Spider Monkeys, Ponies and Lawyers, Oh My!

Move over, seeing eye dogs: Authorized service animals today include diaper-clad spider monkeys and house-broken min­iature horses.

There’s never a dull moment when exploring risk and liability issues, as 23 retailer and sponsor attendees discov­ered this past spring at CSP’s 10th annual Leadership and Crisis Prevention Forum, held in New Orleans.

Speakers covered topics ranging from business interruption to product liabil­ity, and the Americans with Disabilities Act (ADA) to Payment Card Industry (PCI) compliance, with retailers shar­ing liability-related stories and how their chains handle different areas of exposure.

The latest version of ADA mandates is a 300-page document with seemingly endless layers of detail, according to David Mordick, maintenance, construction and environmental compliance manager for Robinson Oil Co., Santa Clara, Calif.

“Service animals are no longer lim­ited to dogs, so, for example, people in a wheelchair can use a spider monkey that’ll climbs shelves to get items; or people can use a [waist-high] miniature horse to help them stand if they have ver­tigo,” Mordick said, citing a detail in the law that may offer retailers respite. “But employees can ask the horse’s owner if the animal is housebroken.”

In addition to ADA complexities, speakers focused on a number of concerns:

• Product Liability: With so many foreign manufacturers and imports entering the United States with little to no oversight, local retailers are becoming the target for product-related lawsuits, which hold them accountable for everything from health violations to false advertising.
• Cybercrime Liability: Data breaches and noncompliance with PCI standards are a growing issue.
• Business Interruption: Retailers may not realize the kinds of losses they can incur—other than physical prop­erty—when business stops due to an act-of-nature event.
• Professional Liability: Retailers can be exposed due to employee miscon­duct or company mismanagement.

Stories ranged from manufacturers caving in to class-action suits to one retailer’s recollection of someone suing the chain even though that same indi­vidual was caught on video stealing.

These days, legal precedent is putting retailers in the crosshairs. “If you’re in the supply chain, you’re on the hook,” said Steve Burkhart, vice president and general counsel for BIC Corp., Shelton, Conn., explaining that pinpointing a responsible party is increasingly difficult and, as a result, courts and legislators are focusing on retailers. “Things are so different now.”

Product Liability

A combination of trends is saddling retail­ers with liability for hazardous or defective products, Burkhart said. First, c-stores and retailers in general have grown both in numbers and revenue over the past decades, with 14 retailers making Forbes’ list of the top 75 companies last year. The increased visibility attracts lawsuits.

Government entities have also con­nected the dots from retailer to product. For instance, the Consumer Product Safety Commission has mandated that retailers and other sellers notify it of hazardous or defective products, and required they follow set rules and dead­lines. Just last year, 10 companies were penalized $4 million for inadequately reporting product defects.

Most concerning for Burkhart is that in 2008, four executives from a U.S. importing firm were indicted on criminal charges, a precedent that puts a retailer’s liberty at risk.

Much of the problem stems from imported goods, which in some countries receive little to no manufacturing super­vision. When consumers fall victim to a faulty or unhealthy product, the govern­ments of these countries fail to allow for recourse. This scenario leaves the seller or retailer the only tie to liability.

Along these lines, another area of imminent concern is private-label goods, Burkhart said. A number of retailers have publicly committed to the expansion of private-label lines. In that scenario, not only are health standards an issue, but so are patent infringements, for which sellers are being held responsible.

In one example, Burkhart said compa­nies in China are being accused of flood­ing the U.S. market with its oversupply of honey, allegedly made with harmful products and without regard to process­ing standards. To get around restric­tions, importers will often repackage the product, disguising its origin and thereby exposing the retailer to liability.

Burkhart described an “arrogance” that translates into illegal honey coming in through India or Malaysia, with for­ eign manufacturers substituting paper­work, disguising barrels by painting them a legal color or removing elements so its roots can’t be traced.

With the trail of responsibility passing through if not ending with the retailer, Burkart insisted that retailers take an honest look at their exposure and imple­ment best practices to reduce risk.

Addressing Cybercrime

While tracking the origins of physical product is important, so is assessing the vulnerability of a company’s electronic network. Phil Kenealy, president of ACES, a Cedar Falls, Iowa-based data security and analysis firm, told attendees that the industry faces myriad data-integrity issues, many of which they can solve easily.

For instance, many times the way to the restroom is through the “employees only” hallway. The access can lead to computers with open ports, which allow for potential breaches.

Also, sometimes staff members are not properly trained. So when a breach does occur, they may fail to take critical actions to help forensic teams understand what happened.

Retailers must develop comprehen­sive plans to monitor both the physical state of the store and the firewalls and other electronic protections in place. For instance, data thieves can place false card swipes on ATMs and pumps to steal card data [CSP—May ’12, p. 107].

Another gateway to theft can occur when companies such as Microsoft issue “patches” designed to repair vulner­abilities. “In essence, they’re saying, ‘Hey, we’ve got a vulnerability,’ and [thieves] can just scan the Internet for comput­ers that have those issues,” Kenealy said. “Many times people don’t put on the patches. IT is putting out fires every day and often says, ‘I’ll get to patching later.’ ”

In another example, Kenealy said disgruntled employees often have “the keys to the kingdom” and can leave with passwords or whole databases.

Kenealy also pointed out a recently released study on 2011 data breaches done by New York-based Verizon. The report contained key points:

• 92% of breaches came from exter­nal sources, suggesting an increase in attacks on smaller organizations.
• 83% of victims were targets of opportunity vs. planned targets.
• 96% of breaches were avoidable through simple or intermediate controls.
• 89% of victims subject to PCI com­pliance had not achieved compliance.

Social-Media Caution

While social media presents retailers with an easy, cost-effective way to start a dialogue with customers, Burkhart of BIC advised attendees to be cautious.

“There are few rules,” he said. “And where regulation is lacking, you have to be careful.”

For instance, conversation on BIC’s Facebook page surrounding its lighters typically starts after a city’s happy hour. The topic of lighters comes up, and people— many of whom have been consuming alcohol—continue the conversation online.

“What do you say? What don’t you say?” he asked. “You have to be consis­tent—and monitor it 24/7.”

ADA Pressure

While technology is one piece of the liability puzzle, another more hands-on challenge is at store level, with ADA compliance.

Though allowing a spider monkey into the store may be one of the more peculiar ADA rules, others can be costly, such as lowering pumps to make nozzles and keypads accessible.

Essentially, most of the focus is on new construction or alterations to a site done after March 15, 2012, according to Mordick of Robinson Oil. Prior to then, if a site was compliant under 1991 stan­dards, then everything built before March 15, 2012, would need no upgrades.

The picture changes after that date, when alterations or new construction to a site would force compliance with 2010 standards.

The difference between the 1991 and 2010 standards affect several areas at the pump and on the sales floor, including drink fountains, display areas, ATMs and dispensers. Work areas where employees pass must also be wide enough to accom­modate wheelchairs, Mordick said.

Here are a few differences retailers need to consider:

Reach lengths to dispenser controls from a wheelchair have lowered from 54 inches to 48 inches, with the slope being level at no more than 2%

Access must exist at the pumps, and the entrance must not slope more than 5%, with cross-slopes not exceeding 2%. The exceptions are ramps or curb ramps, which should not exceed 8.3%.

• Parking must have an accessible aisle and use the shortest route possible to the entrance.
• Self-serve drink and food dispensers must have a 30-inch-by-48-inch clear floor space at the controls of the area, with the controls and product being within reach ranges (46 inches, 48 inches or 54 inches).
• Controls or handles must be operable with one hand without tight grasping, pinching or twisting of the wrist. In addi­tion, everything must require 5 pounds or less of force to operate. These rules call into question ketchup bottles that users must turn over and squeeze, as well as tightly sealed cooler doors.
• Half the shelves need to be accessible, with the assumption that the entire range of food lines can be displayed on those spaces.
• Service counters at least 36 inches wide must be no higher than 36 inches above the ground.
• ATMs and vending machines must have the requisite space around the controls. Those controls must be within reach and have Braille instructions and audio capabilities. The concern here lies with vendor-supplied ATMs and DVD kiosks: Retailers must make sure efforts are being made to comply.

The group took an afternoon walk through New Orleans to review the ADA compliance of nearby drug stores, c-stores and the hotel where attendees were staying. Many of the compliance issues surrounded shippers blocking aisles, service counters that were too high, and not placing the full line of a category in shelves within reach of anyone in a wheelchair.

Fines in the past were a straight-up $4,000 payment, Mordick said. Today, fines can range from $55,000 to $110,000 per instance.

Professional Liability

While ADA compliance can be an operational issue, many times companies fail to consider the damage and lawsuits that may come from the acts of its executives. Stewart Van Duzer, first vice president, director of special accounts marketing, for Federated Insurance, Owatonna, Minn., told attendees he’s surprised at how much exposure chains allow, especially when coverage is inexpensive.

Privately held companies aren’t immune either, he said. “Numerous instances” exist in which closely held corpora­tions have had their officers sued for actions in running the company, including bad-faith claims, mismanagement claims by employees, manufacturer or bank suits and suits brought by other officers.

Van Duzer said that in studies he has seen, 62% of respon­dents have experienced some management liability event in the past five years, and yet 33% of that pool had not purchased insurance to mitigate the risks.

Business Interrupted

Like professional liability coverage, other areas of exposure are off retailers’ radar.

For instance, if retailers thought only a fire, flood or tornado could shut down their stores, what if that fire hit a retailer’s refinery, cutting off supply for an indefinite time? Or what if the bridge that connects a store with its customers washes out in a flood? That’s the difference between casualty insurance and business-interruption coverage, according to Mississippi lawyer Collier Graham.

Graham, of Wise, Carter, Child & Caraway, Jackson, Miss., said retailers need to fully understand their coverage in that many of the true reasons they suffer damage or loss of livelihood goes beyond the physical destruction of property.

Taking the refinery shutdown example, he said, “If you do not have a rider or endorsement or if it’s not in the standard policy, you’re not [covered]. I have advised a petroleum-retail client … to sue his broker because the broker said he didn’t need it or was covered when he wasn’t.”

When a business is forced to shut down, Graham said, cer­tain costs begin to accrue, including salaries, utilities, rent and other fixed costs—for all of which a business is entitled to insurance reimbursement.

One example would be if power went out during a hurricane. A business could be up and ready to run within a day, having either been untouched or only slightly affected in the physical sense. But power to the region may be down for a month. “Are you covered? Maybe. You might have a separate endorsement for loss of utility,” he said. “Where I live we have awful infra­structure. We’re too poor to maintain it. Our sewer pipes are so bad [that after a storm], we lost water and sewer for a better part of the month.”