Neiman Marcus has agreed to pay $1.5 million to 43 states and the District of Columbia, as well as set up new security procedures, to end an investigation into the 2013 breach of customer payment card data at 77 U.S. stores, attorneys general across the country announced Tuesday.
Texas-based Neiman Marcus disclosed the data breach in January 2014, saying payment card information at certain stores had been compromised by an unknown third party. The states’ investigation determined that approximately 370,000 payment cards were involved, and at least 9,200 of the total payment cards compromised in the breach were used fraudulently, according to the attorneys general.
In addition to the money, Neiman Marcus has agreed to a series of changes intended to prevent similar breaches in the future. Those include working agreements with two separate forensic investors, updating all software involved in payments, reviewing industry-accepted technologies and encrypting payment card information.
Asked for comment on the settlement, the company sent this statement: “We are pleased this matter is now resolved.”
“Retailers have a responsibility under Connecticut law to keep consumer information safe and to make accurate representations to consumers through their privacy policies about the security of the personal information they collect,” Connecticut Attorney General George Jepsen, whose office took a lead role in the matter, said in a news release Tuesday. “All retailers need to take this responsibility seriously.”
State Department of Consumer Protection Commissioner Michelle Seagull joined in Jepsen’s announcement. “While consumers need to work harder than they’ve had to in the past to keep their information safe, businesses also need to play a role,” Seagull said. “Businesses have a responsibility to ensure the safety of their customers’ information by maintaining and improving their security systems.”
Connecticut co-led the multijurisdiction investigation along with the Illinois Attorney General’s Office, and Connecticut’s share of the settlement funds is $102,574.09, which is to be deposited in the state’s General Fund, Jepson said.
Several other state attorneys general applauded the settlement Tuesday.
“When a retailer collects and retains credit card information, they owe a duty to their customers,” Georgia Attorney General Chris Carr said in a news release Tuesday. “We will remain vigilant in working with public and private sector partners to protect Georgia consumers and their personal information.”
“New Yorkers deserve to shop with confidence, which includes trusting that their personal information will be protected,” New York Attorney General Letitia James said in a news release. “With the monetary settlement and the implementation of several new data security policies, this marks a significant win for those who shop in New York. This office will continue its commitment to combat inadequate data security in the state of New York.”
Texas Attorney General Ken Paxton said his state law requires businesses to “maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure.” Paxton added, “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”