- International Association of Privacy Professionals (IAPP) — Certified Information Privacy Professional, United States (CIPP/US)
- Information Systems Security Association (ISSA)
Bar & Court Admissions
- State Bar of California
- State Bar of Florida
- State Bar of Tennessee
- U.S. Court of Appeals for the Eleventh Circuit
- U.S. District Courts for the Middle, Southern and Northern Districts of Florida
- U.S. District Court for the Middle District of Tennessee
All Children’s Hospital Foundation Development Council
Ronald McDonald House Charities of Tampa Bay
Vanderbilt University School of Law, J.D.
Vanderbilt University, M.A.
University of California at Santa Barbara, B.A.
Scott T. Lyon
Scott T. Lyon is an M&R partner whose expertise in technology, cybersecurity and data privacy is particularly relevant given today’s business climate. In addition to evaluating and implementing effective information security practices, Scott also manages data breach responses and notifications for his clients, guiding them through the complicated state, federal and international legal obligations that arise when a data breach occurs.
As both a lawyer and IT professional, Scott employs his legal and technical knowledge in counseling a wide range of organizations in an array of industries (including financial services, insurance, advertising, digital media, hospitality, technology and retail) on improving their cybersecurity and data privacy programs and developing policies to quickly mitigate and recover from cyberattacks. While some law firms focus primarily on breach response, Scott and the M&R Cybersecurity & Privacy team leverage their technical expertise to offer the full-spectrum of pre- and post-breach services: assisting clients in performing risk assessments, developing data governance policies, working with vendors and partners to establish third party service provider security policies and contract terms, developing and testing incident response plans, assisting with breach response and notification, defending clients in data breach litigation, and building and implementing comprehensive organization-wide cybersecurity programs. Scott also helps clients comply with rapidly evolving cybersecurity and privacy regulations, including the New York Department of Financial Services (NY DFS) cybersecurity regulations, EU General Data Protection Regulation (GDPR) and others.
In the course of his career, Scott has been awarded numerous security and privacy certifications, including but not limited to CompTIA’s CySA+ (Cybersecurity Analyst), Security+, and A+ certifications, demonstrating IT mastery of cybersecurity technologies and practices. In addition, he has been designated as a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, United States (CIPP/US) by the International Association of Privacy Professionals (IAPP), bestowed upon professionals who have demonstrated broad knowledge and experience in U.S. privacy and security laws and regulations. On top of this, Scott is a Certified Information Privacy Technologist (CIPT) which reveals his proficiency in the technical implementation of IT and engineering technologies relating to privacy and security.
A reasoned and pragmatic lawyer to his core, Scott is a graduate of the University of South Florida Circuit Court Civil Mediation Training program and serves as a certified mediator for the U.S. District Court for the Middle District of Florida.
Awards & Recognitions
- IT certifications: CompTIA CySA+ (Cybersecurity Analyst), CompTIA Security+, and CompTIA A+
- Fellow of Information Privacy (FIP)
- Certified Information Privacy Professional, United States (CIPP/US)
- Certified Information Privacy Technologist (CIPT)
- Drafted data governance policies, privacy policies, and counselled numerous clients on data mapping and e-commerce platform revisions to comply with EU GDPR.
- Assisted California health care provider in data breach investigation and notification.
- Represented and advised national retailer in multi-state data breach notification resulting from data breach by third party payment processing vendor.
- Prepared risk assessment policy, cybersecurity program, data governance policy, and third party service provider security policy for Fortune 100 company.
- Counseled and prepared cybersecurity program policies for international IT development company.
- Prepared incident response program for major national insurance carrier.
- Revised privacy policies, terms and conditions and end-user license agreements and assisted with technology-based consumer rights issues on behalf of numerous international retailers.
- Counseled multiple international retailers on complying with the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and state email advertising laws.
- Negotiated sponsorship agreements between electronic funds transfer management company client and various sponsor banks.
- Represented multiple information technology consulting clients in acquisition of established IT consulting firms.
- Drafted vendor and subcontractor agreements for national information technology client, as well as employment agreements, non-competition agreements and various other transactional documents. Drafted and negotiated website and branding design agreements.
Obtained federal trademark registration for information technology consulting client despite opposition by international software giant.
Litigation and Regulatory
- Represented financial service and healthcare providers in investigating and responding to data breach incidents.
- Represented client in responding to government inquiries regarding product data security.
- Represented financial services provider in defending against derivative action suit by minority shareholder.
- Represented national IT consulting firm in breach of contract suit against staffing provider for services performed on behalf of national bank.
- Represented national IT consulting firm in collection action based on breach of master services agreement by former client. Successfully obtained arbitration award and payment for client in full amount of damages and attorneys’ fees.
- Represented printing company against allegations of sexual harassment, gender discrimination and hostile work environment claims by former employee. Succeeded in obtaining summary judgment for client after demonstrating numerous inconsistencies in plaintiff’s deposition.
- Represented national healthcare company in criminal investigation stemming from death of resident following treatment at client’s facility. Successfully settled potential claims after demonstrating insufficient evidence of alleged trauma.
- Represented regional hospital in suit against document storage company that refused to release stored medical records unless hospital paid an exorbitant “release” fee. Obtained judgment awarding damages against storage company, as well as attorneys’ fees and costs
- Digiday, March 27, 2018
- Law360, May 26, 2017
- Insurance Journal, October 10, 2018
- Risk Management, October 1, 2018
- PropertyCasualty360, March 20, 2018
- Hotel News Now, March 7, 2018
- Insurance Journal, January 31, 2018
- Insurance Journal, August 25, 2017
- Corporate Counsel, May 24, 2017
- California Legislature Takes Aim at IoT SecurityLaw360, April 12, 2017
- Cybersecurity Risks of Collaboration in the Construction IndustryUCON Magazine, April 1, 2017
- Law Firm Cyber IssuesSwiss Re Client Newsletter, March 31, 2017
- Are You a Cyber Target?Construction Business Owner Magazine, February 1, 2017
- New Jersey TCCWNA Developments Affecting Online RetailersSedgwick’s Cybersecurity Today Blog, November 21, 2016
- NY Cybersecurity Regs Could Spur Legal Work Nationwide Corporate CounselCorporate Counsel, October 1, 2016
- House Committee Report Details Extent of OPM Security Failures Resulting in Breach of Over 30 Million RecordsSedgwick’s Cybersecurity Today Blog, September 8, 2016
- Lessons from Ransomware Attacks on Healthcare ProvidersToday’s General Counsel, June 28, 2016
- The Encryption Debate Beyond the San Bernardino ShootersX, Summer 2016 editionABA Intellectual Property Law Committee, June 1, 2016
- Proposed Legislation Could Make It More Difficult for Law Enforcement to Identify Criminals Using Anonymizing TechnologySedgwick’s Cybersecurity Today Blog, May 23, 2016
Past Speaking Engagements
- Juvenile Products Manufacturers Association (JPMA)Webinar, October 3, 2018
- American Agents Alliance (AAA) Convention & ExpoPalm Desert, CA, September 22, 2018
- IAIR/AIRROC Current Issues Forum at the NAIC Summer National MeetingBoston, MA, August 5, 2018
- Finding Problems Before the Bad Guys: A Legal and Technical Discussion on Penetration Testing and Managed Security ServicesProperty Casualty Association of America (PCI) 29th Annual Western Region General Counsel SeminarSan Diego, CA, July 26, 2018
- Oh The Laws, They Are A Changin’: Evolving Cybersecurity & Privacy Regulations and Their Impact on Managing PrivacyInformation Systems Security Association (ISSA) of Orange County June MeetingIrvine, CA, June 14, 2018
- HMM, CPAs LLP 2017 Healthcare SummitMelville, NY, November 30, 2017
- American Agents Alliance (AAA) Convention and ExpoPalm Desert, CA, September 24, 2017
- Legal Hackers of Orange CountyIrvine, CA, September 18, 2017
- Property Casualty Insurers Association of America (PCI) ACIC General Counsel SeminarSan Diego, CA, July 27, 2017
- Louisiana Insurers' Conference (LIC) Annual Compliance Seminar & Legislative ReviewNew Orleans, LA, June 22, 2017
- Michelman & Robinson, LLP (M&R) Insurance Hot TopicsMay 2017
- The GDPR Comes to the Golden State July 2, 2018
- Cybersecurity Rules May Be Coming to a State Near You: South Carolina Enacts NAIC’s Model Law June 11, 2018
- Digital Switzerland June 4, 2018
- Forecast for Overseas Data: Partly Cloudy May 9, 2018
- Is a New Federal Standard for Breach Notification on the Horizon? April 9, 2018
- GDPR Compliance Strategy February 21, 2018
- With New York Cybersecurity Rules in Place, the NAIC Looks to Follow Suit September 25, 2017