Chipotle 2006 Annual Report Download - page 17

Download and view the complete annual report

Please find page 17 of the 2006 Chipotle annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 68

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68

competitors in the fast-casual and quick-service segments of the restaurant industry also emphasize lower-cost,
“value meal” menu options, a strategy we do not pursue. Our sales may be adversely affected by these products
and price competition.
Moreover, new companies may enter our markets and target our customers. For example, additional
competitive pressures have come more recently from the deli sections and in-store cafés of several major grocery
store chains, including those targeted at customers who want higher-quality food, as well as from convenience
stores and casual dining outlets. These competitors may have, among other things, lower operating costs, better
locations, better facilities, better management, more effective marketing and more efficient operations than we
have.
All of these competitive factors may adversely affect us and reduce our sales and profits.
We may have experienced a security breach with respect to certain customer credit and debit card data,
and we have incurred and may continue to incur substantial costs as a result of this matter. We may also incur
costs resulting from other security risks we may face in connection with our electronic processing and
transmission of confidential customer information.
In August 2004, the merchant bank that processes our credit and debit card transactions, which we refer to
as the acquiring bank, informed us that we may have been the victim of a possible theft of credit and debit card
data. Together with two forensic auditing firms, we investigated the alleged theft and reviewed our information
systems and information security procedures. We also reported the problem to federal law enforcement
authorities and cooperated in their investigation. While to date we have not discovered conclusive evidence that a
theft occurred, we identified some restaurant practices that may have made information systems at our restaurants
vulnerable during periods before August 2004. Notably, without our knowledge, the card processing software we
used inadvertently retained credit and debit card “Track 2” data, consisting of, among other items, the customer’s
name, card number, card expiration date and card verification number. In addition, the internet gateways on our
computers in some restaurants may not have been fully secure at all times. As a result, outside parties may have
gained access to stored information. It is possible that all of the cards we processed since we began accepting
them in 1999 may have been vulnerable. In the three months prior to being notified of the problem, we processed
between 1.3 million and 1.5 million credit and debit card charges each month.
We may in the future become subject to additional claims for purportedly fraudulent transactions arising out
of this matter. As long as a credit or debit card is active, fraudulent charges may be made using that card until the
card’s expiration date. We may also be subject to lawsuits or other proceedings by various interested parties,
including banks and credit unions that issue cards, cardholders (either individually or as part of a class action
lawsuit) and federal and state regulators. The statutes of limitation for pursuing some of these potential claims
may extend for six years or more in some cases, depending on the circumstances. Moreover, the application of
the law and the rules and procedures of the major card associations in these circumstances is generally untested.
Any lawsuit or other proceeding will likely be complex, costly and protracted, which could in turn divert
financial and management resources from execution of our business plan. We have no way to predict the level of
claims or the number or nature of proceedings that may be asserted against us, nor can we quantify the costs that
we may incur in connection with investigating, responding to and defending any of them. If we litigate these
matters, we may not be able to defend against penalties successfully. The ultimate outcome of this matter could
differ materially from the amounts we have recorded in our reserve and could have a material adverse effect on
our financial results and condition. Consumer perception of our brand could also be negatively affected by these
events, which could further adversely affect our results and prospects.
Despite the changes we have made to our information systems as a result of this matter, we still need to
periodically upgrade our software. We rely on commercially available software and other technologies to provide
security for processing and transmission of customer credit card data. During 2006 and 2005, approximately half
of our sales were attributable to credit card transactions, and we expect credit card usage to increase. Our systems
11