CSP Magazine

How To Defend Your Company Where It’s Most Vulnerable

The ports of Long Beach and Los Angeles receive about 40% of all imports into the United States. The miles of shipping containers along the coastline could not have been a more fitting backdrop for the recent CSP Leadership and Crisis Prevention Forum, because minimizing risk is the main job description for many of the more than 30 retailer and supplier attendees.

And for convenience retailers, the risks—and regulations—have multiplied just as the business continues to grow in complexity. Over the forum’s three days, speakers covered topics ranging from insurance to cybercrime and immigration enforcement—all to help operators get ahead of the game.


Table of Contents

A False Sense of Cybersecurity

Getting Insured—and Paying for It

Assessing the Effects of Deeming

Chipotle’s Crisis: Your Lesson to Learn

I-9 Update

A False Sense of Cybersecurity

Businesses seemingly have several technologies at their disposal to protect themselves from hacking. But Dan Ford, chief security officer for Silent Circle, Geneva, Switzerland, told attendees that many of these trusted tools are little more than security theater.

Passwords. Does your company have a policy requiring you to change your password after so many days? If so, it’s time to rethink it.

“You actually put yourself in a weaker security position every time you change your password,” said Ford. “The only time you need to change your password, if you have a decently secure password, is if you believe it’s been compromised.”

Ford recommends password managers such as LastPass and 1Password, which generate a strong, random password for every account and store all of them behind a single master password.
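What a password manager does on the user's behalf, shown as an added example (this is not Silent Circle's or any manager's code): draw every character from a cryptographic random source and size the result so that the entropy is far beyond what a memorable, periodically rotated password offers. The alphabet and the 20-character default are assumptions for the demonstration.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 characters, the pool most managers default to.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password one uniformly random character at a time.

    secrets.choice() uses the OS CSPRNG, so the result is suitable for
    credentials, unlike random.choice(), which is seeded predictably.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This bound only holds for machine-generated passwords; a human-chosen
    'Summer2016!' has far less entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(length: int, alphabet_size: int) -> int:
    """Size of the search space an attacker must cover for a brute-force guess."""
    return alphabet_size ** length


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # An 8-character password from the same pool is about 52 bits,
    # a 20-character one about 131 bits; each extra character adds ~6.6 bits.
    for n in (8, 12, 20):
        print(n, f"{entropy_bits(n, len(ALPHABET)):.1f} bits")
```

Because the manager remembers the password, length costs the user nothing, which is why Ford's advice to change a password only on suspected compromise works: the password is already strong, and rotation would not make it stronger.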

Penetration tests. While penetration tests—in which a company hires a service to attempt to hack into its network—can reveal big security flaws, don’t consider them foolproof, Ford said.

“One of the problems with these penetration tests is that we can restrain them to certain rules of engagement,” he said. “Bad actors don’t care about rules of engagement.”

Firewalls. Ford likes to compare firewalls to Swiss cheese or spaghetti strainers: traffic the rules permit passes through the holes, while everything else is caught. But there's a catch.

“Your firewall is saying what is permitted to come through,” said Ford. “Those are the exact ways that a bad actor is going to come through.”

That said, a firewall is still necessary as a basic security feature, but consider it only one element of a broader defense strategy.
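Ford's point that the permitted paths are the attacker's paths is easiest to see by evaluating rules the way a packet filter does. The following is an added example, not code from the forum or from any firewall product; the two rulesets, the TEST-NET source address and the first-match-then-default semantics are assumptions chosen to mirror how common filters behave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches every port
    src: str               # source network in CIDR notation


def rule_matches(rule: Rule, proto: str, dport: int, src: str) -> bool:
    return (rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport)
            and ip_address(src) in ip_network(rule.src))


def decide(rules: List[Rule], default: str, proto: str, dport: int, src: str) -> str:
    """First matching rule wins; when nothing matches, the default policy applies."""
    for rule in rules:
        if rule_matches(rule, proto, dport, src):
            return rule.action
    return default


def probe(rules: List[Rule], default: str, src: str, ports=range(1, 1025)) -> Set[int]:
    """TCP ports an outside host at `src` can reach: the attack surface it sees."""
    return {p for p in ports if decide(rules, default, "tcp", p, src) == "allow"}


# Weak setting (constructed): default-allow with a short block list.
# Everything not named here, including remote-management ports, is reachable.
WEAK_RULES = [
    Rule("deny", "tcp", 23, "0.0.0.0/0"),
    Rule("deny", "tcp", 445, "0.0.0.0/0"),
]
WEAK_DEFAULT = "allow"

# Hardened setting (constructed): default-deny, allow only what the business needs.
# Port 443 is still a hole, and that is exactly where an attacker will knock.
HARDENED_RULES = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "tcp", 22, "10.0.0.0/8"),   # admin SSH only from the internal net
]
HARDENED_DEFAULT = "deny"

INTERNET_HOST = "203.0.113.7"   # TEST-NET-3 address standing in for an outsider

if __name__ == "__main__":
    print("weak, ports 1-1024 open to the internet:",
          len(probe(WEAK_RULES, WEAK_DEFAULT, INTERNET_HOST)))
    print("hardened, ports open to the internet:",
          sorted(probe(HARDENED_RULES, HARDENED_DEFAULT, INTERNET_HOST)))
    # The same rule that lets a customer reach the web front end lets an attacker
    # reach it too; the firewall cannot tell them apart by port alone.
    print("attacker to 443:", decide(HARDENED_RULES, HARDENED_DEFAULT, "tcp", 443, INTERNET_HOST))
```

The output of `probe` is the list a penetration tester (or an attacker) would start from; whatever is allowed through must be defended by something other than the firewall, which is the "one element of a broader defense" point above.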

Smartphones. Despite the drama behind the FBI’s recent attempt to force Apple to unlock the iPhone of the San Bernardino shooters, the smartphone is not an impenetrable piece of hardware. More than 500 vulnerabilities have been discovered in the iPhone since 2014 alone, Ford said. The most recent operating system, iOS 9.3.1, already has more than 100 known vulnerabilities.

That said, he considers the iPhone “a really solid Honda—it won’t break down,” and also the most secure smartphone out of the box. The key is patching vulnerabilities by installing Apple’s updates as soon as they are released. And above all, do not “jailbreak” the iPhone, that is, strip away its software restrictions. By doing so, “you’ve taken away over 15 years of research from Apple to secure the device,” Ford said.

With that in mind, how safe is payment technology such as Apple Pay? Considering that Apple already has payment and other personal information from its smartphone users, this is a moot point, he said: “If you believe in and trust Apple, how much additional trust are you extending to let them use information they already have?”

Anti-virus software. Do you have top-of-the-line anti-virus software? If you do, according to Ford, you are wasting your money.

“There is not an anti-virus product out there that’s any good,” said Ford. “You are just as safe using the built-in Windows Defender, which is free, as you are with any anti-virus software out there.”

In Ford’s own recent test, he had dozens of malware-infected files sent to his computer to see how many anti-virus software programs would catch them. Out of 53 major programs, only five were able to identify a piece of malware.

“Anti-virus is old technology,” said Ford. “It is essentially things that are already known.”

The simplest approach is to update existing operating systems and software on schedule. “Our goal is always to minimize the ‘threat window,’ ” he said, referring to the period during which a system carries a known vulnerability that has not yet been patched. “The problem is that the majority of us walk around with a system that has vulnerabilities in it and the patch is available.”
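The part of the threat window an operator controls is the time between a vendor shipping a fix and the fix being installed. The following added example (not code from the forum or from any vendor) measures that gap across an inventory: it flags only hosts that run a version below the fixed one while the patch is already available, so an advisory with no patch yet does not produce noise. The inventory, the product names, the version numbers and the dates are all constructed for the demonstration and do not describe real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.3.1' -> (9, 3, 1); tuples compare component-wise, so (9, 3, 1) < (9, 3, 2)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: Version        # first version that contains the fix
    patch_released: date     # day the vendor made that version available


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: Version


def exposure_report(hosts: List[Host], advisories: List[Advisory], today: date):
    """One finding per (host, advisory) where a patch exists but is not installed.

    Returns (host name, product, fixed-in version, days the patch has been
    available), longest exposure first. Advisories whose patch is not out yet
    are skipped: that part of the window belongs to the vendor, not the operator.
    """
    findings = []
    for host in hosts:
        for adv in advisories:
            if adv.product != host.product:
                continue
            if adv.patch_released > today:
                continue
            if host.version < adv.fixed_in:
                days = (today - adv.patch_released).days
                fixed = ".".join(str(n) for n in adv.fixed_in)
                findings.append((host.name, host.product, fixed, days))
    return sorted(findings, key=lambda f: -f[3])


# Constructed sample data: hypothetical products, versions and dates.
ADVISORIES = [
    Advisory("store-pos", parse_version("4.2.1"), date(2016, 3, 15)),
    Advisory("store-pos", parse_version("4.3.0"), date(2016, 6, 1)),   # not released yet
    Advisory("phone-os", parse_version("9.3.2"), date(2016, 4, 20)),
]
HOSTS = [
    Host("pos-01", "store-pos", parse_version("4.2.0")),   # patch out 47 days, not applied
    Host("pos-02", "store-pos", parse_version("4.2.1")),   # current
    Host("mgr-phone", "phone-os", parse_version("9.3.1")), # patch out 11 days, not applied
]
TODAY = date(2016, 5, 1)

if __name__ == "__main__":
    for name, product, fixed, days in exposure_report(HOSTS, ADVISORIES, TODAY):
        print(f"{name:10} {product:10} needs {fixed:8} patch available for {days} days")
```

Run against a real inventory, the "days" column is the metric to drive toward zero; anything that shows up here is a system "with vulnerabilities in it and the patch available," in Ford's words.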

Getting Insured—and Paying for It

With no major catastrophes and continued investment by private-equity firms, insurance had a fairly “quiet” 2015, said Stewart Van Duzer, first vice president and director of special accounts marketing for Federated Insurance, Owatonna, Minn. For retailers, that means rates overall should remain flat in 2016, depending on the type of insurance. For example:

Workers’ compensation. Expect pricing on workers’ comp policies to remain “a bit dicey” in 2016, Van Duzer said. This is because of a trend toward more severe incidents resulting in larger claims, and also because actuaries are still unsure how the Affordable Care Act (ACA) may influence the uninsured to file workers’ comp claims. There’s also uncertainty about the future of funding for the ACA itself.

“There are quite real statements that the ACA will blow up next year—it’ll run out of money,” said Van Duzer. “It’s a problem for actuaries setting rates. How do you price that into the product?”

Automotive. Blame distracted driving for helping push up automotive liability-insurance rates.

Retailers can adopt driving policies that help hold down premium increases.

For example, those who employ drivers should consider installing video cameras in the truck cabs. One retailer at the meeting, who requested anonymity, said his company recently installed cameras in its delivery trucks and already has seen “a huge difference” in drivers’ behavior. The devices help capture everything from fender benders to prohibited activities such as smoking or cellphone use.

“It’s important for the underwriter at your insurance carrier to know, ‘Hey, we have drive cams installed—we’re filming drivers at work,’ ” said Van Duzer. “It will help you price-wise.” Also consider writing a distracted-driving policy “with real teeth” to help keep costs in check.

“You need to make the determination: Is it OK if they’re on the phone, use hands-free or not hands-free?” he said. “When that accident happens, the first thing [police] ask for is the records on that phone. If that vehicle has your name on it, you’re going to be sued.”

General liability and umbrella. Pricing for these policies is “stable,” said Van Duzer, pointing out that investment dollars continue to flow into reinsurers, helping keep pricing on umbrella policies in check.

Some companies are even deciding to have an internal umbrella policy that covers an initial limit of costs before a reinsurer gets involved.

Cyber liability. If your company falls victim to a cyberhack, expect to pay an average of $300 per record, or $5 million per event. This makes coverage critical.

“If you’re a marketer and you don’t carry any type of cyber insurance, you are inviting disaster,” said Van Duzer. “You need to have this coverage in place.”

A good base plan would provide $1 million in coverage, he said: “If I’ve found out I’ve had an accident or a breach, at least I’ve got someone to manage the claim for me. If you have no coverage—no one to manage that claim—you’re on your own. And that’s expensive.”

Insurers are increasingly including cyber liability coverage in their basic programs. And because of the increased frequency of cyber liability claims, more insurers are entering this market and helping keep policies reasonably priced. A retailer’s IT policies, such as use of firewalls and auto-wipe features on hardware, can help earn policy discounts.

Assessing the Effects of Deeming

The U.S. Food and Drug Administration’s (FDA) newly announced deeming regulations over e-cigarettes (as well as cigars, hookah tobacco and pipe tobacco) will transform that industry, said Ryan Sullivan, corporate counsel for BIC Corp., Shelton, Conn. Meeting the product registration requirements, which include submitting ingredient lists, will cost an estimated $2 million to $10 million per product.

“It’s going to force a lot of small players out of this, and you’re going to be left with a couple of players already in big tobacco who have the resources and ability to navigate through the regulatory scheme work,” said Sullivan. There is a congressional push to exempt existing manufacturers from having to comply with this particular requirement, and flavors were not included in the regulations, so the ultimate effect remains in flux.

Having the regulations in place is one thing; enforcing them is another. “You can have more rules, but where does the enforcement come from?” said Steve Burkhart, vice president and general counsel for BIC. The Department of Justice does not necessarily have a bigger budget for enforcing the deeming regulations, and depending on the result of the presidential election, it could have an even smaller one.

“If you don’t have the budget or are not being told to spend the money, then where is the fight likely to happen? Maybe in a civil lawsuit, in a courtroom, between private parties,” said Burkhart. “It’s great to have new rules, some clarity, at least starting the process. But it probably helps the plaintiff’s lawyers first, not the lawyer inside the justice department trying to enforce the new rule.”

3 Lessons to Learn From Chipotle’s Crisis

In 2015, 3,000 people died and 40 million were sickened from foodborne illness. Last year’s outbreaks proved it could happen to anyone, even the darling of the restaurant industry.

Chipotle battled a three-headed dragon of foodborne illness—E. coli, salmonella, norovirus—that began last summer with outbreaks on the West Coast and in the Midwest and crossed the country to Boston-area locations.

By the time the year was over, about 500 people were sick, Chipotle’s stock price had fallen by more than 20% and its same-store restaurant sales had eroded by double digits.

When a crisis strikes, having a strong policy in place is not enough; you also have to prove to regulators it was executed properly, which is a strenuous task.

“ ‘Let’s see your handbook, let’s talk to your HR department, let’s take a look at your employee roll and see who’s coming and going,’ ” said Sullivan of the process. “It’s not a convenient situation, it’s not on your time frame and you’re essentially at the mercy of the regulators.”

Chipotle hired food-safety experts to comb through its supply chain to find its vulnerabilities, and it acted on many of the hundreds of resulting recommendations. These included:

Centralizing food preparation. While the theater of prepping ingredients in the restaurant helped Chipotle rocket to success, it was one of the first casualties of the food-poisoning outbreaks. The chain ultimately moved food prep from the restaurant into centralized commissaries, where it could better control conditions.

“This is exactly what they were mocking the other fast-food companies for: this centralized commissary approach, which is rather tried and true,” said Sullivan. “Because of this, it’s really challenged how they were built and how they became so successful.”

Improving ingredient traceability. Chipotle initially had poor traceability from farm to the point of service, with no granular way to determine where ingredients originated and which stores they headed to from there. The crises led it to develop a screening process and system for its farmer and supplier partners, which was a significant expense.

Rebuilding trust. Competitors felt considerable Schadenfreude over Chipotle’s troubles because of how aggressively it wielded the “food with integrity” marketing campaign. The fact that it was hit by five separate foodborne illness outbreaks suggested that Chipotle focused on the promise of quality, local ingredients over safe ones, said Sullivan.

Even with the company’s new food-safety checks in place, the hardest part may be winning back lost customers. “There are folks who won’t go back to Chipotle; they’ll never regain that trust,” he said.

“Know what’s going on, know what people are responsible for,” Sullivan told operators. “That’s what’s paramount here: to keep your eye on the ball.”

I-9 Update

Form I-9 is a familiar document for employers, who must fill it out to establish employment eligibility for every new recruit. As a refresher for retailers, Manuel Saldaña, a partner with San Francisco-based Gordon & Rees LLP, shared some tips on handling the form and staying in compliance with the law.

  • Keep using the current form. Although the latest version of the form has technically expired, employers are still being asked to use it until a newly designed form is available. Once the new form is available, you need not have all employees fill out the form again.
  • Follow the correct order. Hire first, then ask for documentation. “You shouldn’t be … saying, ‘Before I hire you, let me see your papers,’ ” said Saldaña. “You’re going to get yourself in trouble.”
  • Treat everyone the same. This means not requesting that a particular new employee provide different documentation than you typically require. It also means not insisting on certain documents for proof of eligibility. “It’s the employee’s choice to show you what documents they want,” he said. “Give them a form that says which documents satisfy, but it’s up to them to decide.”
  • Don’t rely solely on E-Verify. Employers can check a potential employee’s eligibility for employment by using the online E-Verify system, but they should not consider it a foolproof verification method.

“It just means you get a presumption you did the verification,” said Saldaña. “You get a little bit of a leg up, but it’s not a slam dunk. If the [government] sees you didn’t check documents properly … you’ve got problems.”
