ITEM 4. CONTROLS AND PROCEDURES
We maintain disclosure controls and procedures (as defined in Rule 13a-15(e) promulgated under the Securities Exchange Act of 1934, as amended (the “Exchange Act”)) that are designed to ensure that information required to be disclosed in Exchange Act reports is recorded, processed, summarized and reported within the time periods specified in the Securities and Exchange Commission’s rules and forms, and that such information is accumulated and communicated to our management, including our Chief Executive Officer and Chief Financial Officer, as appropriate, to allow timely decisions regarding required disclosure.
As of June 30, 2017, we carried out an evaluation, under the supervision and with the participation of our management, including our Chief Executive Officer and Chief Financial Officer, of the effectiveness of the design and operation of our disclosure controls and procedures. Based on the foregoing, our Chief Executive Officer and Chief Financial Officer concluded that our disclosure controls and procedures were effective as of the end of the period covered by this report.
ITEM 1. LEGAL PROCEEDINGS
For information regarding legal proceedings, see Note 7. “Commitments and Contingencies” in our notes to condensed consolidated financial statements included in Item 1. “Financial Statements”.
ITEM 1A. RISK FACTORS
There have been no material changes in our risk factors since our annual report on Form 10-K for the year ended December 31, 2016, except as set forth below.
We may be harmed by security risks we face in connection with our electronic processing and transmission of confidential customer and employee information.
We accept electronic payment cards for payment in our restaurants. During 2016 approximately 70% of our sales were attributable to credit and debit card transactions, and credit and debit card usage could continue to increase. A number of retailers have experienced actual or potential security breaches in which credit and debit card information may have been stolen, including a number of highly publicized incidents with well-known retailers in recent years.
In April 2017, our information security team detected unauthorized activity on the network that supports payment processing for our restaurants, and immediately began an investigation with the help of leading computer security firms. We also self-reported the issue to payment card processors and law enforcement. Our investigation detected malware designed to access payment card data from cards used at point-of-sale devices at most Chipotle restaurants, primarily in the period from March 24, 2017 through April 18, 2017. We have removed the malware from our systems and continue to evaluate ways to enhance our security measures. However, we expect to be subject to payment card network assessments and may incur regulatory fines or penalties, for which our insurance coverage is limited and the amount of which may be material, in connection with this matter.
A number of lawsuits have also been filed against us in connection with this incident, as further discussed in Note 7. “Commitments and Contingencies” within Item 1. “Financial Statements”, and we may be subject to additional lawsuits or other proceedings in the future relating to the incident or any future incidents in which payment card data may have been compromised. Proceedings related to theft of credit or debit card information may be brought by payment card providers, banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit), or federal and state regulators. Any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses. Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects.
We are also required to collect and maintain personal information about our employees, and we collect information about customers as part of some of our marketing programs as well. The collection and use of such information is regulated at the federal and state levels, by the European Union and its member states, and the regulatory environment related to information security and privacy is increasingly demanding. At the same time, we are increasingly relying on cloud computing and other technologies that result in third parties holding significant amounts of customer or employee information on our behalf. We have seen an increase over the past several years in the frequency and sophistication of attempts to compromise the security of several of these systems. If the security and information systems that we or our outsourced third party providers use to store or process such information are compromised or if we, or such third parties, otherwise fail to comply with these laws and regulations, we could face litigation and the imposition of penalties that could adversely affect our financial performance. Our reputation as a brand or as an employer could also be adversely affected from these types of security breaches or regulatory violations, which could impair our sales or ability to attract and keep qualified employees.