA Spring Meeting: Emerging Legal Risks in Social Media for Health Care Providers, April 13, 2012
- NCHCFA “All Things Audit” Conference: OCR HIPAA Audits: What to Expect and How to Prepare, April 9, 2012
- RTP CFO Forum: Emerging Privacy and Data Protection Requirements and Risks, April 6, 2012
- VACO Event: Managing Social Media in the Workplace, March 21, 2012
- CPON Data Privacy Day Symposium: Proposed Revisions to EU Data Protection Directive, January 28, 2012
- Cherry, Bekaert & Holland, Critical Times & Critical Issues: Solutions to Financial & Operational Challenges, Emerging Privacy and Security Risks, December 7, 2011
- Twin Cities Privacy Network, Minnesota Health Privacy Summit, Social Media and Mobile Devices in Health Care, November 30, 2011
- The Advisory Group, Key Steps to Help Avoid a Major Privacy or Security Headache, November 2, 2011
- UNC-C Annual Cybersecurity Symposium, The Good, the Bad, and the Really, Really Ugly: in Federal Legislative Proposals and Government Initiatives, October 11, 2011
- NCHICA Annual Meeting, Identification and Management of Emerging Legal Risks in Social Media, September 26, 2011
- ISACA RTC Emerging Risks and Requirements in Information Privacy and Security, September 7, 2011
- NCTA Emerging Technologies & Trends Series “Connecting Your Workforce Through Mobile Apps”, Panel Moderator, June 23, 2011
- Peak 10 Presentation, Security Risk and Compliance in the Cloud, April 21, 2011
- East Coast Game Conference, Ten Steps to Avoid a Major Privacy or Security Breach, April 13, 2011
- State Capital Law Group Annual Meeting, Navigating Social Media on the Internet: Legal, Practical and Ethical Issues Involved When Deploying Online Resources in Your Legal Practice, March 18, 2011
- Twin Cities Privacy Retreat, “Risk of Harm” Considerations in Data-Breach Notification, February 25, 2011
- UNC Festival of Legal Learning, Privacy and Information Security for Legal Service Providers, February 11, 2011
- CPON: Data Privacy Day Symposium, Emerging Risk and Compliance as the Practice of Law Gets Social (Online), January 28, 2011
- Intellectual Exchange Group, CIO Roundtable on HIPAA Compliance, Panel Moderator, January 25, 2011
- Triangle Interactive Marketing Association Lunch and Learn, Ten Steps to Help Avoid a Major Privacy or Security Headache, January 12, 2011
- Advising the Business Owner Seminar, Emerging Privacy and Security Risks, November 18, 2010, December 1, 2010, and December 9, 2010
- Internet Summit 10, Ten Steps to Avoid a Major Privacy or Security Breach, November 17, 2010
- 11th Annual Cyber Security Symposium, UNC Charlotte, Legally-Defensible Security: What New Laws and Emerging Risks Mean for Your Information Security Program, November 2, 2010
- Association for Home and Hospice Care Annual Leadership Conference: It’s Not a Day at the Beach – HITECH: What Agencies Need to Know, October 19, 2010
- Nova E-Discovery Panel: Practical Guide to Corporate e-Discovery, October 5, 2010
- NCHICA Annual Meeting: HITECH Act Breach Notification – Preparing Effectively for Tomorrow’s Security Breach by Mitigating Today’s Risks, September 15, 2010
- NCTA Emerging Tech and Trends Panel, Cybersecurity, August 18, 2010
- Data Privacy Day: CPON Symposium – So Much for F2F: Privacy Compliance & Risk as Businesses Go Virtual, January 21, 2010