01/08/2019
Conn. Leads $1.5M Settlement with Retailer Neiman Marcus over 2013 Data Breach
The Neiman Marcus Group LLC has agreed to pay $1.5 million and implement a number of policies to resolve an investigation with 43 states and the District of Columbia into the 2013 breach of customer payment card data at 77 Neiman Marcus stores in the United States, Attorney General George Jepsen and state Department of Consumer Protection Commissioner Michelle H. Seagull said today.
In January 2014, Neiman Marcus disclosed that payment card data collected at certain of its retail stores had been compromised by an unknown third party. The states' investigation determined that approximately 370,000 payment cards – 3,016 of which were associated with Connecticut consumers – were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the payment cards compromised in the breach were used fraudulently.
"Retailers have a responsibility under Connecticut law to keep consumer information safe and to make accurate representations to consumers through their privacy policies about the security of the personal information they collect," said Attorney General Jepsen. "All retailers need to take this responsibility seriously. I'm pleased to have resolved this matter with Neiman Marcus, and I'm hopeful that the reforms included in this settlement will prevent another similar breach of consumer information in the future."
"While consumers need to work harder than they've had to in the past to keep their information safe, businesses also need to play a role," said Commissioner Seagull. "Businesses have a responsibility to ensure the safety of their customers' information by maintaining and improving their security systems. I am pleased that we have reached an agreement, and hope that more businesses will proactively work to protect consumer information."
Connecticut co-led the multistate investigation with the Illinois Attorney General's Office. As a leading state, Connecticut's share of the settlement funds is $102,574.09, which will be deposited in the state's General Fund.
In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:
• Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
• Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
• Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
• Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
• Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
• Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.
Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.
Assistant Attorneys General Michele Lucan, John Neumon and Jeremy Pearlman, head of the Privacy and Data Security Department, assisted the Attorney General with this matter.
###
Media Contacts:
Office of the Attorney General:
Jaclyn M. Severance
jaclyn.severance@ct.gov
860-808-5324 (office)
860-655-3903 (cell)
Department of Consumer Protection:
Lora Rae Anderson
lorarae.anderson@ct.gov
860-713-6019 (office)
Consumer Inquiries:
860-808-5318
attorney.general@ct.gov
Social Media:
Facebook: Attorney General George Jepsen
Twitter: @AGJepsen