Skip to main content

Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice

[email protected]



Leveraging more than 20 years of experience with cybersecurity, privacy, and other technology matters, Scott partners with clients operating at the vanguard of technology implementation and development as well as new data uses. Along with advising on the rapid evolution of data governance, collection, and technology innovation, he helps navigate complex and novel data and privacy issues in Al and related technology development. His role often entails skillfully guiding clients through cybersecurity incident response and breach investigations as well as complex business and class action litigation. His extensive cybersecurity and privacy experience encompasses matters involving data and intellectual property (IP) theft and misappropriation, unauthorized access and acquisition, misuse, hacking, ransomware, cyberextortion, and technology disruptions. Scott’s greatest accomplishments for his clients are those that avoid headlines and are rarely — if ever — heard of.


Scott is recognized for his depth of knowledge and client service by various publications. He is ranked in Chambers Global, is identified as a leading cybersecurity incident response attorney globally by the Incident Response Forum, is recognized as a Client Service All-Star by BTI Consulting, and is identified as one of the 500 “Leading Litigators in America” by Lawdragon.

“Scott Lashway is a standout in many ways. His client service skills are the best in the business. He’s always responsive and meets our timelines, even when we have last-minute requests and escalated deadlines. He is incredibly knowledgeable and is able to see the big-picture legal risks that might otherwise require multiple attorneys in a variety of disciplines.”


— Client, Legal 500 Cyber Law (including Data Privacy and Data Protection).

In litigation involving privacy, cybersecurity, and a range of other complex issues, Scott has represented clients in state and federal courts nationwide and in various arbitration settings. He regularly serves as first-chair in trials and has significant experience defending and prosecuting bet-the-company and impactful litigation on behalf of companies and their officers and directors. In collaboration with white collar defense colleagues, he also oversees civil and criminal investigations. He regularly represents clients before various state and federal regulators, including the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), the Financial Industry Regulatory Authority (FINRA), state attorneys general, the New York Department of Financial Services (NYDFS), and the Federal Trade Commission (FTC). 


Scott has advised clients on hundreds of proactive and reactive matters involving US and international privacy and security laws and obligations, both civil and criminal, since drafting his first privacy policy in 2001 and handling his first data-focused investigation in 2002. Through this work, he has gained a deep understanding of the intricacies of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), state privacy laws, HIPAA and state law equivalents; the Biometric Information Privacy Act (BIPA), the New York State Department of Financial Services (NYDFS) cybersecurity regulations, the Shield Act, the Computer Fraud and Abuse Act, the Stored Communications Act, and state law equivalents (including wiretap statutes). His regulatory knowledge also extends to the Securities and Exchange Commission and Financial Industry Regulatory Authority (FINRA) security and privacy laws, guidance, and obligations, as well as the Gramm-Leach-Bliley Act and the Federal Risk and Authorization Management Program. Additionally, he regularly handles matters involving state consumer protection statutes, including Massachusetts' Chapter 93A and compliance with the National Institute of Standards and Technology, SOC 2, ISO, HITRUST, and other security frameworks.


A sought-after thought leader in his field, Scott regularly writes and speaks on data privacy and cyber security issues, and counsels industry groups and stakeholders on data privacy and security trends. He also regularly receives recognition and accolades for his extensive knowledge and outstanding client service. 


Prior to joining Mintz, Scott founded and opened the Boston office of a national firm. In addition to serving as the firm's Office Managing Partner, he co-led the firm’s global privacy and cybersecurity practice. Earlier, while practicing at a multinational law firm, he co-chaired the data privacy and cybersecurity team. Scott also previously worked as senior in-house counsel and head of investigations for a Fortune 100 global financial services company, where he oversaw investigations, implementation of anti-fraud controls, and related training.


Featured Experience:

  • Led a team representing an academic medical center throughout its response to and investigation of a widely reported cybersecurity matter, including advising on and managing the forensic investigation, crisis communications, litigation defense, regulatory interactions, law enforcement engagement, and all related matters.
  • Served as lead counsel for a leading children's hospital, successfully defending allegations in a purported class action that alleged patient data was inappropriately accessed in violation of privacy and security disclosures. The case centered on a novel legal theory that a HIPAA Privacy Notice formed a contractual basis to bring actual and implied breaches of contract, a theory the court summarily rejected after significant oral argument.
  • Serving as lead counsel for a global financial institution and asset manager in breach of contract and fraud litigation that involved more than 10 consolidated actions over a sizable asset.
  • Represented a global data and technology company throughout an investigation of, and its response to, simultaneous intrusions by multiple nation-state attackers and various financially motivated threat actors.
  • Secured dismissal of a purported class action for a surgical and medical facility in an issue of first impression in the US Court of Appeals for the Eleventh Circuit. The case concerned Article III standing requirements to plead harm in a case brought against a health care facility, which alleged that patient data had been accessed, stolen, and posted on the internet by a well-known threat actor.

Cybersecurity, Data Privacy, and Technology-Focused Matters

  • Represented a health care analytics company and its business associate in its investigation of and response to a reported security compromise and reported breach by a vendor.
  • Defended a global data and technology company in a Delaware Chancery Court action related to data quality and integrity that was brought by a competitor.
  • Led a team representing a global biotechnology company in investigating and defending against a cyberattack by a sophisticated threat actor. This matter involved extensive interaction with various US agencies and law enforcement.
  • Represented a start-up multimedia company with an international audience against allegations involving data theft and raiding in a state court litigation, proactively advancing cyber espionage claims against former executives and employees.
  • Represented a leading publisher of legal, business, and regulatory information as a plaintiff in federal court case alleging the unauthorized taking of millions of dollars of protected data through an online portal using a bot, or "data scraper.”
  • Obtained dismissal on matters of first impression for a global risk intelligence company in a purported class action alleging violation of state law concerning the alleged display of consumers' Social Security numbers. Also secured appellate victories upholding dismissal up to the state's highest court and established jurisdiction of a purported class action in the state's complex business session.
  • Secured a complete defense verdict for a multichannel media company after a two-week federal court bench trial involving allegations of IP rights violations and Massachusetts consumer protection laws.
  • Conducted an internal investigation and cyber incident response for a global retail chain focusing on concerns of credit card theft spanning four continents.
  • Advised various clients on federal and state wiretapping statutes related to website pixels, cookies, tracking technologies, and chatbots. This work has included defending a healthtech provider in federal court litigation concerning alleged wiretapping violations through the deployment of social media pixels on its website, defending a national retailer in litigation regarding alleged wiretapping violations involving the deployment of a leading chatbot on its website, and advising health care companies on complying with recent US Department of Health and Human Services guidance as to the application of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule to website tracking technology.
  • Counseled a health care claims and analytics company in its response to a publicly reported cybersecurity matter from a key vendor providing cybersecurity and privacy-related services, including advising on investigation and reporting obligations to hundreds of downstream vendors.
  • Defended numerous clients in lawsuits brought by Atlas Data Privacy Corporation and others asserting violations of New Jersey's Daniel's Law, NJ Statutes section 56:8-166.1, which relates to the privacy of judicial officers and the online publication of data about law enforcement personnel.
  • Represented a cloud e-commerce platform company in its response to multiple cybersecurity incidents involving alleged credit card data theft and misuse as well as in a privacy class action filed in Delaware.
  • Advised a biotechnology and therapeutics company in its response to reports of hacking of its patient technology, which entailed an investigation and reporting to the FDA.
  • Advised a Big 4 accounting firm on numerous security and privacy matters.
  • Represented a health information cloud provider throughout its investigation and remediation of a ransomware attack that encrypted thousands of patient records.
  • Advised a global health care company on matters related to a material joint venture with a pharmaceutical company, developing a privacy and security framework in compliance with laws from 50+ jurisdictions.
  • Represented an adtech company in connection with the collection, processing, and transfer of data across dozens of global jurisdictions, which included data transfers into and out of the US.
  • Advised a real estate and property tech (proptech) industry group and its global members on the California Consumer Privacy Act (CCPA) through white papers and industry presentations and in presenting comments on the CCPA regulations.
  • Oversaw an internal investigation and incident response for a global restaurant chain in connection with concerns of credit card theft involving the potential exposure of millions of cards.
  • Represented individuals accused in a federal court action of violating the Computer Fraud and Abuse Act and the Stored Communications Act as part of an alleged scheme to clone a state-owned petrochemical company's electronic infrastructure.
  • Counseled a global financial services company on the redesign and rebuild of its digital forensics and cybersecurity functions to increase the company's efficiency and efficacy in response to disputes, investigations, and compliance risks.
  • Advised one of the world's largest technology companies on the development and drafting of data privacy and security addendums focused on hardware and software, which reflect new privacy obligations and potential security-related liability.
  • Advised an e-gaming company in connection with global cybersecurity and privacy risks and obligations in a potential transaction.
  • Counseled a defense contractor on the containment and remediation of a ransomware attack that impacted the company's production and assembly operations and reported information pursuant to federal defense contractor obligations.
  • Advised a professional services firm in an investigation of a business email compromise involving dozens of employees, which compromised the data for various firm clients.

Business Litigation, Financial Institution Litigation, Class Actions and Crisis Management

  • Obtained a defense verdict as first-chair trial counsel for a start-up media company, prevailing on all counts after a two-week federal court bench trial involving allegations of violations of intellectual property rights and a Massachusetts consumer protection statute.
  • Defended a Fortune 100 life insurance company in a purported class action that challenged the company's retention of surplus profits and its alleged noncompliance with Massachusetts law concerning the distribution of dividends to policy owners, with alleged damages of billions of dollars.
  • Represented a mutual life insurance company — and obtained a motion-to-dismiss victory — in a purported class action, which concerned the company's corporate governance and members' voting rights to elect the company's board of directors. The case presented matters of first impression under Massachusetts law and ultimately upheld the company's 160-year-old practice.
  • Defended a financial services company in a purported class action that challenged the legality of the company's bylaws and certain amendments, which raised matters of first impression, and provided guidance to the company and its board of directors on a second round of bylaw amendments.
  • Counseled a foreign-based asset manager and its US parent company on the acquisition of a Korean asset manager, serving as the parent company's representative in Korea throughout the process of gaining regulatory approval from the Korean government.
  • Represented a global pharmacy chain in litigation defending allegations related to alleged Telephone Consumer Protection Act violations.

Internal Investigations, Government Enforcement, and White Collar Defense

  • Advising a global medical technology company in its response to multiple subpoenas stemming from a DOJ investigation of third parties' alleged Medicare fraud schemes relating to genetic testing.
  • Advised a global company in its investigation of the offboarding of employees suspected of raiding the company’s customer information, trade secrets, and proprietary information.
  • Led an investigation of accounting irregularities for a start-up technology company preparing for an initial public offering (IPO) or acquisition.
  • Resolved an SEC enforcement matter and other regulatory inquiries — stemming from allegations of a purported Dodd-Frank Act whistleblower — related to the disclosure of certain variable annuity features on behalf of a life insurance company.
  • Represented financial service companies, including life insurance companies and broker-dealers, in connection with regulatory inquiries involving alleged sales practice violations as well as product design and disclosure matters. These engagements involved interacting with the SEC, FINRA, and state regulatory authorities (including the Massachusetts Division of Securities, the Massachusetts Division of Insurance, the Massachusetts Attorney General, and the NYDFS).
Read less


  • Author, "Massachusetts' march to comprehensive privacy legislation: an end-of-year update,” Massachusetts Lawyers Weekly (January 2024)
  • Co-author, "How SEC And NY Cyber Reporting Rules Affect Key Industries," Law360 (December 2023)
  • Co-author, "Navigating the HIPAA Risks of Website Trackers,” Privacy and Cybersecurity Law Report (June 2023)
  • Co-author, "Chapter 7: Telehealth and digital health privacy regulations,” Diabetes Digital Health and Telehealth (2022)
  • Co-author, "Signs Inscribed on a Gate: The Impact of Van Buren v. United States on Civil Claims Under the Computer Fraud and Abuse Act,” Western New England Law Review (2022)
  • Co-author, "Data — and data protection — is key to digital strategies,” Sports Business Journal (November 2021)
  • Co-author, "Considerations in Machine Learning-Led Programmatic Underwriting,” Rail: The Journal of Robotics, Artificial Intelligence & Law, Volume 4, No. 4 (May 2021)
  • Co-author, "Addressing The Security Risks Of University Foreign Funding,” Law360 (January 2021)
  • Co-author, "The California Privacy Rights Act Has Passed: What's In It?," Pratt's Privacy & Cybersecurity Law Report (November/December 2020)
  • Co-author, "An Intersection Between Ransomware and U.S. National Security: OFAC Speaks,” Corporate Compliance Insights (October 2020) 
  • Co-author, "Conducting Internal Investigations During the COVID-19 Pandemic,” Law Journal Newsletters' Business Crimes Bulletin (March 2020)
  • Co-author, " COVID-19: Evolving Cybersecurity Considerations for Business,” Corporate Compliance Insights (March 2020)
  • Co-author, "6 Changes In California's New Draft Privacy Regulations,” Law360 (March 2020)
Read less

Recognition & Awards

  • Chambers Global: Privacy & Data Security (2024)

  • Chambers USA: Privacy & Data Security: Healthcare – National (2023-2024)

  • Cybersecurity Docket: Incident Response 40 (2022)

  • Massachusetts Lawyers Weekly: Go-To Lawyers: Cybersecurity and Data Privacy (2022, 2024)

  • Lawdragon: “500 Leading Litigators in America” (2022 and 2024)

  • BTI Consulting: Client Service All-Star (2022)

  • Best Lawyers in America: Privacy and Data Security Law (2021– 2024)

  • Best Lawyers in America: Commercial Litigation (2023 – 2024)

  • Massachusetts Supreme Judicial Court – Pro Bono Honor Roll (2020)

Read less

Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice