Chipotle Provides Yet More Reminders of D&O and Food Safety Risks


If the average food safety crisis or product recall forces companies to weather a storm, Chipotle has spent the past year trying to weather a category 4 hurricane. Now months into their recovery effort, it seems they are still seeing significant storm surges.
Last week, a group of Chipotle shareholders filed a federal lawsuit accusing executives of “failing to establish quality-control and emergency-response measures to prevent and then stop food-borne illnesses that sickened customers across the country and proved costly to the company,” the Denver Post reported. The suit accuses executives, the board of directors, and managers of unjust enrichment and seeks compensation from Chipotle’s co-CEOs, while also asking for corporate-governance reforms and changes to internal procedures to comply with laws and protect shareholders.

Sales remain significantly impacted by the series of six foodborne illness outbreaks last year. The company reported in July that same-store sales fell another 23.6% in Q2, marking the third straight quarter of declines for performance even lower than analysts had predicted. The company’s stock remains drastically impacted, currently trading at about $394 compared to a high of $749 before the outbreaks came to light a year ago.

In addition to the most recent shareholder lawsuit, the bad news for directors and officers specifically has been compounded recently. Shareholder lawsuits were filed earlier this year alleging the company had misled investors about its food safety measures, made “materially false and misleading statements,” and did not disclose that its “quality controls were not in compliance with applicable consumer and workplace safety regulations.” In June, a group of shareholders sued a number of top executives for allegedly violating their fiduciary responsibilities and engaging in insider trading. Relying on insider knowledge about insufficient food safety protocols, the suit alleges that the executives sold hundreds of thousands of shares in the first half of 2015 before the food poisoning scandal was made public.

Check out previous coverage of the Chipotle crisis in the Risk Management March cover story “Dia de la Crisis: The Chipotle Outbreaks Highlight Supply Chain Risks.”

Delta Limping Back to Normalcy

After two days of cancellations due to a system-wide outage, leaving thousands of customers stranded, Delta today announced it will return to normal operation by mid-to-late afternoon. It added a caveat, however, that “a chance of scattered thunderstorms expected in the eastern U.S. may have the potential to slow the recovery.”

Delta said that by late morning on Wednesday it had canceled 255 flights while 1,500 departed. About 800 flights were canceled on Tuesday and there were around 1,000 cancellations on Monday. It also extended its travel waiver and continued to provide hotel vouchers, of which more than 2,300 were issued Tuesday night in Atlanta alone.

“The technology systems that allow airport customer service agents to process check-ins, conduct boarding and dispatch aircraft are functioning normally with the bulk of delays and cancellations coming as a result of flight crews displaced or running up against their maximum allowed duty period following the outage,” Delta said.

The company’s chief operating officer, Gil West, said on Aug. 9:

Monday morning a critical power control module at our Technology Command Center malfunctioned, causing a surge to the transformer and a loss of power. The universal power was stabilized and power was restored quickly. But when this happened, critical systems and network equipment didn’t switch over to backups. Other systems did. And now we’re seeing instability in these systems. For example we’re seeing slowness in a system that airport customer service agents use to process check-ins, conduct boarding and dispatch aircraft. Delta agents today are using the original interface we designed for this system while we continue with our resetting efforts.

Reuters reported:

Like many large airlines, Delta uses its proprietary computer system for its bookings and operations, and the fact that other airlines appeared unaffected by the outage also pointed to the company’s equipment, said independent industry analyst Robert Mann.

Critical computer systems have backups and are tested to ensure high reliability, he said. It was not clear why those systems had not worked to prevent Delta’s problems, he said.

“That suggests a communications component or network component could have failed,” he said.

The airline has not yet detailed the financial impact of the event.

Phishing: Understanding Your Cyber Adversaries

Nearly two years ago, an infamous incident occurred where stolen pictures of celebrities flooded the internet. Originally, it was thought that this was due to an iCloud vulnerability that allowed a brute force attack. But it now turns out it was because of a simple social engineering phishing hack.

Phishing usually involves sending mass emails that masquerade as legitimate communications, coming from a trustworthy source like a big bank or credit card company. The phisher seeks to trick the recipient into clicking on a link or opening an attachment that downloads malware onto the victim’s computer. The malware can then be used for criminal activity including theft of sensitive data or money. While phishers may send thousands of emails, all they need are a few or even one individual to fall for their trick to get into the IT system. It’s easy to forget that security threats aren’t always the work of sophisticated technology geniuses with malevolent intent. As in the case of the celebrity photos, the method was relatively simple. However, it still caused reputational damage.

Cyber attacks don’t appear out of nowhere. At the beginning and right through development and attack, humans are involved. Recently, we profiled half a dozen types of attackers. We call them the “Unusual Suspects.” An attack might start with the Professional working in the digital shadows seeking to make the most money possible from the damage they cause. Then you’ve got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking. There are also Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country’s government. And then there’s the Insider leaking sensitive information accidentally or on purpose with malicious intent.


These are just some of the personas BAE Systems recently identified as key threats to businesses, and without them, cybercrime can’t exist.

Wising up to phishing attacks

In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. In the aforementioned celebrity photos case, court documents said Ryan Collins, 36, of Pennsylvania, hacked more than 100 people. According to reports in the press he used email names like ‘’ and asked for password details.

With these credentials, the hacker was able to go through email accounts looking for photos and videos, managing to get into around 50 iCloud accounts and 72 Gmail accounts mostly belonging to celebrities. It’s quite easy to imagine the damage hackers could cause if they got hold of corporate emails – think of the damage the 2014 Sony hack inflicted.

You can’t patch a human

Employees will always be a weak spot, and clever social engineering is leading to more examples of how this weakness can be exploited. The effects can be devastating. For example: a company that collects credit card data from its customers is at risk of a major data breach from a single employee clicking on an email leading to a website laced with malware. The financial and/or reputational damage and the related fines or compensation claims that result could be significant.

At its core, combating social engineering is a human problem that requires human solutions. In certain cases victims may violate policies, but it may often be the case that the rules or training were not clear enough for the employee to know they were doing something that could have serious consequences. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.

To mitigate against social engineering attacks, there needs to be security awareness and culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk from social engineering and what role they have in preventing it. Remember, this all has to be done in tandem with putting the right technology in place.

Defeating the Unusual Suspects

Defending against cyber threats is all well and good, but what about catching these Unusual Suspects? This is difficult, because they use sophisticated tactics to escape detection–they are located all over the world, and use secure software to escape detection and remain anonymous, often routing communications through multiple countries to avoid being caught.

Fortunately, this is a case where human fallibility is a good thing–criminals will make mistakes and leave digital fingerprints that sophisticated analytics and forensic analysis can pick up. Finally, don’t underestimate the power of human ingenuity–thanks to the efforts of security professionals, we’re finally getting to a point where the investigation of online crime is being slowly demystified and defenses put in place to mitigate the threat.

Legal Woes Highlight Dangers of the Food Industry Supply Chain


A spate of recent cases offers a clear warning for the food industry about the legal and reputational perils of not getting more serious about supply chain control.

On Monday, the U.S. Supreme Court declined to consider an appeal from Nestle, Archer Daniels Midland Co. and Cargill Inc., allowing a slave and child labor lawsuit to proceed against the three food industry giants.

Three plaintiffs claim they were trafficked from Mali as child slaves and forced to work harvesting and cultivating beans in Cote d’Ivoire, and allege that the companies aided, abetted or failed to prevent the torture, forced labor and arbitrary detention they suffered.

According to Reuters:

The plaintiffs, who were originally from Mali, contend the companies aided and abetted human rights violations through their active involvement in purchasing cocoa from Ivory Coast. While aware of the child slavery problem, the companies offered financial and technical assistance to local farmers in a bid to guarantee the cheapest source of cocoa, the plaintiffs said.

The defendants knew about the child slavery problems in the region and offered both financial and technical farming assistance to support the agriculture methods in place, the plaintiffs claim. What’s more, they say, the defendants could have used their leverage in the cocoa market to stop or limit the alleged child labor practices and failed to do so.

According to the Wall Street Journal:

Mark Theodore, a partner at Proskauer Rose, said that the ruling reinforces to companies that they need to be socially responsible employers. And while there is no way to ever completely prevent such risks, he said the ruling is a reminder to companies that they “should be monitoring and also maybe doing a little bit of introspective thinking about their own practices to avoid these things, or prevent them from happening, or to put themselves in legally defensible position if they can’t prevent them.”

In September, the Justice Department finalized a landmark conviction of the former head of the Peanut Corporation of America, who was sentenced to 28 years in prison for knowingly shipping salmonella-tainted products that sickened 714 people and killed nine. That may be the department’s first step in a new approach to taking food industry product safety more seriously, and more aggressively pursuing wrongdoing on a criminal level. The Justice Department has now opened formal investigations into the e. coli outbreak at Chipotle and the listeria outbreak at Blue Bell Creameries, both of which sickened hundreds of consumers.

The department has already signaled a broad intention to focus more efforts on individual law-breakers in corporate crimes. Now, the government appears to be showing the food industry that things are changing in terms of corporate responsibility and food safety, according to Andrew Lankler, partner at Baker Botts. Lankler told the Wall Street Journal that the Department of Justice is signaling that whatever standard the food industry thought it needed to meet for food safety, the bar is higher. “The department is going to step up enforcement in areas where they can prove they sold tainted product,” he said.

And the trouble at Chipotle shows little sign of abating. The CDC is still investigating multiple outbreaks, and the chain has now been served a subpoena as part of a criminal probe by the U.S. Attorney’s Office and the Food and Drug Administration’s Office of Criminal Investigations regarding an isolated norovirus incident in August.

A fourth lawsuit was recently filed by a customer who claims he was sickened by the same strain of e. coli linked to Chipotle, but this case dates back to July, meaning far more people may have been affected in the outbreaks. At least nine suits have been filed by customers, and Bill Marler, a food and safety litigator in Seattle, claims more are coming from the 75 Chipotle-related clients he represents.

At this week’s ICR conference, CEO Steve Ells said he is hopeful that the CDC will soon declare the restaurant’s e. coli outbreak over, adding, “we know that Chipotle is as safe as it’s ever been before.”

To that end, Chipotle announced today that it will close all of its stores on Feb. 8 to have a corporation-wide meeting with all staff regarding food safety.

But customers remain extremely wary. Indeed, while it may be an e. coli cliché, it would not at all be a stretch to say public opinion about the brand remains in the toilet, with YouGov’s BrandIndex score for the company seeing a drop equal to that of GM during its crisis.


To combat that, the company also announced plans to launch a sizable new marketing campaign to win back customers, using direct mail and traditional advertising to attempt to win back consumer confidence. As Fortune reported, executives said the campaign will attempt to provide a “detailed story of what happened” to explain to customers why they are now safe, and that it will not focus overtly on food safety, but will have “an undertone” of humility.

Chipotle’s stock dropped nearly 42% in the wake of the outbreaks, and according to an SEC filing, sales at stores open more than a year were down 30% last month. Ells and his team admitted they could not guess how much the fallout will impact 2016 financial results, but expect it will be a “messy” year. Costs are expected to go up from the marketing campaign and new food safety measures, including processing more food through centralized kitchens in an attempt to better control the conditions of ingredients.

The company darkened its outlook for Q4 results, and as Wells Fargo Securities wrote in a recent research note, “We expect CMG to point to a hard-fought and long-tailed [same-store sales] recovery across 2016, and to stress that there is still much work to be done in assessing the sizeable costs associated with the company’s supply chain overhaul.”

For more about food safety crises and product recall, check out the following articles from Risk Management:

Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot

Food Safety Updates Stalled by Funding

Maximizing Coverage for a Product Recall