Attorney General James Announces $1.5M Settlement With Retailer Neiman Marcus Over Data Breach 

NEW YORK- Attorney General Letitia James today announced that the Neiman Marcus Group LLC has agreed to pay $1.5 million and implement a number of data security policies to resolve an investigation with 43 states and the District of Columbia into the 2013 breach of customer payment card data at 77 Neiman Marcus retail stores in the United States.

In January 2014, Neiman Marcus disclosed that payment card data collected at several of its retail stores had been compromised by an unknown third party. The states' investigation determined that approximately 370,000 payment cards – roughly 27,600 of which were associated with New York consumers – were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the payment cards compromised in the breach were used fraudulently.

“New Yorkers deserve to shop with confidence, which includes trusting that their personal information will be protected,” said Attorney General Letitia James. “With the monetary settlement and the implementation of several new data security policies, this marks a significant win for those who shop in New York. This office will continue its commitment to combat inadequate data security in the state of New York.”

In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two, separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.

New York’s share of the settlement payment is $58,611.60.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger.