Print Page  |  Close Window

SEC Filings

CHIPOTLE MEXICAN GRILL INC filed this Form 10-K on 02/08/2018
Entire Document
 << Previous Page | Next Page >>

In April 2017, our information security team detected unauthorized activity on the network that supports payment processing for our restaurants, and immediately began an investigation with the help of leading computer security firms.  We also self-reported the issue to payment card processors and law enforcement.  Our investigation detected malware designed to access payment card data from cards used at point-of-sale devices at most Chipotle restaurants, primarily in the period from March 24, 2017 through April 18, 2017.  We have removed the malware from our systems and continue to work to enhance our security measures. However, we expect to be subject to payment card network assessments and may incur regulatory fines or penalties, for which our insurance coverage is limited, and as a result, we recorded a $30 million estimated liability. We may ultimately be subject to liabilities greater than or less than the amount accrued. See Note 10. “Commitments and Contingencies” included in Item 8. “Financial Statements and Supplementary Data,” for further discussion of potential liabilities and pending litigation filed against us in connection with this incident.

We may be subject to additional lawsuits or other proceedings in the future relating to the incident or any future incidents in which payment card data may have been compromised.  Proceedings related to theft of credit or debit card information may be brought by payment card providers, banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit) and federal and state regulators. Any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses. Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects.

We also are required to collect and maintain personal information about our employees, and we collect information about customers as part of some of our marketing programs as well. The collection and use of such information is regulated at the federal and state levels, and by the European Union and its member states, and the regulatory environment related to information security and privacy is increasingly demanding. For example, a new privacy regulation in the European Union called the General Data Protection Regulation, or GDPR, is scheduled to become effective in May 2018 and requires companies to meet new requirements regarding the handling of personal data, including its use, protection and the ability of persons whose data is stored to correct or delete such data about themselves. Failure to meet GDPR requirements could result in penalties of up to 4% of worldwide revenue. At the same time, we are relying increasingly on cloud computing and other technologies that result in third parties holding significant amounts of customer or employee information on our behalf. We have seen an increase over the past several years in the frequency and sophistication of attempts to compromise the security of several of these systems. If the security and information systems that we or our outsourced third party providers use to store or process such information are compromised or if we, or such third parties, otherwise fail to comply with these laws and regulations, we could face litigation and the imposition of penalties that could adversely affect our financial performance. Our reputation as a brand or as an employer could also be adversely affected from these types of security breaches or regulatory violations, which could impair our sales or ability to attract and keep qualified employees.

If we experience a significant failure in or interruption of certain key information technology systems, our business could be adversely impacted.

We use a variety of applications and systems to securely manage the flow of information within each of our restaurants, and within our centralized corporate infrastructure. The services available within our systems and applications include restaurant operations, supply chain, inventory, scheduling, training, human capital management, financial tools, and data protection services. The restaurant structure is based primarily on a point-of-sale system that operates locally at the restaurant and is integrated with other functions necessary to restaurant operations. It records sales transactions, receives out of store orders, and authorizes, batches, and transmits credit card transactions. The system also allows employees to enter time clock information and to produce a variety of management reports. Select information that is captured from this system at each restaurant is collected in the central corporate infrastructure, which enables management to continually monitor operating results.  Our ability to efficiently and effectively manage our business depends significantly on the reliability and capacity of these and other systems, and our operations depend substantially on the availability of our point-of-sale system and related networks and applications.  These systems may be vulnerable to attacks or outages from security breaches, viruses and other disruptive problems, as well as from physical theft, fire, power loss, telecommunications failure or other catastrophic events. Any failure of these systems to operate effectively, whether from security breaches, maintenance problems, upgrades or transitions to new platforms, or other factors could result in interruptions to or delays in our restaurant or other operations, adversely impacting the restaurant experience for our guests or negatively impacting our ability to manage our business. If our information technology systems fail and our redundant systems or disaster recovery plans are not adequate to address such failures, or if our business interruption insurance does not sufficiently compensate us for any losses that we may incur, our revenues and profits could be reduced and the reputation of our brand and our business could be materially adversely affected. In addition, remediation of any problems with our systems could result in significant, unplanned expenses.




 << Previous Page | Next Page >>