Industry Associations

  • International Association of Privacy Professionals (IAPP) — Certified Information Privacy Professional, United States (CIPP/US)
  • Information Systems Security Association (ISSA)

Bar & Court Admissions

  • State Bar of California
  • State Bar of Florida
  • State Bar of Tennessee
  • U.S. Court of Appeals for the Eleventh Circuit
  • U.S. District Courts for the Middle, Southern and Northern Districts of Florida
  • U.S. District Court for the Middle District of Tennessee

Community Involvement

  • All Children’s Hospital Foundation Development Council
  • Ronald McDonald House Charities of Tampa Bay


Vanderbilt University School of Law, J.D.

Vanderbilt University, M.A.

University of California at Santa Barbara, B.A.

Scott T. Lyon

Orange County
T: 714.557.7990
F: 714.557.7991

Scott T. Lyon is a partner in M&R's Orange County office. His expertise in technology, cybersecurity, and data privacy is particularly relevant given today’s business climate. In addition to evaluating and implementing effective information security practices, Scott also manages data breach responses and notifications for his clients, guiding them through the complicated state, federal, and international legal obligations that arise when a data breach occurs.

As both a lawyer and IT professional, Scott employs his legal and technical knowledge in counseling a wide range of organizations in an array of industries (including financial services, insurance, advertising, digital media, hospitality, technology, and retail) on improving their cybersecurity and data privacy programs and developing policies to quickly mitigate and recover from cyberattacks. While some law firms focus primarily on breach response, Scott and the M&R Cybersecurity & Privacy team leverage their technical expertise to offer the full spectrum of pre- and post-breach services: assisting clients in performing risk assessments, developing data governance policies, working with vendors and partners to establish third-party service provider security policies and contract terms, developing and testing incident response plans, assisting with breach response and notification, defending clients in data breach litigation, and building and implementing comprehensive organization-wide cybersecurity programs. Scott also helps clients comply with rapidly evolving cybersecurity and privacy regulations, including the New York Department of Financial Services (NY DFS) cybersecurity regulations, EU General Data Protection Regulation (GDPR), and others.

In the course of his career, Scott has been awarded numerous security and privacy certifications, including but not limited to CompTIA’s CySA+ (Cybersecurity Analyst), Security+, and A+ certifications, demonstrating IT mastery of cybersecurity technologies and practices. In addition, he has been designated as a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, United States (CIPP/US) by the International Association of Privacy Professionals (IAPP), designations bestowed upon professionals who have demonstrated broad knowledge and experience in U.S. privacy and security laws and regulations. On top of this, Scott is a Certified Information Privacy Technologist (CIPT), which reveals his proficiency in the technical implementation of IT and engineering technologies relating to privacy and security.

A reasoned and pragmatic lawyer to his core, Scott is a graduate of the University of South Florida Circuit Court Civil Mediation Training program and serves as a certified mediator for the U.S. District Court for the Middle District of Florida.

Awards & Recognitions

  • IT certifications: CompTIA CySA+ (Cybersecurity Analyst), CompTIA Security+, and CompTIA A+
  • Fellow of Information Privacy (FIP)
  • Certified Information Privacy Professional, United States (CIPP/US)
  • Certified Information Privacy Technologist (CIPT)

Representative Matters


  • Drafted data governance policies and privacy policies, and counseled numerous clients on data mapping and e-commerce platform revisions to comply with EU GDPR.
  • Assisted California health care provider in data breach investigation and notification.
  • Represented and advised national retailer in multi-state data breach notification resulting from data breach by third-party payment processing vendor.
  • Prepared risk assessment policy, cybersecurity program, data governance policy, and third-party service provider security policy for Fortune 100 company.
  • Counseled and prepared cybersecurity program policies for international IT development company.
  • Prepared incident response program for major national insurance carrier.
  • Revised privacy policies, terms and conditions and end-user license agreements and assisted with technology-based consumer rights issues on behalf of numerous international retailers.
  • Counseled multiple international retailers on complying with the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and state email advertising laws.
  • Negotiated sponsorship agreements between electronic funds transfer management company client and various sponsor banks.
  • Represented multiple information technology consulting clients in acquisition of established IT consulting firms.
  • Drafted vendor and subcontractor agreements for national information technology client, as well as employment agreements, non-competition agreements and various other transactional documents. Drafted and negotiated website and branding design agreements.
  • Obtained federal trademark registration for information technology consulting client despite opposition by international software giant.

Litigation and Regulatory

  • Obtained a significant judgment in Illinois in favor of a computer programmer working on a visa whose employer had stolen a considerable amount of his wages, and successfully defended the programmer against a subsequent breach of fiduciary duty action filed against him by the employer. 
  • Represented financial service and healthcare providers in investigating and responding to data breach incidents.
  • Represented client in responding to government inquiries regarding product data security.
  • Represented financial services provider in defending against derivative action suit by minority shareholder.
  • Represented national IT consulting firm in breach of contract suit against staffing provider for services performed on behalf of national bank.
  • Represented national IT consulting firm in collection action based on breach of master services agreement by former client. Successfully obtained arbitration award and payment for client in full amount of damages and attorneys’ fees.
  • Represented printing company against allegations of sexual harassment, gender discrimination and hostile work environment claims by former employee. Succeeded in obtaining summary judgment for client after demonstrating numerous inconsistencies in plaintiff’s deposition.
  • Represented national healthcare company in criminal investigation stemming from death of resident following treatment at client’s facility. Successfully settled potential claims after demonstrating insufficient evidence of alleged trauma.
  • Represented regional hospital in suit against document storage company that refused to release stored medical records unless hospital paid an exorbitant “release” fee. Obtained judgment awarding damages against storage company, as well as attorneys’ fees and costs.


Past Speaking Engagements