Photo of William C. Wagner

William C. Wagner

Subscribe to William C. Wagner's Posts

Bill is a seasoned trial lawyer who concentrates his practice on complex commercial litigation, environmental law, and white collar criminal defense. He holds the CIPP/G, CIPP/US, CPCU designations, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production, and serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.

Follow: Read more about William C. WagnerWilliam's Linkedin Profile

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks has increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Continue Reading Business owners’ insurance policy required to pay for computer damage from ransomware attack

In the summer of 2015, we cautioned that the Department of Defense’s (DoD’s) new cybersecurity regulations could be used offensively to support False Claims Act (FCA) cases and bid protests. Four years later, those premonitions have unfortunately come true. Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).

Continue Reading False Claims Act Case Based On DoD’s Cybersecurity Regulations Survives Motion to Dismiss

The Indiana Attorney General recently asserted a novel claim under the Indiana Deceptive Consumer Sales Act that, if successful, opens the door for data breach victims to file class action lawsuits and recover $500 or more per person in statutory damages and attorney’s fees. Damages can add up fast as a data breach involving 2,000 people could result in $1,000,000 in damages, not including attorney’s fees. Data breaches may also result in a lawsuit by the Attorney General for civil penalties, attorney fees, and injunctive relief. Now is the perfect time to consider hardening your company’s cyber security defenses and increasing your cyber insurance policy limits.

Continue Reading Indiana Business Owners May Now Face Million Dollar Lawsuits From Data Breach Victims

Rebekah Mackey, Taft summer associate, contributed to this article.

Just months after the European Union’s General Data Protection Regulation, or “GDPR” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.

The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.

Continue Reading So Goes California, So Goes the Country?: The Golden State Again Breaks New Privacy Law Ground

Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comments updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 F.R. 1941
Continue Reading GSA is Updating its Cybersecurity and Incident Reporting Requirements

There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technologies Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.”  The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in
Continue Reading NIST SP 800-171 Resources for Government Contractors

It seems like I get this question once every couple of months.

Hey Bill, my company just got sued. After paying premiums for years, I finally had to make a claim. My insurance company wrote me a “reservation of rights” letter. They offered to have one of their “panel counsel” defend my company, but then they listed 15 reasons why they don’t need to cover the lawsuit, including that there is no “covered claim,” the event was not an “occurrence”
Continue Reading When can a policyholder select defense counsel in Indiana?

A recent GAO decision denying a contractor’s protest because of cybersecurity concerns offers contractors four lessons on how to avoid making the same mistakes.

I.  Background Facts and Decision

Syneren Technologies Corporation was one of 20 contractors who responded to a Navy RFP to award an ID/IQ contract for IT systems and software to support human resource operations involving a variety of business enterprise services. The work was to be performed at a government facility and involved DoD and Navy

Continue Reading Selling Software to the Government: Four Cybersecurity Lessons from a Failed DoD Bid Protest

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data
Continue Reading Cybersecurity: An Affirmative Defense to Ohio Data Breach Negligence Claims

The recent sentencing of a former Boeing engineer for stealing trade secrets raised the question of whether a defense contractor has a duty to notify the Department of Defense (DoD) under the Safeguarding Covered Defense Information and Cyber Incident Reporting Regulation (DFARS 252.204-7012), when the contractor has knowledge that an employee may be stealing trade secrets.

1. The Sentencing of Mr. Justice for Economic Espionage and AECA and ITAR Violations.

Former Boeing Satellite Systems’ engineer and long-time employee Gregory Allen
Continue Reading What Are A Defense Contractor’s Reporting Obligations When An Employee May Be Stealing Trade Secrets?