This article was co-authored by Jennifer Reynolds, Litigation Assistant, Manchester.
2021 has presented retailers with numerous risks, many of which relate to COVID-19, whether borne out of the pandemic or exacerbated by it. In this article, we set out a number of these risks from both UK and US perspectives and offer some practical considerations for businesses and insurers.
Employers’ liability/public liability – thoughts from the UK
Employers have a legal duty to take reasonable care for the health and safety of their employees. If that duty is breached, they can be found liable to compensate employees for injury and losses which they prove were caused, or materially contributed to, by that failure. COVID-19 has presented additional responsibilities: an employer’s obligation to protect employees from the harm of COVID-19 includes ensuring the completion of risk assessments and implementing social distancing and heightened cleaning regimes.
Front line retail workers sadly face the daily risk of both verbal and physical abuse from customers, and the number of such incidents is statistically increasing year on year. Against this background, the pandemic’s impact on mental health cannot be underestimated. Despite face masks no longer being mandatory in England’s shops, some retailers are still asking shoppers to don a mask, a request that is not well received by all.
Brexit and COVID-19 related haulage difficulties have resulted in gaps on the shelves of some shops and predictions are that this situation will only worsen in the run-up to the festive period. As such, the risk to workers is unlikely to decline without legislative intervention and actions from the retailers themselves.
In Scotland, the escalating risk has very recently been acknowledged through the Protection of Workers (Retail and Age-restricted Goods and Services) (Scotland) Act 2021. The Act makes it an offence to threaten or abuse a retail worker, either as a single act or a course of conduct. The offence is aggravated if the complaint is linked to the enforcement of statutory age restrictions. The punishments range from a fine to one year’s imprisonment.
In England, the Abuse of Public-facing Workers (Offences) Bill underwent its first reading in the House of Commons on 15 September 2021. Speaking in the House of Commons, Olivia Blake MP said: “If the existing legislation reflects the situation in which we’re seeing spiralling levels of abuse, then it is time that we changed it because the status quo simply isn’t working.”
However, the success of this legislation in deterring customers from committing an assault will depend on:
- Retail workers’ willingness to report the offence to the police and to provide a witness statement. It is foreseeable and understandable that workers who work in their local home area may be fearful that the customer will harass them either in person or via online platforms.
- The level of punishment issued.
- The coverage the punishments receive in the media.
In July 2021, the Co-op pledged to invest £70 million over the next three years into innovative technology to keep their workers safer, to include issuing front line workers with body-worn cameras. However, not all retailers will have Co-op’s budget, especially retailers who have been financially hit by the pandemic.
Legally, retailers are required to take reasonable steps to eliminate the foreseeable risk posed to their workforce. Retailers should revisit their risk assessment(s) each time an incident of verbal or physical abuse occurs. Further, they should provide their workers with full training to ensure they are educationally armed to deal with volatile customers, with role play scenario training being advisable. Finally, retailers will need to offer post-incident support to their workers and identify any knowledge gaps that need to be addressed via post-incident training.
Employers’ liability/public liability – thoughts from the US
Never has the safety of retail and restaurant employees been so scrutinized in the United States as in the wake of the COVID-19 pandemic. On 18 May 2020, the American Federation of Labor and Congress of Industrial Organizations (AFL-CIO) filed a petition for a writ of mandamus in the US Court of Appeals seeking to compel the Occupational Safety and Health Administration (OSHA) to issue an emergency temporary standard protecting US workers against the coronavirus. Although the petition was denied by the Court of Appeals, OSHA released approximately fifteen directives and guides for employees and workers in connection with worker safety in response to the pandemic.
However, the need to protect retail and restaurant employees extends beyond the immediate concern of how best to protect workers against the contraction of the virus. Entities such as OSHA’s Young Workers Initiative and the National Employment Law Project (NELP) have long recognized the need for better training to protect retail and restaurant employees from irate customers and other security concerns. In 2018, NELP issued a report highlighting the risks employees of fast food restaurants face, and questioning whether inadequate training is the root cause. The report looked at a staggering number of incidents at McDonald’s restaurants across the US involving injuries to workers resulting from confrontations with customers, many due to “petty grievances, such as a lack of straws, waiting too long, or missing items from their orders.” These risks have only multiplied in the last year and a half as employees are now tasked with enforcing mask and vaccination mandates. For example, on 17 March 2021, a restaurant manager was stabbed multiple times by a customer who refused to wear a mask at a Jack in the Box restaurant just outside of Houston.
The late night hours of operation of many retail and fast food restaurants also increase the risk of violence associated with burglaries and other crimes. For example, in 2018, two employees of a Chili’s Grill and Bar in DeWitt, New York were murdered by a former Chili’s employee during a robbery just after the restaurant closed around 01:00. The assailant was familiar with the employees’ closing routine, and knew that the lock to the security cage was broken. None of the workers were aware that there was a silent panic alarm located next to the safe.
In addition to pressing charges against the assailant, the injured worker may also have a negligence claim against their employer, the property owner, and/or any security guard companies responsible for securing the premises. As in the UK, employers in the US are charged with the responsibility to protect workers from “recognized hazards” in the workplace. As such, in addition to any potential cause of action the injured employee may have, employers could also be susceptible to heavy fines if it is determined that the common risks associated with COVID-19 or risks associated with customer violence are “recognized hazards” from which they are required to protect their employees.
Additional training for retail and restaurant workers could prevent future tragedies. Training on matters such as the location and use of panic buttons and other violence hazard controls, as well as mechanisms to avoid other potential security hazards, is imperative to improving worker safety. Additional training in how to de-escalate a confrontation with an angry customer could prevent future workplace violence. Further, the implementation of the directives and guides issued by OSHA related to the pandemic would also potentially limit an employer’s potential liability.
Cybersecurity risk – a UK perspective
UK retail companies are subject to a wide range of legal and regulatory obligations relating to cybersecurity and data protection. Failure to comply with these obligations can result in serious financial consequences to the company (and by extension, insurers).
The nature of online retail transactions necessitates the processing of personal data. Customers may input their payment card details, along with their name, email address, telephone number and postal address on the payment page of a retailer’s e-commerce website. In these circumstances, the retailer will usually find itself acting as a data controller in respect of its customers’ personal data.
A data controller is the entity that decides the purpose and means of processing personal data and is subject to Article 5(1)(f) of the UK GDPR, which sets out the principle of “integrity and confidentiality”, also known as the security principle. This requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
A personal data breach involving financial personal data (such as customer payment card details) is likely to trigger legal notification obligations under UK GDPR to both the regulator (the ICO) and the affected customers. As many UK-based retailers with online shops allow shipping to other countries, there is also the potential that the breach will trigger multi-jurisdictional notification obligations to other data protection authorities and customers around the globe.
Retailers that process card payments will be aware that, in addition to UK GDPR, they also need to comply with the Payment Card Industry Data Security Standard (PCI DSS) rules, the security standard designed to ensure the protection of cardholders’ data and to minimise card fraud. If a personal data breach involves cardholder data, the retailer may find itself facing not only an ICO investigation (and potential fine) but also a PCI investigation (and potential fine).
Furthermore, the ICO has indicated that when deciding on regulatory action (including the issuing of a monetary penalty), it will take a breach of applicable PCI DSS standards into account. It has been widely reported that this impacted the decision of the ICO against Ticketmaster, which was fined £1.25 million in November 2020 for a personal data breach involving the harvesting of payment card data from its website.
The ICO found that Ticketmaster failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot (hosted by a third party) installed on its online payment page. The ICO also considered that Ticketmaster had failed to comply with PCI DSS as the chat-bot was connected to the cardholder environment and therefore should have met PCI DSS requirements.
It is paramount that UK retail companies with an e-commerce site take steps to ensure that the security measures they have in place meet the standards set by both UK GDPR and PCI DSS. They should also check the terms of their cyber policies to ensure there is the necessary coverage.
Cybersecurity risk – a US perspective
Following a number of high-profile, high-exposure retail data breaches in the US – particularly the 2013 Target breach – payment card security technology has significantly advanced. But while this improved technology has led to a decrease in card-present fraud, threat actors are now targeting card-not-present transactions to gain access to consumer data.
In the aftermath of the Target breach, as well as a shift of liability for payment-card fraud from banks to merchants, chip-and-pin technology was widely adopted in the US. That technology uses full end-to-end encryption during card-present transactions, adding a much needed layer of security. A 2019 Visa report stated that 75% of US stores accepted chip cards, marking a 771% increase since the beginning of their use in the US. Additionally, US merchants that have implemented the chip upgrade on their point-of-sale devices saw a 76% drop in counterfeit payment fraud since the transition to chip-and-pin technology in the US.
Despite the uptake of chip-and-pin security for card-present transactions, the increase in online shopping and card-not-present transactions poses a new risk. “Card-not-present” refers to purchases where the physical presentation of a payment card is not required, such as online and phone transactions. Card-not-present fraud rose from US$4 billion in 2016 to a staggering US$7.2 billion in 2020. A 2020 study estimates that retailers will lose approximately US$130 billion due to card-not-present fraud by 2023.
Given the threat of costly class action litigation following a cybersecurity incident, as well as the promulgation of new privacy laws in various states, retailers are advised to protect themselves by carefully reviewing and updating their cyber and privacy policies and procedures to address emerging threats and risks, and to closely monitor their compliance with applicable laws and regulations. Retailers should also carefully consider cyber insurance coverage, which can provide crucial technical and financial support in the event of a cyber or privacy incident and access to an immediate 24/7 legal team, such as our crisis management service.
Data breaches in both the UK and US have generated extensive attention from the media and the regulators, such as the ICO. Retailers are therefore faced with both reputational risk and a financial hit in relation to such breaches.
Retail is increasingly moving online, a trend that has been accelerated by the impact of the pandemic. Regardless of retailers’ pre-COVID-19 business models, when physical shops closed, there was an increased demand for online customer experiences, which in turn has driven an increase in cybersecurity risks. This trend looks set to stay as consumers have got used to e-commerce, and many physical shops have not re-opened. Now, more than ever, retailers must tackle the challenge of online fraud and cybercrime.
The COVID-19 pandemic has also resulted in the levels of abuse directed at retail workers soaring, despite such employees being recognised as essential ‘key workers’. Employers have a duty to keep their employees safe, and failing to do so could lead to both legal action and reputational damage due to complaints and/or comments being shared on social media.