Data Security Risk Should Rank High on Retailers’ Priority Lists

Identity Theft

A recent study suggests data security is very low on many executives’ priority lists of perceived risks to their businesses. Over 800 executives in Australia, France, Germany, Hong Kong, Norway, Sweden, UK and the US were asked what the greatest risks to their companies were, and data security finished 8th. Business competition, finding talented people, maintaining profits, growing the business, attaining and maintaining a great reputation, deployment of new technology, and supporting legacy infrastructure all come before protecting one’s data. Additionally, while 63% of the executives expected to suffer a security breach at some point, only 44% believe their critical data is completely secure. Even fewer (37%) believe their consumer data is completely secure. Yet only 1% of the executives saw data security as the greatest risk to their business.

Is this lack of fear crippling any movement toward widespread change in policy regarding data protection? A recent study has found that 70% of executives believe that their organizations do not even understand the full risks associated with data breaches (Study). Only 45% of executives believed that their own company’s response to data breaches was proactive or well-developed.

So what can be done? According to the 2014 Executive Breach Preparedness Research Report, in order to control and respond to data breaches, a company must start taking into account the importance and value of its data in its business operations. “Without a well thought out plan in place, and without the proper guidance, training and process instituted throughout the organization, executives can stumble when dealing with the public outcry once sensitive data has been compromised,” said Arthur Wong, Senior Vice President and General Manager for Enterprise Security Services at HP. Wong also notes that while no amount of money can completely protect companies from highly sophisticated cyber attacks, with proper preparedness, an attack can become a “speed bump in the road” rather than a “catastrophic business event”.

Therefore, the first step towards being prepared involves executives understanding that data security is critical. It should be treated as a challenge on the same level as finding talented people, maintaining profits, and growing the business. As the holiday shopping season approaches, retailers should be mindful that it only takes one data breach to push customers through the doors of a competitor. Looking through that lens, data security should quickly be put on par with concerns like business competition, maintaining profits and overall business growth.

 Post by Sarah Crabtree Perez and Daniel Broidy

A Small Spill Creates a Big Mess

Donnea Collins of Louisiana is suing Whole Foods for what she contends was negligence on the part of the retailer. The suit alleges that Ms. Collins slipped and fell on a “liquid” while shopping in the produce section of her local store. Ms. Collins’ lawyers contend Whole Foods should have known about the issue and cleaned it in an appropriate manner. Additionally, according to the lawsuit, Whole Foods is accused of “failing to maintain the premises, failing to periodically inspect and clean, failing to keep the premises clean, failing to warn of a dangerous condition and failing to place warning signs.”

This is not the first time Whole Foods has been sued due to a slip and fall issue. In 2010, a Whole Foods in Pennsylvania was sued for $50,000 when a customer slipped and fell and sustained injuries which necessitated medical attention.

To determine whether there is liability in slip and fall cases, the courts look at:

(1)   Actual or constructive knowledge of some condition on the premises by the owner/operator;

(2)    That the condition posed an unreasonable risk of harm;

(3)    That the owner/operator did not exercise reasonable care to reduce or eliminate the risk; and

(4)   That the owner/operator’s failure to use such care proximately caused the plaintiff’s injuries.

 (Wal-Mart Stores, Inc. v. Ortiz, 2000 Tex. App. LEXIS 5199; Keetch v. Kroger, 845 S.W.2d 262, 264 (Tex. 1992); Corbin v. Safeway Stores, Inc., 648 S.W.2d 292, 296 (Tex. 1983)).

For a company such as Whole Foods to escape liability, it often must prove that it could not have known about such dangers and thus did not fail the reasonableness standard. Will Whole Foods be held liable in this new case? Read more here:

 Post by Sarah Perez and Daniel Broidy

Proposed Legal Ramifications for Retailers Suffering from Data Breaches

What do Michaels Stores, PF Chang’s, Neiman Marcus, Goodwill, and Target have in common? They’ve all suffered large data breaches in the past twelve months, leaving millions of consumers at risk. With the recent news that Home Depot is being investigated for a data breach that could be the largest of all time (over 110 million consumer records breached), retailers now face a harsh reality: the enactment of new state and federal laws holding them accountable to consumers.

Currently, state and federal law is relatively lenient toward retailers confronted with breaches. Retailers are not liable for any of the costs to financial institutions for breaches, such as replacement cards (which cost $5-$10 per card to replace), or account monitoring. Presently, retailers are only required to pay for the losses that occur in their stores in the form of chargeback refunds.

Yet, even without statutory liability, retailers still suffer millions of dollars in losses for every breach that occurs. According to a report from the Ponemon Institute, the average cost to a company for a breach of data is $3.5 million, up 15% from 2013. However, recent breaches at big-name retailers such as Target (whose data breach affected over 100 million consumer records) can cost companies hundreds of millions of dollars. These losses come from replacing inventory, paying chargeback refunds, and from drops in revenue and stock price due to consumer concern. According to LexisNexis, the average merchant lost 0.68% of annual revenue to fraud in 2013, but the total cost is a higher multiple of that. Essentially, for every $1 lost to fraud, retailers had to spend $3.08 to replace lost inventory and cover chargeback fees and other penalties.

Now, to add insult to injury, new laws have been proposed that could add more liability to retailers for future data breaches. For example, California has proposed Bill AB 1710, which would hold retailers liable for reimbursing any financial damages to their customers due to security breaches regardless of where the breached credit card information is used. Kentucky, New Mexico, Iowa, Minnesota, and Florida have also proposed data security laws, which could affect the future of retailers’ breach liability. Additionally, Attorney General Eric Holder has called for Congress to pass more stringent federal laws regarding customer notification after data breaches, which could lead to even more rigorous standards in the near future. All of these potential new standards will need to be monitored and will certainly add up to extra costs for retailers who suffer data breaches.

Author: Troy Morris and Daniel Broidy