Neiman Marcus Agrees to $1.5 Million Penalty and Cybersecurity Improvements in Multi-State Data Breach Settlement

NJ Attorney General Gurbir Grewal announced Tuesday that New Jersey has entered into a multi-state settlement with Neiman Marcus that resolves allegations the chain failed to protect the personal information of shoppers who made in-store purchases using payment cards.

A December 2013 hacking incident targeting Neiman Marcus’s point-of-sale systems compromised account numbers, expiration dates and other personal data linked to an estimated 370,000 payment cards nationwide. Approximately 17,000 payment cards associated with New Jersey addresses were impacted by the breach.

New Jersey was part of the eight-member Executive Committee that investigated the data breach. As part of the settlement, Neiman Marcus will pay the participating states $1.5 million, of which New Jersey will receive $57,465.

In addition to the monetary terms of the settlement, Neiman Marcus has agreed to a variety of injunctive terms aimed at preventing a similar data breach in the future.

Among other terms, the department store chain must ensure that its cardholder data systems comply with the Payment Card Industry (PCI) Data Security Standard and must maintain a system for the collection and monitoring of network activity, with the capability of flagging any unusual or suspicious activity.

Neiman Marcus also must maintain up-to-date software for the storage and safeguarding of consumers’ personal information and ensure that any related software that is nearing the end of its life or its support date is either replaced or updated.

In addition, the retailer must take steps to review industry-accepted payment card security technologies relevant to its business, such as chip and PIN technology, and, where appropriate, adopt such improvements. Neiman Marcus also must maintain independence between any consultant it hires to assess its data security systems and any forensic auditor it retains to investigate a data breach.

The settlement agreement also calls for Neiman Marcus to undergo an information security assessment, which will be made available to states upon request.