Neiman Marcus Agrees To Pay $1.5M To Settle Payment Card Breach

Maryland Attorney General Brian Frosh announced Tuesday (Jan. 8) that his office, along with 42 other state attorneys general, has settled with Neiman Marcus over a 2013 breach of customer payment card data at 77 of the retailer’s stores.

In a press release, the Maryland AG said Neiman Marcus agreed to pay $1.5 million and put policies in place to resolve the litigation that involved the investigation of multiple states.

According to Frosh, the data breach, which lasted for several months in 2013, compromised the names and payment card data that Neiman Marcus collected at retail stores around the country. The states’ investigations determined that around 370,000 payment cards were breached, including 8,323 associated with consumers in the state of Maryland. Of the cards that were breached, at least 9,200 were used for fraudulent purposes, the Maryland AG said in the press release.

“Businesses that collect and hold consumers’ payment card data have a responsibility to make sure that data is protected from hackers,” said Frosh. “This settlement requires Neiman Marcus to bolster its protection of consumers’ information to prevent a breach like this from reoccurring.”

In addition to paying the $1.5 million settlement, the department store operator has agreed to take steps to prevent another breach from happening in the future. Some of those steps include complying with the Payment Card Industry Data Security Standard (PCI DSS) requirements, maintaining an appropriate system to log and monitor network activity, maintaining working agreements with two qualified payment card industry forensic investigators, updating all software associated with maintaining and safeguarding personal information, and using technologies such as encryption and tokenization to hide payment card data. Neiman Marcus also has to obtain an information security assessment and report from a third party, as well as detail all corrective actions it has taken or plans to take because of the security audit.