Spider Monkeys, Ponies and Lawyers, Oh My!
Roundtable attendees take in gravity of operational risk, noncompliance exposure.
Move over, seeing eye dogs: Authorized service animals today include diaper-clad spider monkeys and house-broken miniature horses.
There’s never a dull moment when exploring risk and liability issues, as 23 retailer and sponsor attendees discovered this past spring at CSP’s 10th annual Leadership and Crisis Prevention Forum, held in New Orleans.
Speakers covered topics ranging from business interruption to product liability, and the Americans with Disabilities Act (ADA) to Payment Card Industry (PCI) compliance, with retailers sharing liability-related stories and how their chains handle different areas of exposure.
The latest version of ADA mandates is a 300-page document with seemingly endless layers of detail, according to David Mordick, maintenance, construction and environmental compliance manager for Robinson Oil Co., Santa Clara, Calif.
“Service animals are no longer limited to dogs, so, for example, people in a wheelchair can use a spider monkey that’ll climbs shelves to get items; or people can use a [waist-high] miniature horse to help them stand if they have vertigo,” Mordick said, citing a detail in the law that may offer retailers respite. “But employees can ask the horse’s owner if the animal is housebroken.”
In addition to ADA complexities, speakers focused on a number of concerns:
- Product Liability: With so many foreign manufacturers and imports entering the United States with little to no oversight, local retailers are becoming the target for product-related lawsuits, which hold them accountable for everything from health violations to false advertising.
- Cybercrime Liability: Data breaches and noncompliance with PCI standards are a growing issue.
- Business Interruption: Retailers may not realize the kinds of losses they can incur—other than physical property—when business stops due to an act-of-nature event.
- Professional Liability: Retailers can be exposed due to employee misconduct or company mismanagement.
Stories ranged from manufacturers caving in to class-action suits to one retailer’s recollection of someone suing the chain even though that same individual was caught on video stealing.
These days, legal precedent is putting retailers in the crosshairs. “If you’re in the supply chain, you’re on the hook,” said Steve Burkhart, vice president and general counsel for BIC Corp., Shelton, Conn., explaining that pinpointing a responsible party is increasingly difficult and, as a result, courts and legislators are focusing on retailers. “Things are so different now.”
A combination of trends is saddling retailers with liability for hazardous or defective products, Burkhart said. First, c-stores and retailers in general have grown both in numbers and revenue over the past decades, with 14 retailers making Forbes’ list of the top 75 companies last year. The increased visibility attracts lawsuits.
Government entities have also connected the dots from retailer to product. For instance, the Consumer Product Safety Commission has mandated that retailers and other sellers notify it of hazardous or defective products, and required they follow set rules and deadlines. Just last year, 10 companies were penalized $4 million for inadequately reporting product defects.
Most concerning for Burkhart is that in 2008, four executives from a U.S. importing firm were indicted on criminal charges, a precedent that puts a retailer’s liberty at risk.
Much of the problem stems from imported goods, which in some countries receive little to no manufacturing supervision. When consumers fall victim to a faulty or unhealthy product, the governments of these countries fail to allow for recourse. This scenario leaves the seller or retailer the only tie to liability.
Along these lines, another area of imminent concern is private-label goods, Burkhart said. A number of retailers have publicly committed to the expansion of private-label lines. In that scenario, not only are health standards an issue, but so are patent infringements, for which sellers are being held responsible.
In one example, Burkhart said companies in China are being accused of flooding the U.S. market with its oversupply of honey, allegedly made with harmful products and without regard to processing standards. To get around restrictions, importers will often repackage the product, disguising its origin and thereby exposing the retailer to liability.
Burkhart described an “arrogance” that translates into illegal honey coming in through India or Malaysia, with for eign manufacturers substituting paperwork, disguising barrels by painting them a legal color or removing elements so its roots can’t be traced.
With the trail of responsibility passing through if not ending with the retailer, Burkart insisted that retailers take an honest look at their exposure and implement best practices to reduce risk.
While tracking the origins of physical product is important, so is assessing the vulnerability of a company’s electronic network. Phil Kenealy, president of ACES, a Cedar Falls, Iowa-based data security and analysis firm, told attendees that the industry faces myriad data-integrity issues, many of which they can solve easily.
For instance, many times the way to the restroom is through the “employees only” hallway. The access can lead to computers with open ports, which allow for potential breaches.
Also, sometimes staff members are not properly trained. So when a breach does occur, they may fail to take critical actions to help forensic teams understand what happened.
Retailers must develop comprehensive plans to monitor both the physical state of the store and the firewalls and other electronic protections in place. For instance, data thieves can place false card swipes on ATMs and pumps to steal card data [CSP—May ’12, p. 107].
Another gateway to theft can occur when companies such as Microsoft issue “patches” designed to repair vulnerabilities. “In essence, they’re saying, ‘Hey, we’ve got a vulnerability,’ and [thieves] can just scan the Internet for computers that have those issues,” Kenealy said. “Many times people don’t put on the patches. IT is putting out fires every day and often says, ‘I’ll get to patching later.’ ”
In another example, Kenealy said disgruntled employees often have “the keys to the kingdom” and can leave with passwords or whole databases.
Kenealy also pointed out a recently released study on 2011 data breaches done by New York-based Verizon. The report contained key points:
- 92% of breaches came from external sources, suggesting an increase in attacks on smaller organizations.
- 83% of victims were targets of opportunity vs. planned targets.
- 96% of breaches were avoidable through simple or intermediate controls.
- 89% of victims subject to PCI compliance had not achieved compliance.
While social media presents retailers with an easy, cost-effective way to start a dialogue with customers, Burkhart of BIC advised attendees to be cautious.
“There are few rules,” he said. “And where regulation is lacking, you have to be careful.”
For instance, conversation on BIC’s Facebook page surrounding its lighters typically starts after a city’s happy hour. The topic of lighters comes up, and people— many of whom have been consuming alcohol—continue the conversation online.
“What do you say? What don’t you say?” he asked. “You have to be consistent—and monitor it 24/7.”
While technology is one piece of the liability puzzle, another more hands-on challenge is at store level, with ADA compliance.
Though allowing a spider monkey into the store may be one of the more peculiar ADA rules, others can be costly, such as lowering pumps to make nozzles and keypads accessible.
Essentially, most of the focus is on new construction or alterations to a site done after March 15, 2012, according to Mordick of Robinson Oil. Prior to then, if a site was compliant under 1991 standards, then everything built before March 15, 2012, would need no upgrades.
The picture changes after that date, when alterations or new construction to a site would force compliance with 2010 standards.
The difference between the 1991 and 2010 standards affect several areas at the pump and on the sales floor, including drink fountains, display areas, ATMs and dispensers. Work areas where employees pass must also be wide enough to accommodate wheelchairs, Mordick said.
Here are a few differences retailers need to consider:
Reach lengths to dispenser controls from a wheelchair have lowered from 54 inches to 48 inches, with the slope being level at no more than 2%
Access must exist at the pumps, and the entrance must not slope more than 5%, with cross-slopes not exceeding 2%. The exceptions are ramps or curb ramps, which should not exceed 8.3%.
- Parking must have an accessible aisle and use the shortest route possible to the entrance.
- Self-serve drink and food dispensers must have a 30-inch-by-48-inch clear floor space at the controls of the area, with the controls and product being within reach ranges (46 inches, 48 inches or 54 inches).
- Controls or handles must be operable with one hand without tight grasping, pinching or twisting of the wrist. In addition, everything must require 5 pounds or less of force to operate. These rules call into question ketchup bottles that users must turn over and squeeze, as well as tightly sealed cooler doors.
- Half the shelves need to be accessible, with the assumption that the entire range of food lines can be displayed on those spaces.
- Service counters at least 36 inches wide must be no higher than 36 inches above the ground.
- ATMs and vending machines must have the requisite space around the controls. Those controls must be within reach and have Braille instructions and audio capabilities. The concern here lies with vendor-supplied ATMs and DVD kiosks: Retailers must make sure efforts are being made to comply.
The group took an afternoon walk through New Orleans to review the ADA compliance of nearby drug stores, c-stores and the hotel where attendees were staying. Many of the compliance issues surrounded shippers blocking aisles, service counters that were too high, and not placing the full line of a category in shelves within reach of anyone in a wheelchair.
Fines in the past were a straight-up $4,000 payment, Mordick said. Today, fines can range from $55,000 to $110,000 per instance.
While ADA compliance can be an operational issue, many times companies fail to consider the damage and lawsuits that may come from the acts of its executives. Stewart Van Duzer, first vice president, director of special accounts marketing, for Federated Insurance, Owatonna, Minn., told attendees he’s surprised at how much exposure chains allow, especially when coverage is inexpensive.
Privately held companies aren’t immune either, he said. “Numerous instances” exist in which closely held corporations have had their officers sued for actions in running the company, including bad-faith claims, mismanagement claims by employees, manufacturer or bank suits and suits brought by other officers.
Van Duzer said that in studies he has seen, 62% of respondents have experienced some management liability event in the past five years, and yet 33% of that pool had not purchased insurance to mitigate the risks.
Like professional liability coverage, other areas of exposure are off retailers’ radar.
For instance, if retailers thought only a fire, flood or tornado could shut down their stores, what if that fire hit a retailer’s refinery, cutting off supply for an indefinite time? Or what if the bridge that connects a store with its customers washes out in a flood? That’s the difference between casualty insurance and business-interruption coverage, according to Mississippi lawyer Collier Graham.
Graham, of Wise, Carter, Child & Caraway, Jackson, Miss., said retailers need to fully understand their coverage in that many of the true reasons they suffer damage or loss of livelihood goes beyond the physical destruction of property.
Taking the refinery shutdown example, he said, “If you do not have a rider or endorsement or if it’s not in the standard policy, you’re not [covered]. I have advised a petroleum-retail client … to sue his broker because the broker said he didn’t need it or was covered when he wasn’t.”
When a business is forced to shut down, Graham said, certain costs begin to accrue, including salaries, utilities, rent and other fixed costs—for all of which a business is entitled to insurance reimbursement.
One example would be if power went out during a hurricane. A business could be up and ready to run within a day, having either been untouched or only slightly affected in the physical sense. But power to the region may be down for a month. “Are you covered? Maybe. You might have a separate endorsement for loss of utility,” he said. “Where I live we have awful infrastructure. We’re too poor to maintain it. Our sewer pipes are so bad [that after a storm], we lost water and sewer for a better part of the month.”
In addition to understanding what the “loss potential” is for a business, retailers need to have an accounting system that will be able to prove loss.
Many factors go into loss calculation, Graham said. Generally speaking, it’s the net profits adjusted seasonally from the previous year, he said. But that could be a plus or minus. For instance, the Gulf oil spill certainly caused damage to hundreds of businesses. Some were covered, some not.
A lot of the damage that occurred was not from oil washing onto the beach. It’s that tourists didn’t come. For many businesses, that loss was not covered. “But if you had a condo or Hilton had oil on its beach, you had a covered loss,” he said. “If a c-store was near the beach and suffered no [physical damage] … then you had no coverage.”
Overall, retailers at this year’s roundtable took away new insights. But mostly, they left with a need to re-examine their companies’ current exposure and consider ways to close the potential holes before an iceberg hits—or a miniature horse walks through their doors.
Best Practices for Reducing Risk
Retailers need to instill processes designed to reduce exposure to product recall or lawsuits, according to Steve Burkhart of BIC Corp. Here’s a short list of recommendations:
- Control purchasing.
- Obtain indemnity and sufficient insurance coverage from highly rated companies.
- American companies should require exporters to have insurance coverage from an American or international insurer.
- Have proof of compliance with standards and regulations.
- Deal only with reputable, financially responsible manufacturers and distributors.