Data Security Risk Should Rank High on Retailers’ Priority Lists


A recent study suggests data security is very low on many executives’ priority lists of perceived risks to their businesses. Over 800 executives in Australia, France, Germany, Hong Kong, Norway, Sweden, the UK and the US were asked what the greatest risk to their companies was, and data security finished 8th (http://enterpriseinnovation.net/article/few-business-decision-makers-see-poor-data-security-greatest-business-risk-549396326). Business competition, finding talented people, maintaining profits, growing the business, attaining and maintaining a great reputation, deploying new technology, and supporting legacy infrastructure all come before protecting one’s data. Additionally, while 63% of the executives expected to suffer a security breach at some point, only 44% believe their critical data is completely secure. Even fewer (37%) believe their consumer data is completely secure. Yet only 1% of the executives saw data security as the greatest risk to their business.

Is this lack of fear crippling any movement toward widespread change in policy regarding data protection? A recent study has found that 70% of executives believe that their organizations do not even understand the full risks associated with data breaches (Study). Only 45% of executives believed that their own company’s response to data breaches was proactive or well-developed.

So what can be done? According to the 2014 Executive Breach Preparedness Research Report, in order to control and respond to data breaches, a company must start taking into account the importance and value of their data in their business operations. “Without a well thought out plan in place, and without the proper guidance, training and process instituted throughout the organization, executives can stumble when dealing with the public outcry once sensitive data has been compromised,” said Arthur Wong, Senior Vice President and General Manager for Enterprise Security Services at HP (http://www.computerweekly.com/). Wong also notes that while no amount of money can completely protect companies from highly sophisticated cyber attacks, with proper preparedness, an attack can become a “speed bump in the road” rather than a “catastrophic business event”.

Therefore, the first step towards being prepared involves executives understanding that data security is critical. It should be considered at the same challenge level as finding talented people, maintaining profits, and growing the business.  As the holiday shopping season approaches, retailers should be mindful that it only takes one data breach to push customers through the doors of a competitor.  Looking through that lens, data security should be quickly on par with concerns like business competition, maintaining profits and overall business growth.

Post by Sarah Crabtree Perez and Daniel Broidy

Ebola Concerns for Employers–Darned if You Do, Darned if You Don’t

Forbes reports that four people are currently being treated for Ebola in America, two nurses who contracted it while treating a patient in Dallas, and two who were infected while in Africa and subsequently came to America (Forbes). Whether or not Ebola ends up spreading in America or follows the much more likely path and is fully contained, businesses need to at least consider the effect that it can have on their companies.  If Ebola were to spread, businesses would, according to USA Today, be greatly affected because many insurance plans do not cover Ebola.  (USA Today).  According to the Occupational Safety and Health Act, all employers have a legal obligation to provide a safe workplace for their employees (OSHA Liability). Therefore, businesses would be forced to purchase much costlier insurance plans or worry about possible liability from their employees contracting Ebola and potentially spreading the disease.

Additionally, the spread of Ebola could possibly lead to whistleblower issues. Some employees may refuse to work at a place where they feel unsafe due to the presence of a disease in their workplace. Would these employees have a legitimate whistleblower claim if they were fired due to their refusal to work? It is likely that any employee who makes an official complaint would be legally protected under the Occupational Safety and Health Act, and, to prevent liability, employers would have to show either 1) that there is no hazard or 2) that they have developed a response plan that will reasonably protect their employees from harm (Environmentalsafetyupdate).

Although there are legitimate workplace safety concerns in dealing with the threat of Ebola, employers must not run afoul of federal or state disability laws and/or laws that protect employee medical information. The Americans with Disabilities Act (“ADA”) precludes employers from questioning employees about their health or medical condition without a legitimate business justification. Employers also may not disclose medical information of employees. Compliance with OSHA is likely a legitimate business justification for requesting medical information; however, it will only be legitimate if an employer has a reasonable basis to believe an employee may have been at risk for exposure. For example, if the employee is showing any of the symptoms of Ebola after recent travel to an infected region, the employer will have a reasonable basis to take steps to protect other employees and may request that the employee at issue seek a medical examination before returning to work (http://blogs.wsj.com/riskandcompliance/2014/08/11/the-morning-risk-report-ebola-and-the-americans-with-disabilities-act/).

In general, it would be wise for employers not to overreact, particularly given the current contained nature of the virus in the US.  However, staying informed to be able to respond swiftly, effectively and lawfully should the threat be realized is critical. Employers should regularly consult the CDC for guidance on spotting symptoms and protocol for preventing the virus’ spread. Additionally, a look at the EEOC’s guidance on pandemic flu is instructive: http://www.eeoc.gov/facts/pandemic_flu.html.

For further reading on Ebola and Ebola in the workplace visit:

http://www.cdc.gov/vhf/ebola/

http://www.cdc.gov/niosh/topics/ebola/

Also, USA Today posted a story about Target leaving behind their data breach for the holiday season. That article can be found here:

http://www.usatoday.com/story/money/business/2014/10/21/target-holiday-plans/17663057/

Our Blog post about Target and other Data Breaches can be found here:

https://perez-morris.com/blog/proposed-legal-ramifications-for-retailers-suffering-from-data-breaches/

Post authored by Sarah Perez and Daniel Broidy

Training Middle Management Can Save Millions When Faced With Whistleblower Situations

According to a recent Wall Street Journal article (WSJ.com/blog) a vast majority of whistleblowing employees go to the manager or supervisor they trust most with their concerns, which often tends to be an employee in middle management. In fact, 95% of all incidents are reported straight to managers, not hotlines (Corporate Secretary). Because of this, it is essential that businesses train their middle management to appropriately handle whistleblower situations. If untrained, there can be huge financial and public relations implications.

Unfortunately, however, according to Christine Chi, General Counsel of Financial Crime Compliance and Co-Head of the Global Internal Investigations Group at HSBC Holdings PLC, “[h]aving sophisticated enough personnel to engage in a meaningful and responsible back-and-forth with someone who’s raised concerns…takes a lot.” So, what is the value to the company of investing in training and personnel who are sophisticated enough to handle these situations?

The two biggest fears that stop whistleblowers from coming forward are (1) fear of retaliation and (2) fear that no action will be taken to stop the issue (Corporate Secretary). According to a recent study, 62% of all whistleblowers lost their jobs, 18% felt they were harassed or transferred, and another 11% had their job responsibilities or salaries reduced (http://ethics.csc.ncsu.edu/). With trained middle management who know how to act appropriately in whistleblower situations, companies have an opportunity to investigate and take corrective action regarding any internal problems. Without trained middle management, companies risk situations similar to GM’s (Philly.com), whose management ignored a whistleblower regarding faulty Chevy Cobalt parts, which led to 13 deaths and 54 accidents (businessweek), or Trader Joe’s, which is currently being sued by a former employee for allegedly firing him for whistleblowing (Northjersey.com/traderjoes). In Trader Joe’s case, the employee was allegedly fired for not having a “sense of fun” after reporting spoiling food, rodent droppings and faulty coolers and freezers.

Addressing and fixing internal issues as they present themselves, and before they become a financial and legal hardship, is absolutely paramount for businesses. Case in point: GlaxoSmithKline agreed to a $3B settlement for misbranding their drug Paxil (among other things); Merck Sharp & Dohme agreed to a $950M settlement for misleading doctors regarding their drug Vioxx (ConstantineCannonWhistleblowerSuccesses); and GM was forced to recall 20 million vehicles after ignoring a whistleblower who tipped them off to serious problems.

Many of these examples started as small problems that were ignored or never fully corrected by the company, forcing whistleblowers to take their complaints outside the business, to places like the SEC. Just last year, the SEC gave out its biggest award ever, awarding an anonymous whistleblower $14M (Shrm.org). As the awards and whistleblower protection laws grow, it is imperative that businesses both stay out of trouble and have trained management to deal with any and all whistleblower issues. If businesses train their middle management to deal with issues brought forth by whistleblowers in efficient and effective ways, it may have extra costs up front, but they may be able to save themselves millions (or even billions) in prevented lawsuits, regulatory agency issues, and public relations nightmares.


For more reading on whistleblowing check out these links:

Post by: Sarah Crabtree Perez and Daniel Broidy

A Small Spill Creates a Big Mess

Donnea Collins of Louisiana is suing Whole Foods for what she contends was negligence on the part of the retailer. The suit alleges that Ms. Collins slipped and fell on a “liquid” while shopping in the produce section of her local store. Ms. Collins’ lawyers contend Whole Foods should have known about the issue and cleaned it in an appropriate manner. Additionally, according to the lawsuit, Whole Foods is accused of “failing to maintain the premises, failing to periodically inspect and clean, failing to keep the premises clean, failing to warn of a dangerous condition and failing to place warning signs.”

This is not the first time Whole Foods has been sued due to a slip and fall issue. In 2010, a Whole Foods in Pennsylvania was sued for $50,000 when a customer slipped and fell and sustained injuries which necessitated medical attention.

To determine whether there is liability in slip and fall cases, the courts look at:

(1) Actual or constructive knowledge of some condition on the premises by the owner/operator;

(2) That the condition posed an unreasonable risk of harm;

(3) That the owner/operator did not exercise reasonable care to reduce or eliminate the risk; and

(4) That the owner/operator’s failure to use such care proximately caused the plaintiff’s injuries.

(Wal-Mart Stores, Inc. v. Ortiz, 2000 Tex. App. LEXIS 5199; Keetch v. Kroger, 845 S.W.2d 262, 264 (Tex. 1992); Corbin v. Safeway Stores, Inc., 648 S.W.2d 292, 296 (Tex. 1983).)

For a company such as Whole Foods to escape liability they often must prove that they could not have known about such dangers and thus they do not fail the reasonableness standard. Will Whole Foods be held liable in this new case? Read more here: http://dailyinbox.com/woman-goes-after-whole-foods-company-after-slip-and-fall-accident/.

Post by Sarah Perez and Daniel Broidy

Proposed Legal Ramifications for Retailers Suffering from Data Breaches

What do Michaels Stores, PF Chang’s, Neiman Marcus, Goodwill, and Target have in common? They’ve all suffered large data breaches in the past twelve months, leaving millions of consumers at risk. With the recent news that Home Depot is being investigated for a data breach that could be the largest of all time (over 110 million consumer records breached), retailers now face a harsh reality: the enactment of new state and federal laws holding them accountable to consumers.

Currently, state and federal law is relatively lenient toward retailers confronted with breaches. Retailers are not liable for any of the costs to financial institutions for breaches, such as replacement cards (which cost $5-$10 per card to replace) or account monitoring. Presently, retailers are only required to pay for the losses that occur in their stores in the form of chargeback refunds (https://www.dalpay.com/en/support/chargebacks.html).

Yet, even without statutory liability, retailers still suffer millions of dollars in losses for every breach that occurs. According to a report from the Ponemon Institute (http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis), the average cost to a company for a breach of data is $3.5 million, up 15% from 2013. However, recent breaches at big-name retailers such as Target (whose data breach affected over 100 million consumer records) can cost companies hundreds of millions of dollars. These losses come from replacing inventory, paying chargeback refunds, and from drops in revenue and stock price due to consumer concern. According to LexisNexis, the average merchant lost .68% of annual revenue to fraud in 2013, but the total cost is a higher multiple of that (http://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf). Essentially, for every $1 lost to fraud, retailers had to spend $3.08 to replace lost inventory and cover chargeback fees and other penalties.

Now, to add insult to injury, new laws have been proposed that could add more liability to retailers for future data breaches. For example, California has proposed Bill AB 1710, which would hold retailers liable for reimbursing any financial damages to their customers due to security breaches, regardless of where the breached credit card information is used. Kentucky, New Mexico, Iowa, Minnesota, and Florida have also proposed data security laws, which could affect the future of retailers’ breach liability (http://www.mondaq.com/unitedstates/x/326416/Data+Protection+Privacy/New+and+Proposed+US+Data+Breach+Notification+Laws). Additionally, Attorney General Eric Holder has called for Congress to pass more stringent federal laws regarding customer notification after data breaches, which could lead to even more rigorous standards in the near future. All of these potential new standards will need to be monitored and will certainly add up to extra costs for retailers who suffer data breaches.

Author: Troy Morris and Daniel Broidy

THE EEOC AND FTC TEAM UP ON BACKGROUND SCREENING GUIDANCE

Last week the Equal Employment Opportunity Commission (EEOC) and the U.S. Federal Trade Commission (FTC) co-published guidance for both employers and employees related to the use of background checks in employment. According to one study conducted by the Hay Group in 2012, the turnover rate for part-time retail store employees is as high as 67%, and for full-time employees the turnover rate was 24% (http://www.bloomberg.com/article/2012-05-08/aWdgOKjbTBXY.html). Given these high turnover rates, retail employers are screening potential hires constantly. Part of this screening process often, if not always, includes some level of background screening. From the EEOC’s standpoint, employers must ensure everyone screened is treated equally. No employment decision may be made based on race, national origin, color, sex, religion, disability, genetic information or age (if over 40). The FTC added that applicants must receive written notice that they are going to be subject to a background screening. This should be a standalone notice, not part of the general employment application. When using information gained through a background or credit check, be sure the same standards are applied to all potential employees and take special care when basing employment decisions on problems that are more common among people of a certain race, national origin, age, etc. Also, be mindful of problems that arose in an individual’s background because of a particular disability. Such a person should be given the opportunity to demonstrate whether he or she can now perform the requirements of the job safely and effectively. If you do choose to make a hiring decision based on background screening results, provide the potential employee with a copy of the report you are relying upon; the name, address and phone number of the company that provided the report; and notice that he or she may dispute the report and get an additional copy from the reporting company within 60 days.

For a complete copy of the recent guidance visit: http://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm.

AFFORDABLE CARE ACT COMPLIANCE A RISK FOR RETAILERS IN COMING YEARS

Analysts have recently reported that compliance with the Affordable Care Act (“ACA”) is one of the greater risks retail employers may face in 2014 and the coming years. In the retail industry, as with many other industries, full-time employees are typically those who work more than 40 hours per week. However, the ACA mandates that health insurance must be provided to employees working 30 hours per week or more. This requires significant adjustments to be made by human resources, legal and compliance departments for retailers nationwide. On February 10, 2014, the U.S. Department of the Treasury and Internal Revenue Service issued final regulations implementing the employer responsibility provisions of the ACA. The National Retail Federation applauded the agencies’ efforts to simplify and streamline compliance with the ACA (http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=1768). The biggest change in regulations for large employers (with 100 or more employees) is that the percentage of employees to whom such employers must offer coverage will be phased in to assist in a smooth transition and hopefully avoid large penalties. In 2015, large employers must offer coverage to 70% of full-time employees, and in 2016 that percentage increases to 95%. Further, mid-range employers (with 50-99 employees) must report coverage in 2015 but will have until 2016 before employer responsibility payments apply. To view a fact sheet from the U.S. Treasury Department outlining these changes, visit http://www.treasury.gov/press-center/press-releases/Documents/Fact%20Sheet%20021014.pdf. The level of complexity of the ACA makes implementation daunting and is certainly something for retailers to make a high priority in the coming years.

RETAIL AND TRANSPORT SECTORS FACE HIGHER RISK OF TERRORIST ATTACK IN 2014

Early last week it was reported that AON Risk Solutions has rated the retail and transportation sectors as those at the highest risk for terrorism. AON is a global provider of risk management, insurance and human resources solutions. AON’s 2014 Terrorism and Political Violence Map analyzed attacks in the business sector and found that 33% of terrorist attacks affect the retail sector globally, including public markets, which are not as prevalent in the United States but have been the location of attacks globally. This assessment is important for US retailers both at home and abroad, as countries like Turkey, Bangladesh, Japan and Mozambique saw a marked rise in civil unrest and risk. This increase is largely attributed to low wages and poor working conditions in the garment industry, which impacts much of the global retail sector.


For more information, visit:  http://www.marketwatch.com/story/new-aon-terrorism-data-shows-retail-and-transport-sectors-face-highest-risk-of-attack-2014-01-28?reflink=MW_news_stmp.

DON’T SLIP ON THE BANANA PEEL! DC AREA MAN TRIES TO GET PAYOUT FOR FAKED SLIP AND FALL

Sounding strangely like a scene straight from the Mario Kart video game, Maurice Owens, a passenger on the DC Metro transit system, has claimed $15,000 in damages related to an alleged slip and fall caused by a banana peel left in an elevator. Unfortunately for Mr. Owens, security footage shows him dropping an object on the floor of the elevator and then slipping and falling on it when the doors open. As a result, the DC transit police have responded to Mr. Owens’ claim by charging him with fraud based on what looks like a faked slip and fall. Just when you thought banana peel drops were only for video games, it looks like, at least in the case of Mr. Owens, they may be somewhat of a reality.


For more information check out:  http://gaithersburg.patch.com/groups/police-and-fire/p/report-man-charged-in-alleged-metro-banana-peel-slipandfall-scam

AMAZON AHEAD AGAIN: BEZOS’ “DRONE DREAM” LEADING THE WAY IN RETAIL INNOVATION

The newest innovation in retail is the concept of delivery by drone, introduced by Amazon CEO Jeff Bezos last week. Bezos has optimistically predicted his dream will become a reality within 5 years and will provide customers with the option to receive their packages within 30 minutes of placing their orders. While the drone concept, which seems like something straight from a science fiction movie, is an exciting and interesting prospect, it does pose some obvious liability risks that retailers will have to assess and mitigate. According to a recent article in the Wall Street Journal, there are environmental factors and potential risks to people and property on the ground that must be taken into account before the drone project goes live. First, the drones will likely require FAA and potentially EPA approval, both of which can be lengthy processes. Secondly, risk of trespass, property damage and attractive nuisance claims may exist. For example, the Wall Street Journal notes, it has likely not been addressed by many courts whether a drone delivering your neighbor’s packages by flying over your yard may be a trespass on your property. Regarding obvious questions and concerns for safety, an Amazon spokeswoman stated “Safety will be our top priority, and our vehicles will be built with multiple redundancies and designed to commercial aviation standards.” Amazon has several years to work out the kinks of what has been dubbed “the drone dream” and in the process it is likely some of these legal and safety risks may be addressed. For more information check out:

Amazon’s Drone Delivery Idea Faces Hurdles - Greg Bensinger - Wall Street Journal: http://blogs.wsj.com/digits/2013/12/02/amazons-drone-delivery-idea-faces-hurdles/

Amazon’s Drone Dreams and the Future of Retail - Derek Thompson - The Atlantic: http://www.theatlantic.com/business/archive/2013/12/amazons-drone-dreams-and-the-future-of-retail/281972/