Scott T. Lashway
Member / Co-Chair, Privacy & Cybersecurity Practice
+1.617.348.1833
Scott is a globally recognized privacy and cybersecurity disputes attorney who focuses his practice on the intersections of law, corporate data, and technology. A go-to advisor for significant disputes, corporate crises, and investigations, he also serves as Co-chair of Mintz’s Privacy & Cybersecurity Practice. Along with guiding clients through high-stakes incident response and breach investigations, complex and bet-the-company litigation, government investigations, and enforcement actions, he frequently provides strategic counsel on data management and technology development and use, including development and use of artificial intelligence. Scott represents clients in a range of industries, with a particular emphasis on health care, financial services, technology, artificial intelligence, and the media and adtech sectors.
Leveraging more than 20 years of experience with cybersecurity, privacy, and other technology matters, Scott partners with clients operating at the vanguard of technology implementation and development as well as new data uses. Along with advising on the rapid evolution of data governance, collection, and technology innovation, he helps navigate complex and novel data and privacy issues in AI and related technology development. His role often entails skillfully guiding clients through cybersecurity incident response and breach investigations as well as complex business and class action litigation. His extensive cybersecurity and privacy experience encompasses matters involving data and intellectual property (IP) theft and misappropriation, unauthorized access and acquisition, misuse, hacking, ransomware, cyberextortion, and technology disruptions. Scott’s greatest accomplishments for his clients are those that avoid headlines and are rarely — if ever — heard of.
Scott is recognized for his depth of knowledge and client service by various publications. He is ranked in Chambers Global, is identified as a leading cybersecurity incident response attorney globally by the Incident Response Forum, is recognized as a Client Service All-Star by BTI Consulting, and is identified as one of the 500 “Leading Litigators in America” by Lawdragon.
“Scott Lashway is a standout in many ways. His client service skills are the best in the business. He’s always responsive and meets our timelines, even when we have last-minute requests and escalated deadlines. He is incredibly knowledgeable and is able to see the big-picture legal risks that might otherwise require multiple attorneys in a variety of disciplines.”
— Client, Legal 500 Cyber Law (including Data Privacy and Data Protection).
In litigation involving privacy, cybersecurity, and a range of other complex issues, Scott has represented clients in state and federal courts nationwide and in various arbitration settings. He regularly serves as first-chair in trials and has significant experience defending and prosecuting bet-the-company and impactful litigation on behalf of companies and their officers and directors. In collaboration with white collar defense colleagues, he also oversees civil and criminal investigations. He regularly represents clients before various state and federal regulators, including the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), the Financial Industry Regulatory Authority (FINRA), state attorneys general, the New York Department of Financial Services (NYDFS), and the Federal Trade Commission (FTC).
Scott has advised clients on hundreds of proactive and reactive matters involving US and international privacy and security laws and obligations, both civil and criminal, since drafting his first privacy policy in 2001 and handling his first data-focused investigation in 2002. Through this work, he has gained a deep understanding of the intricacies of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), state privacy laws, HIPAA and state law equivalents, the Biometric Information Privacy Act (BIPA), the New York State Department of Financial Services (NYDFS) cybersecurity regulations, the Shield Act, the Computer Fraud and Abuse Act, the Stored Communications Act, and state law equivalents (including wiretap statutes). His regulatory knowledge also extends to the Securities and Exchange Commission and Financial Industry Regulatory Authority (FINRA) security and privacy laws, guidance, and obligations, as well as the Gramm-Leach-Bliley Act and the Federal Risk and Authorization Management Program. Additionally, he regularly handles matters involving state consumer protection statutes, including Massachusetts' Chapter 93A and compliance with the National Institute of Standards and Technology, SOC 2, ISO, HITRUST, and other security frameworks.
A sought-after thought leader in his field, Scott regularly writes and speaks on data privacy and cyber security issues, and counsels industry groups and stakeholders on data privacy and security trends. He also regularly receives recognition and accolades for his extensive knowledge and outstanding client service.
Prior to joining Mintz, Scott founded and opened the Boston office of a national firm. In addition to serving as the firm's Office Managing Partner, he co-led the firm’s global privacy and cybersecurity practice.
Experience
Featured Experience:
- Led a team representing an academic medical center throughout its response to and investigation of a widely reported cybersecurity matter, including advising on and managing the forensic investigation, crisis communications, litigation defense, regulatory interactions, law enforcement engagement, and all related matters.
- Served as lead counsel for a leading children's hospital, successfully defending allegations in a purported class action that alleged patient data was inappropriately accessed in violation of privacy and security disclosures. The case centered on a novel legal theory that a HIPAA Privacy Notice formed a contractual basis to bring actual and implied breaches of contract, a theory the court summarily rejected after significant oral argument.
- Serving as lead counsel for a global financial institution and asset manager in breach of contract and fraud litigation that involved more than 10 consolidated actions over a sizable asset.
- Represented a global data and technology company throughout an investigation of, and its response to, simultaneous intrusions by multiple nation-state attackers and various financially motivated threat actors.
- Secured dismissal of a purported class action for a surgical and medical facility in an issue of first impression in the US Court of Appeals for the Eleventh Circuit. The case concerned Article III standing requirements to plead harm in a case brought against a health care facility, which alleged that patient data had been accessed, stolen, and posted on the internet by a well-known threat actor.
Cybersecurity, Data Privacy, and Technology-Focused Matters
- Represented a health care analytics company and its business associate in its investigation of and response to a reported security compromise and reported breach by a vendor.
- Defended a global data and technology company in a Delaware Chancery Court action related to data quality and integrity that was brought by a competitor.
- Led a team representing a global biotechnology company in investigating and defending against a cyberattack by a sophisticated threat actor. This matter involved extensive interaction with various US agencies and law enforcement.
- Represented a start-up multimedia company with an international audience against allegations involving data theft and raiding in a state court litigation, proactively advancing cyber espionage claims against former executives and employees.
- Represented a leading publisher of legal, business, and regulatory information as a plaintiff in a federal court case alleging the unauthorized taking of millions of dollars of protected data through an online portal using a bot, or “data scraper.”
- Obtained dismissal on matters of first impression for a global risk intelligence company in a purported class action alleging violation of state law concerning the alleged display of consumers' Social Security numbers. Also secured appellate victories upholding dismissal up to the state's highest court and established jurisdiction of a purported class action in the state's complex business session.
- Secured a complete defense verdict for a multichannel media company after a two-week federal court bench trial involving allegations of IP rights violations and Massachusetts consumer protection laws.
- Conducted an internal investigation and cyber incident response for a global retail chain focusing on concerns of credit card theft spanning four continents.
- Advised various clients on federal and state wiretapping statutes related to website pixels, cookies, tracking technologies, and chatbots. This work has included defending a healthtech provider in federal court litigation concerning alleged wiretapping violations through the deployment of social media pixels on its website, defending a national retailer in litigation regarding alleged wiretapping violations involving the deployment of a leading chatbot on its website, and advising health care companies on complying with recent US Department of Health and Human Services guidance as to the application of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule to website tracking technology.
- Counseled a health care claims and analytics company in its response to a publicly reported cybersecurity matter from a key vendor providing cybersecurity and privacy-related services, including advising on investigation and reporting obligations to hundreds of downstream vendors.
- Defended numerous clients in lawsuits brought by Atlas Data Privacy Corporation and others asserting violations of New Jersey's Daniel's Law, NJ Statutes section 56:8-166.1, which relates to the privacy of judicial officers and the online publication of data about law enforcement personnel.
- Represented a cloud e-commerce platform company in its response to multiple cybersecurity incidents involving alleged credit card data theft and misuse as well as in a privacy class action filed in Delaware.
- Advised a biotechnology and therapeutics company in its response to reports of hacking of its patient technology, which entailed an investigation and reporting to the FDA.
- Advised a Big 4 accounting firm on numerous security and privacy matters.
- Represented a health information cloud provider throughout its investigation and remediation of a ransomware attack that encrypted thousands of patient records.
- Advised a global health care company on matters related to a material joint venture with a pharmaceutical company, developing a privacy and security framework in compliance with laws from 50+ jurisdictions.
- Represented an adtech company in connection with the collection, processing, and transfer of data across dozens of global jurisdictions, which included data transfers into and out of the US.
- Advised a real estate and property tech (proptech) industry group and its global members on the California Consumer Privacy Act (CCPA) through white papers and industry presentations and in presenting comments on the CCPA regulations.
- Oversaw an internal investigation and incident response for a global restaurant chain in connection with concerns of credit card theft involving the potential exposure of millions of cards.
- Represented individuals accused in a federal court action of violating the Computer Fraud and Abuse Act and the Stored Communications Act as part of an alleged scheme to clone a state-owned petrochemical company's electronic infrastructure.
- Counseled a global financial services company on the redesign and rebuild of its digital forensics and cybersecurity functions to increase the company's efficiency and efficacy in response to disputes, investigations, and compliance risks.
- Advised one of the world's largest technology companies on the development and drafting of data privacy and security addendums focused on hardware and software, which reflect new privacy obligations and potential security-related liability.
- Advised an e-gaming company in connection with global cybersecurity and privacy risks and obligations in a potential transaction.
- Counseled a defense contractor on the containment and remediation of a ransomware attack that impacted the company's production and assembly operations and reported information pursuant to federal defense contractor obligations.
- Advised a professional services firm in an investigation of a business email compromise involving dozens of employees, which compromised the data for various firm clients.
Business Litigation, Financial Institution Litigation, Class Actions and Crisis Management
- Obtained a defense verdict as first-chair trial counsel for a start-up media company, prevailing on all counts after a two-week federal court bench trial involving allegations of violations of intellectual property rights and a Massachusetts consumer protection statute.
- Defended a Fortune 100 life insurance company in a purported class action that challenged the company's retention of surplus profits and its alleged noncompliance with Massachusetts law concerning the distribution of dividends to policy owners, with alleged damages of billions of dollars.
- Represented a mutual life insurance company — and obtained a motion-to-dismiss victory — in a purported class action, which concerned the company's corporate governance and members' voting rights to elect the company's board of directors. The case presented matters of first impression under Massachusetts law and ultimately upheld the company's 160-year-old practice.
- Defended a financial services company in a purported class action that challenged the legality of the company's bylaws and certain amendments, which raised matters of first impression, and provided guidance to the company and its board of directors on a second round of bylaw amendments.
- Counseled a foreign-based asset manager and its US parent company on the acquisition of a Korean asset manager, serving as the parent company's representative in Korea throughout the process of gaining regulatory approval from the Korean government.
- Represented a global pharmacy chain in litigation defending allegations related to alleged Telephone Consumer Protection Act violations.
Internal Investigations, Government Enforcement, and White Collar Defense
- Advising a global medical technology company in its response to multiple subpoenas stemming from a DOJ investigation of third parties' alleged Medicare fraud schemes relating to genetic testing.
- Advised a global company in its investigation of the offboarding of employees suspected of raiding the company’s customer information, trade secrets, and proprietary information.
- Led an investigation of accounting irregularities for a start-up technology company preparing for an initial public offering (IPO) or acquisition.
- Resolved an SEC enforcement matter and other regulatory inquiries — stemming from allegations of a purported Dodd-Frank Act whistleblower — related to the disclosure of certain variable annuity features on behalf of a life insurance company.
- Represented financial service companies, including life insurance companies and broker-dealers, in connection with regulatory inquiries involving alleged sales practice violations as well as product design and disclosure matters. These engagements involved interacting with the SEC, FINRA, and state regulatory authorities (including the Massachusetts Division of Securities, the Massachusetts Division of Insurance, the Massachusetts Attorney General, and the NYDFS).
Viewpoints
String Of Numbers Or Identifier: The Ninth Circuit Weighs In On BIPA’s Application To Non-Users
October 17, 2024 | Blog | By Scott Lashway, Matthew Stein
In June, the U.S. Court of Appeals for the Ninth Circuit affirmed a social media company’s summary judgment win on BIPA claims, in a sophisticated ruling providing a plausible path forward for technology companies and others offering facial matching services.
Healthcare Provider Beware: Massachusetts Federal Court Largely Permits Tracking Technologies and Wiretapping Claims To Proceed
May 16, 2024 | Blog | By Scott Lashway, Matthew Stein
News & Press
Thirteen Mintz attorneys named to Lawdragon’s 2025 “Leading Litigators in America” list
September 12, 2024
Thirteen Mintz attorneys have been named to Lawdragon’s 2025 “Leading Litigators in America.” The list honors the “best litigators the US has to offer – in antitrust, intellectual property, white collar and investigations, securities and corporate governance litigation, and a vast array of class actions, product liability and other complex civil litigation,” according to the publication.
FCA Settlements Demonstrate Importance of Cybersecurity Controls Imposed by Contract
August 20, 2024
Members Scott Lashway, Laurence Freedman, and Special Counsel Matthew Stein published an article in Bloomberg Law about how recent False Claims Act (FCA) settlements show a focus on cybersecurity enforcement. In the article, they outline how organizations with government contracts can mitigate the risk of cybersecurity-related FCA investigations and litigation.
The Best Lawyers in America 2025 Recognizes 184 Mintz Attorneys across 56 Practice Areas
August 15, 2024
187 Mintz attorneys have been recognized by Best Lawyers® in the 2025 edition of The Best Lawyers in America©. Notably, three Mintz attorneys received 2025 “Lawyer of the Year” awards, and 64 firm attorneys were included in the 2025 edition of Best Lawyers: Ones to Watch.
Mintz announced today that 42 of its practices and 83 of its attorneys earned recognition in the 2024 edition of Chambers USA, a guide to the country’s leading law firms. Of those included in the guide, 18 attorneys and seven practice areas were awarded Chambers’ highest ranking, Band 1. The firm obtained new listings in three practice areas and 10 of its lawyers were recognized for the first time.
The Boston Business Journal covered the arrival of Members Scott Lashway and Chris Lisy to the firm’s Data & Privacy Litigation and Investigations Practice. Scott will serve as the Co-chair of the Privacy & Cybersecurity practice.
Mintz announces that two new Members, Scott Lashway and Chris Lisy, have joined the firm’s Boston office in its Data & Privacy Litigation and Investigations Practice.
Events & Speaking
Understanding Business Email Compromise Fraud and Its Legal Fallout
Hosted by the Boston Bar Association
16 Beacon Street, Boston, MA 02108
Publications
- Author, “Massachusetts' march to comprehensive privacy legislation: an end-of-year update,” Massachusetts Lawyers Weekly (January 2024)
- Co-author, “How SEC And NY Cyber Reporting Rules Affect Key Industries,” Law360 (December 2023)
- Co-author, “Navigating the HIPAA Risks of Website Trackers,” Privacy and Cybersecurity Law Report (June 2023)
- Co-author, “Chapter 7: Telehealth and digital health privacy regulations,” Diabetes Digital Health and Telehealth (2022)
- Co-author, “Signs Inscribed on a Gate: The Impact of Van Buren v. United States on Civil Claims Under the Computer Fraud and Abuse Act,” Western New England Law Review (2022)
- Co-author, “Data — and data protection — is key to digital strategies,” Sports Business Journal (November 2021)
- Co-author, “Considerations in Machine Learning-Led Programmatic Underwriting,” Rail: The Journal of Robotics, Artificial Intelligence & Law, Volume 4, No. 4 (May 2021)
- Co-author, “Addressing The Security Risks Of University Foreign Funding,” Law360 (January 2021)
- Co-author, “The California Privacy Rights Act Has Passed: What's In It?,” Pratt's Privacy & Cybersecurity Law Report (November/December 2020)
- Co-author, “An Intersection Between Ransomware and U.S. National Security: OFAC Speaks,” Corporate Compliance Insights (October 2020)
- Co-author, “Conducting Internal Investigations During the COVID-19 Pandemic,” Law Journal Newsletters' Business Crimes Bulletin (March 2020)
- Co-author, “COVID-19: Evolving Cybersecurity Considerations for Business,” Corporate Compliance Insights (March 2020)
- Co-author, “6 Changes In California's New Draft Privacy Regulations,” Law360 (March 2020)
Recognition & Awards
Chambers Global: Privacy & Data Security (2024)
Chambers USA: Privacy & Data Security: Healthcare – National (2023-2024)
Cybersecurity Docket: Incident Response 40 (2022)
Massachusetts Lawyers Weekly: Go-To Lawyers: Cybersecurity and Data Privacy (2022, 2024)
Lawdragon: “500 Leading Litigators in America” (2022 and 2024-2025)
BTI Consulting: Client Service All-Star (2022)
Best Lawyers in America: Privacy and Data Security Law (2021 – 2025)
Best Lawyers in America: Commercial Litigation (2023 – 2024)
Massachusetts Supreme Judicial Court – Pro Bono Honor Roll (2020)
Involvement
- Advisory Council, Woods College of Advancing Studies, Cybersecurity and Governance Master’s Program, Boston College (2017 – present)
- Advisory Council, New England Legal Foundation (2016 – present)
- Board Member, New England Legal Foundation (2015 – 2016)
- Member, Cybersecurity & Privacy Editorial Advisory Board, Law360
- Member, Board of Advisors, Boston Symphony Orchestra