AG HERRING REACHES $1.5M SETTLEMENT WITH RETAILER NEIMAN MARCUS OVER 2013 DATA BREACH

~ Over 10,000 payment cards associated with Virginia consumers involved in the breach; Virginia will receive $32,588.59 as its share from the settlement ~

RICHMOND (January 9, 2019) – Attorney General Mark R. Herring announced today that he, along with 42 other states and the District of Columbia, have reached a settlement agreement with the Neiman Marcus Group LLC (Neiman Marcus) following an investigation into the 2013 breach of customer payment card data at 77 Neiman Marcus stores across the United States. Neiman Marcus has agreed to pay $1.5 million and implement a number of policies as agreed to in the settlement. Over 10,000 payment cards involved in the breach were associated with Virginia consumers and the state's share of the settlement funds is $32,588.59.

"In this age of technology, the Neiman Marcus data breach is yet another reminder that consumers need to be vigilant when it comes to their private information,” said Attorney General Herring. "Businesses like Neiman Marcus need to put more security measures in place to protect their customers and prevent further data breaches from occurring. My team and I will continue to make sure that Virginians are protected and given the tools they need to keep their personal information safe.”

 

In January 2014, Neiman Marcus disclosed that payment card data collected at some of its retail stores had been compromised by an unknown third party.  The states' investigation determined that approximately 370,000 payment cards – 10,228 of which were associated with Virginia consumers – were compromised in the breach, which took place over the course of several months in 2013.  At least 9,200 of the payment cards compromised in the breach were used fraudulently.

In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:

• Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
• Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
• Maintaining working agreements with two, separate, qualified Payment Card Industry forensic investigators;
• Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
• Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
• Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.

# # #