Scott Lashway

Partner, Manatt, Phelps & Phillips

Scott Lashway is the managing partner of Manatt’s Boston office and co-leader of Manatt’s privacy and cybersecurity practice group. He has established himself as one of the nation’s leading cybersecurity and data privacy advisors as well as a go-to counsel for significant disputes and investigations.

Focusing much of his practice on the intersections of law, corporate data and technology, Scott is well known for advising clients to anticipate and manage data governance, privacy and security risks across a variety of industries by deftly guiding them through proactive advisory work, incident response and breach investigations, litigation, and government investigations and enforcement actions. His work on cybersecurity and privacy matters dates back two decades and includes a wide variety of matters, including data and intellectual property (IP) misappropriation; unauthorized access, acquisition and misuse; hacking; and technology disruptions.

While Scott represents clients in a large range of industries, he has a significant focus on the health care, financial services and technology sectors. For years, Scott has advised clients at the forefront of technology implementation and development as well as new data uses, which uniquely qualifies Scott to navigate complex and unprecedented data and privacy issues in Web3 and the metaverse. Scott’s greatest accomplishments for his clients are those that avoid headlines and are rarely—if ever—heard of.

Examples of Scott’s representations include:

• Representing a leading children’s hospital in defending against allegations in a purported class action in state court alleging that patient data was inappropriately accessed in violation of privacy and security disclosures.
• For a global financial institution and asset manager, served as coordinating counsel in breach of contract litigation involving ten consolidated actions, including handling all discovery (~100 depositions) and data handling obligations for the outside counsel team.
• Represented a global data and technology company in an investigation of, and an incident response to, simultaneous intrusions by multiple nation-state attackers and numerous financially motivated threat actors.
• For a surgery and medical facility, obtained dismissal of a purported class action in an issue of first impression in the Eleventh Circuit, concerning Article III standing requirements to plead harm, brought against a health care facility alleging that patient data had been accessed, stolen and posted to the Internet by a well-known threat actor.
• Led a team representing a global biotechnology company, involved in the strategic development of therapeutics, in investigating and defending against a cyberattack by a highly sophisticated, well-resourced threat actor. This matter involved close interaction with various U.S. agencies and law enforcement.
• Represented a startup multimedia company with an international following against allegations involving data theft and raiding in a state court litigation, and proactively pursued claims concerning cyber espionage against former executives and employees.
• Represented a leading publisher of legal, business and regulatory information as a plaintiff in federal court alleging the unauthorized taking of millions of dollars of protected data scraped through an online portal using a bot or “data scraper.”
• On behalf of a global risk intelligence company, obtained dismissal on matters of first impression of a purported class action alleging violation of state law regarding the alleged display of consumers’ Social Security numbers, obtained appellate victories upholding dismissal up to the state’s highest court and established jurisdiction of a purported class action in the state’s complex business session as a matter of first impression.
• On behalf of a multichannel media company, secured a defense verdict on all counts after a two-week federal court bench trial involving allegations of IP rights violations and Massachusetts’ consumer protection laws.
• For a global retail chain, conducted an internal investigation and cyber incident response spanning four continents involving concerns of credit card theft.

Having drafted his first privacy policy in 2001 and having handled his first data destruction investigation in 2002, Scott has advised clients on hundreds of proactive and reactive matters involving U.S. and international privacy and security laws and obligations (civil and criminal), including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA); HIPAA and state law equivalents; the Biometric Information Privacy Act (BIPA); the New York State Department of Financial Services (NYDFS) cybersecurity regulations and the SHIELD Act; the Computer Fraud and Abuse Act, the Stored Communications Act and state law equivalents; SEC and Financial Industry Regulatory Authority (FINRA) security guidance and privacy obligations; the Gramm-Leach-Bliley Act; FedRAMP and state consumer protection statutes, including Massachusetts’ Chapter 93A; and compliance with National Institute of Standards and Technology, SOC 2, HITRUST and other security frameworks.

Scott routinely counsels industry groups and leading industry participants on data privacy and security trends, serves as a sounding board to many, and is a member of Law360’s Cybersecurity & Privacy Editorial Advisory Board. Earlier in his career, Scott worked as senior in-house counsel and head of investigations for a Fortune 100 global financial services company.