In order to end an investigation into the 2013 breach of customer payment card data at 77 U.S. stores, Neiman Marcus has agreed to pay $1.5 million to 43 states and the District of Columbia, including New Jersey, attorneys general across the country announced Tuesday.
New Jersey’s share of the settlement in $57,465, according to a release from the state Attorney General’s Office.
“As more shoppers choose to go cashless, it becomes even more important for businesses to properly safeguard the databases they use to store consumers’ personal information,” Attorney General Gurbir Grewal said in a statement, noting that Deputy Attorney General Elliott M. Siebers handled the matter. “We’re gratified to have been part of the multi-state Executive Committee that played a role in achieving this outcome on behalf of consumers both here in New Jersey and across the country.”
Texas-based Neiman Marcus disclosed the data breach in January 2014, saying payment card information at certain stores had been compromised by an unknown third party. The states’ investigation determined that approximately 370,000 payment cards were involved, and at least 9,200 of the total payment cards compromised in the breach were used fraudulently, according to the attorneys general.
In addition to the money, Neiman Marcus has agreed to a series of changes intended to prevent similar breaches in the future. Those include working agreements with two separate forensic investors, updating all software involved in payments, reviewing industry-accepted technologies and encrypting payment card information.
Asked for comment on the settlement, the company sent this statement: “We are pleased this matter is now resolved.”
Connecticut Attorney General George Jepsen, whose office took a lead role in the matter, said in a news release, “Retailers have a responsibility under Connecticut law to keep consumer information safe and to make accurate representations to consumers through their privacy policies about the security of the personal information they collect.”
Connecticut co-led the multijurisdiction investigation along with the Illinois Attorney General’s Office, and Connecticut’s share of the settlement funds is $102,574.
Several other state attorneys general applauded the settlement.
“New Yorkers deserve to shop with confidence, which includes trusting that their personal information will be protected,” New York Attorney General Letitia James said in a news release. “With the monetary settlement and the implementation of several new data security policies, this marks a significant win for those who shop in New York. This office will continue its commitment to combat inadequate data security in the state of New York.”
Texas Attorney General Ken Paxton said his state law requires businesses to “maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure.” Paxton added, “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”
“When a retailer collects and retains credit card information, they owe a duty to their customers,” Georgia Attorney General Chris Carr said in a release. “We will remain vigilant in working with public and private sector partners to protect Georgia consumers and their personal information.”