Print Page  |  Close Window

SEC Filings

S-1/A
CHIPOTLE MEXICAN GRILL INC filed this Form S-1/A on 12/23/2005
Entire Document
 << Previous Page | Next Page >>

enforcement authorities and have been cooperating in their investigation. While to date we have not discovered conclusive evidence that a theft occurred, we identified some store practices that may have made information systems at our stores vulnerable during periods before August 2004. Notably, without our knowledge, the card processing software we used inadvertently retained credit and debit card "Track 2" data, consisting of, among other items, the customer's name, card number, card expiration date and card verification number. In addition, the internet gateways on our computers in some stores may not have been fully secure at all times. As a result, outside parties may have gained access to stored information. We began accepting credit cards in 1999, and it is possible that all of the cards we processed since then may have been vulnerable. In the three months prior to being notified of the problem, we processed between 1.3 million and 1.5 million credit and debit card charges each month.

        To date, we have received claims through the acquiring bank with respect to fewer than 2,000 purportedly fraudulent credit and debit card charges allegedly arising out of this matter in an aggregate amount of about $1.2 million. We've also incurred $1.3 million of expense in connection with fines imposed by the Visa and MasterCard card associations on the acquiring bank. In 2004, we recorded charges of $4.0 million to establish a reserve for claims seeking reimbursement for purportedly fraudulent credit and debit card charges, the cost of replacing cards, monitoring expenses and fees, and fines imposed by Visa and MasterCard. All of the reimbursement claims are being disputed, although we've not formally protested all of the charges. At November 30, 2005, after charging these expenses against the reserve, the remaining reserve was $1.9 million, which does not take into account a fine of $0.4 million assessed by MasterCard in December 2005 that we expect to charge against that reserve. In addition to the reserve, we've also incurred about $1.5 million of additional expenses in this matter, including $1.3 million for legal fees, bringing our total expense relating to this matter to $5.5 million. We have not reserved any additional amounts to date in 2005.

        We may in the future become subject to additional claims for purportedly fraudulent transactions arising out of this matter. As long as a credit or debit card is active, fraudulent charges may be made using that card until the card's expiration date. We may also be subject to lawsuits or other proceedings by various interested parties, including banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit) and federal and state regulators. The statutes of limitation for pursuing some of these potential claims may extend for six years or more in some cases, depending on the circumstances. Moreover, the application of the law and the rules and procedures of the major card associations in these circumstances is generally untested. Any lawsuit or other proceeding will likely be complex, costly and protracted, which could in turn divert financial and management resources from execution of our business plan. We have no way to predict the level of claims or the number or nature of proceedings that may be asserted against us, nor can we quantify the costs that we may incur in connection with investigating, responding to and defending any of them. If we litigate these matters, we may not be able to defend against penalties successfully. The ultimate outcome of this matter could differ materially from the amounts we've recorded in our reserve and could have a material adverse effect on our financial results and condition. Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects.

        Despite the changes we've made to our information systems as a result of this matter, we still need to periodically upgrade our software. We rely on commercially available software and other technologies to provide security for processing and transmission of customer credit card data. About 44% of our current sales are attributable to credit card transactions, and we expect credit card usage to increase. Our systems could be compromised in the future, which could result in the misappropriation of customer information or the disruption of our systems. Either of those consequences could have a material adverse effect on our reputation and business or subject us to additional liabilities.

15


 << Previous Page | Next Page >>