WASHINGTON, D.C. – Attorney General Karl A. Racine today announced that The Neiman Marcus Group LLC will pay $1.5 million and implement several policies to resolve a multistate investigation into a 2013 data breach that exposed its customers’ personal financial information. The breach affected 4,517 customers in the District. Pursuant to the agreement, Neiman Marcus will be required to strengthen its security protocols for customers’ payment card information. Neiman Marcus will also pay the District $14,695.77 as part of the settlement. In total, 43 states plus the District joined the settlement.
Neiman Marcus is a Dallas-based chain of high-end department stores. In January 2014, the company disclosed that payment card data collected at 77 of its retail stores in the United States had been compromised by an unknown third party.
The states' investigation determined that information from approximately 370,000 payment cards was compromised in the breach, which took place over the course of several months in 2013. The investigation revealed that criminals went on to commit fraud using at least 9,200 of the payment cards compromised in the breach.
Settlement
As part of the multistate settlement, Neiman Marcus is required to put in place certain measures to prevent similar breaches in the future, including:
- Strengthening payment card security protocols: The retailer will now comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. The PCI DSS is an industry standard for properly handling data and auditing a retailer’s data security protocols, first created by the major credit-card companies in the mid-2000s.
- Improving its Information Technology (IT) network monitoring: Neiman Marcus will implement a system to collect and monitor its IT network activity. The system will ensure that company staff regularly and promptly review network activity logs for suspicious behavior that might indicate a compromise of customer data.
- Updating security software: Neiman Marcus will update all software associated with maintaining and safeguarding its customers’ personal information. The company will also create written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date.
- Obscuring payment card information to limit exposure: Neiman Marcus will use technologies like encryption and tokenization to obscure payment card data and minimize the ability of its staff or outside parties to view and capture consumers’ actual payment card numbers.
- Retaining independent professionals to assess the company’s security protocols: Neiman Marcus is also required to retain an independent professional to conduct an information security assessment of the company and issue a report. The independent professional will detail any corrective actions that the company may have taken or plans to take as a result of the third-party report. The retailer will also establish and maintain agreements with at least two forensic investigators certified by the payment card industry to detect potential security weaknesses and breaches.
The multistate settlement with Neiman Marcus is available at: http://oag.dc.gov/sites/default/files/2019-01/Neiman-Marcus-AVC.PDF
Resources to Protect Your Personal Information
If you believe you may have been the victim of a data breach or that your personal information has been compromised in some way, report it to OAG’s Office of Consumer Protection by calling our Consumer Protection Hotline at 202-442-9828 or submit a complaint online on our Consumer Protection Page. For more information on how to protect your personal information, read our online privacy and identity theft consumer protection resources.