Walmart will soon begin testing a grocery delivery program that uses autonomous vehicles, the retailer announced November 10. The pilot program, a partnership with California-based driverless car company Cruise LLC, will send grocery orders directly to customers in Cruise’s electric, self-driving cars.
The program, set to launch in Scottsdale, Arizona early next year, builds on an express delivery service Walmart rolled out in April, which is now available at more than 2,800 stores.
It is one of many high-tech transformations being made in the restaurant and food retail industry as businesses adapt to an increasingly contactless society. In Highland Falls, New York, Chipotle recently opened its first digital restaurant, consisting only of a lobby for food pick-up. The chain’s new Digital Kitchen will take orders exclusively through its website, app or third-party delivery partners.
Though COVID-19 precautions have necessitated a greater digital presence for businesses,1 the announcements from both Walmart and Chipotle are likely part of a trend that was well underway prior to the pandemic, said Steele Hutto, Broker, Burns & Wilcox Brokerage, Nashville, Tennessee. “The pandemic has expedited these changes, but more and more companies are starting to think this way,” he said.
Reliance on tech definitely complicates things from a liability standpoint—particularly from a cyber liability standpoint, considering how a potential hacking incident could interrupt business operations.
Increased reliance on online platforms comes with its own set of risks and related need for protection. “Reliance on tech definitely complicates things from a liability standpoint—particularly from a cyber liability standpoint, considering how a potential hacking incident could interrupt business operations,” Hutto said.
Companies and the consultants advising them have to be forward-looking, said Rahmad Bauldrick, Director, Regional Practice Group Leader, Professional Liability, Burns & Wilcox, Chicago, Illinois. “Anytime there is a change in the landscape of a business, its cybersecurity plan must also change in response,” he said.
Revenue, reputation on the line following a network breach
Cyberattacks are a growing threat, increasing dramatically in the U.S.2 and Canada3 during the coronavirus pandemic. Any company that stores customers’ personal information, such as credit card numbers, health information, names or addresses, is exceptionally vulnerable to a breach and should be protected by Cyber and Privacy Liability Insurance, Hutto said. This type of insurance can help with costs following a breach, such as breach coach and forensic investigations expenses, notifying customers and getting a business back online quickly. It can also help pay ransoms demanded in a ransomware attack, credit monitoring fees for affected customers, regulatory fines and the costs of any breach-related lawsuits.
“Cyber and Privacy Liability Insurance is an essential investment for any business, and is relatively inexpensive compared to the full cost of a network breach,” Hutto explained. “If the personal information held by a business gets into the wrong hands, there is a cost to address the breach but also liability regarding the compromised information. If it is a major breach, class-action lawsuits could be filed.”
In 2020, the average cost of a data breach reached $8.64 million in the U.S.4 and $6.35 million in Canada.5 Cyberattacks can disrupt a company’s digital infrastructure for days at a time, making business interruption coverage an important component of a Cyber and Privacy Liability Insurance policy. A digital-only restaurant, for example, could forfeit days of revenue, incur extra expenses to sustain operations and even have trouble repairing its reputation after a breach, Hutto said.
“A Cyber and Privacy Liability Insurance policy has business interruption built into it,” he said. “Lost income from being unable to operate could create big problems. From a reputation and public relations standpoint, if a business fails to safeguard others’ data and implement adequate security controls, it might affect it customers’ confidence in that business.”
Cyberattacks could lead to bodily injury, other risks
Coverage for Third-party Lawsuits, Business Interruption and Extra Expense Losses, and Cyber Crime and Social Engineering are some key protections that companies may wish to include in their Cyber and Privacy Liability Insurance policies, as the implications of a cyberattack can be far-reaching. “A plausible scenario could be a hack that interferes with a food product’s listed ingredients online, for example, and someone is allergic to an ingredient, that could be a bodily injury exposure,” Hutto said.
Businesses that use third-party data storage providers can be held liable for breaches of those services’ networks. Cyber and Privacy Liability Insurance policies can include coverage for costs related to these types of breaches, Hutto explained. “Regardless of what cloud storage system it uses, a business will still be considered responsible for safeguarding its customers’ data.”
If a business rolls out a cybersecurity plan and the consultant missed something, or gave misleading or incorrect advice, the liability for a data breach and the costs associated with that breach could fall back on the consultant.
Greater awareness of cyber-related risks has prompted more companies to invest in Cyber and Privacy Liability Insurance, especially as Commercial General Liability (CGL) Insurance policies and others increasingly exclude cyber liability, but some businesses still do not recognize the threat. “Every business needs this insurance,” Hutto said. Smaller businesses are popular targets for hackers and typically the least able to absorb the expense and reputational challenges of a network breach.
Bauldrick agreed: “In this digital world, a business without this coverage really opens themselves up to the possibility of going bankrupt.”
Tech consultants face liability risks for data breaches
Technology consulting firms that establish or monitor a company’s cybersecurity protocols could also be held responsible in the event of a breach — a point underscored by two recent court rulings that did not release consultants for Marriott International Inc. and Capital One Financial Corp. from liability after those companies experienced large-scale network breaches.
A U.S. District Court judge ruled in October that Accenture Plc, the cybersecurity consultant for Marriott, must face consumer claims over a 2018 hack that exposed up to 500 million guests’ data.6 In June, a judge ruled that consumers suing Capital One after a 2019 cloud hack exposed 100 million customers’ data7 could be permitted access to a post-hack report by Capital One’s consultant, cybersecurity firm Mandiant.
Companies working with clients on digital ordering systems, delivery services or other programs should obtain Errors & Omissions (E&O) Insurance, Bauldrick said. This insurance generally covers errors, negligence, misrepresentation and inaccurate advice.
A consultant advising a client through a major change, such as a shift to deliveries by autonomous vehicles, should evaluate their current information technology infrastructure for its sustainability or capability to adapt to that new system, Bauldrick explained. “Consultants will assess whether a client has a comprehensive plan ready to combat a variety of threats and how well it is equipped to monitor its infrastructure,” he said. “A consultant’s agile reaction to these changes will have a great impact as a company evolves in an effort to keep up with the times.”
E&O Insurance is critical for consultants in order to protect their assets in the event of a lawsuit, Bauldrick said. “COVID-19 has placed us all in the digital age, whether or not we were ready or willing,” he said. “If a business rolls out a cybersecurity plan and the consultant missed something, or gave misleading or incorrect advice, the liability for a data breach and the costs associated with that breach could fall back on the consultant.”
Businesses must stay ahead of the curve on newer risks that are happening and make sure they have the most robust coverage available. A policy that was adequate three years ago may not be appropriate today, just because things change so rapidly.
Consulting firms can be proactive by reviewing their contracts and hold-harmless agreements with clients and ensuring the cybersecurity plans they provide are clear, concise and match the ever-evolving cyber risk environment, Bauldrick said. “Consultants should make sure that the companies they represent are being diligent with training their employees on proper procedures and the necessary precautions that should be taken when collecting and storing customer data,” he added.
Navigating insurance needs amid industry changes
Beyond Cyber and Privacy Liability Insurance, businesses’ needs for Employment Practices Liability Insurance (EPLI), Directors & Officers (D&O) Insurance, Commercial Property Insurance, Commercial General Liability Insurance, Workers’ Compensation Insurance and Business Auto Insurance can also be impacted when they introduce new technology or services, depending on the details of their operation.
A knowledgeable broker who is familiar with the industry can help business owners understand the different insurance products and which are needed, Hutto said. “Businesses must stay ahead of the curve on newer risks that are happening and make sure they have the most robust coverage available,” Hutto emphasized. “A policy that was adequate three years ago may not be appropriate today, just because things change so rapidly. Partner with a good broker who understands the marketplace and the carriers—there are dozens of carriers offering Cyber and Privacy Liability Insurance, but they are not all created equal.”
It is vital that companies not only have the right policy to address their coverage needs, but also an adequate amount of insurance.
Risk management cannot be overlooked. Businesses, including restaurants and food retail companies, need a strong cybersecurity posture, Hutto said. “Invest in insurance protection for the risk transfer, but also implement all possible security measures,” he said. “Good cybersecurity measures are essential, and can ultimately lower premiums.”
Risk management strategies go hand in hand with insurance, Bauldrick added. “It is vital that companies not only have the right policy to address their coverage needs, but also an adequate amount of insurance.”
Sources 1 Rios, Luis Jorge. “How Covid-19 Is Accelerating Digital Transformation for Small and Medium Businesses.” Entrepreneur, September 18, 2020. 2 Sheng, Ellen. “Cybercrime ramps up amid coronavirus chaos, costing companies billions.” CNBC, July 29, 2020. 3 Canadian Internet Registration Authority. “New survey finds one-quarter of Canadian organizations targeted with a COVID-19 themed cyber-attack.” GlobeNewswire, October 6, 2020. 4 Clement, J. “Average organizational cost to a business in the United States after a data breach from 2006 to 2020.” Statista, August 27, 2020. 5 Shekar, Shruti. “Cost of data breaches in Canada up 6.7% in 2020.” Yahoo! Finance, August 5, 2020. 6 Perlroth, Nicole; Tsang, Amie; and Satariano, Adam. “Marriott Hacking Exposes Data of Up to 500 Million Guests.” New York Times, November 30, 2018. 7 Flitter, Emily; and Weise, Karen. “Capital One Data Breach Compromises Data of Over 100 Million.” The New York Times, July 29, 2019.
