New Court Cases Show Liability for Security Lapses Can Go Beyond What Retailers Might Expect


Three recent verdicts exemplify the importance of proactive security, as plaintiff’s attorneys often find ways around efforts to limit liability. In one case, after an employee assault on a coworker, a retailer learns it must face a lawsuit without its insurance carrier. In another, a state Supreme Court issues a verdict that reflects a growing intolerance for employer security breaches involving employee data. Lastly, despite a favorable ruling in the US Supreme Court, retailers learn they can still be on the hook for time that workers spend in post-shift anti-theft security lines.

Case 1. When Insurance Protection Fails

When prevention fails, and workers are hurt on the job, retailers often hope to mitigate their losses through liability limits afforded under state workers’ compensation schemes or company insurance policies. In many cases, they keep losses in check; but, as a recent case in Texas suggests, protection sometimes has gaps.

Workers’ compensation usually provides employees an exclusive remedy for injuries sustained on the job, including injuries caused by on-the-job violence. Under certain circumstances, however, laws allow employees to sue their employer for injuries that were intentionally inflicted or due to the employer’s negligence. Some of the possible legal rationales under which a retailer might be sued or face penalties for violence-related injuries sustained by employees include: foreseeable violence, sexual harassment, and negligent hiring, retention, training, and supervision.

- Sponsors -

Kent Distributors, a convenience store chain in Texas, faces just such a lawsuit. A store clerk sued the retailer, claiming that another Kent employee from a different store attacked and sexually assaulted her while she locked the store at closing time. The worker alleged that Kent negligently hired, retained, trained, and supervised its employees; failed to identify the threat posed by the employee; failed to warn her of the threat; failed to correct the dangerous condition; and that she sustained physical and mental injuries as a result.

Still, the retail chain probably hoped to limit financial harm from the incident. It had purchased two liability policies from United Fire and Casualty Company, a commercial general liability policy and a commercial liability umbrella policy. Hit with the lawsuit, the retailer turned to its insurer to defend it in court and to indemnify it under those policies.

United initially agreed to defend Kent but later denied coverage and withdrew from the defense, asserting that the employee’s claims against the retailer were excluded from coverage under both insurance policies. Kent then sued the insurance carrier.

In its verdict in January, the Fifth Circuit affirmed that United had no duty to defend or indemnify the retailer in the lawsuit, agreeing with a Texas federal judge that the worker’s claims fall within policy exclusions. The first, the Employer’s Liability Exclusion, excluded coverage for an employee’s “bodily injury” suffered during employment or while “performing duties related to the conduct of” the business. The second, the Texas Abuse or Molestation Exclusion, excluded coverage for molestation or actual or threatened abuse of anyone in Kent’s “care, custody, or control,” or arising out of Kent’s negligence in the employment, investigation, supervision, or retention of the alleged assailant.

The retailer tried to argue that the assaulted worker did not specifically allege “abuse” or “molestation,” and that it was unclear if she had finished her work duties at the time of the attack. However, on both points, the Fifth Circuit court concluded that the facts alleged “unambiguously exclude coverage under Kent’s insurance policies.” (United Fire and Casualty Company v. Kent Distributors, Incorporated, United States Court of Appeals for the Fifth Circuit, Case No. 18-50134, Jan. 11, 2019.)

Case 2. An Employer’s Duty to Protect Employee Data

On the issue of data breaches involving employee data, several courts have held the risk of future harm is insufficient to give workers the standing to sue. This view has shielded employers from expensive class action claims in the past. However, a new ruling by the Pennsylvania Supreme Court suggests the tide may be turning in favor of employee victims.

In Dittman et al. v. University of Pittsburgh Medical Center, the Court reversed two lower court decisions and concluded that employers have an affirmative legal responsibility to protect the confidential information of their employees. The justices ruled that by collecting and storing employees’ personal information as a pre-condition to employment, employers had the legal duty to take reasonable steps to protect that information from a cyberattack (Case No. 43 WAP 2017, Nov. 21, 2018).

Some legal analysts suggest the case could be a watershed. “The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer,” according to a research note by the Privacy and Data Security Group at labor law firm Ballard Spahr LLP. “This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law.”

The firm expects to see a spike in data breach-related claims brought in Pennsylvania courts and under Pennsylvania negligence law, and that entities that operate in Pennsylvania or collect personal information about Pennsylvania residents need to review the reasonableness of their current cybersecurity policies and procedures to protect personal information from unauthorized access or acquisition.

Case 3. Security Screenings and Compensated Time

Following eight years of litigation, in 2014, the US Supreme Court ruled that a staffing company’s employees, working in Amazon warehouses, were not entitled to be paid for the time they spent in anti-theft security lines at the end of their shifts. That did not end the matter, however.

The Sixth Circuit Court of Appeals revived the workers’ claims under Nevada law because time undergoing a security screening is compensable according to that state’s wage law. The court noted that some state laws don’t apply the same test as federal law when determining whether certain time at the workplace is considered work time that must be compensated. So, Amazon and its staffing company may have to pay warehouse workers for their time going through anti-theft security screenings at the end of their shifts, the federal appeals court ruled.

“Employers must carefully scrutinize the interplay between applicable federal and state laws to ensure they are in compliance,” said Elayna Youchah, an attorney with the law firm Jackson Lewis, in an analysis of the verdict. (Busk v. Integrity Staffing Solutions, 6th Cir., No. 17-5784, Sept. 19, 2018.)

Stay Updated

Get critical information for loss prevention professionals, security and retail management delivered right to your inbox.