Office of Attorney General Maura Healey
AG Healey Joins $1.5 Million Multistate Settlement With Neiman Marcus Over 2013 Data Breach
Boston — Attorney General Maura Healey joined a $1.5 million multistate settlement by 44 attorneys general to resolve an investigation alleging that The Neiman Marcus Group LLC violated consumer protection and data security laws by failing to appropriately respond to the data breach in 2013 that impacted stores across the country. The AG’s Office secured $51,600 for Massachusetts as part of the agreement with the retailer.
In January 2014, Neiman Marcus disclosed that payment card data collected at 77 of its retail stores had been compromised as a result of a breach by unknown hackers that took place over several months in 2013. The multistate investigation determined that approximately 370,000 payment cards – 6,000 of which were used in Neiman Marcus retail stores in Massachusetts – were compromised in the breach. At least 9,200 of all payment cards compromised in the breach may have been used fraudulently.
“Through this settlement, Neiman Marcus will take several steps to protect consumers and their data,” said AG Healey. “Retailers must safeguard the financial information of their customers.”
As part of the multistate settlement, Neiman Marcus has agreed to several injunctive provisions aimed at preventing similar breaches in the future, including:
- Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
- Maintaining an appropriate system to collect and monitor its network activity and ensuring logs are regularly reviewed and monitored;
- Maintaining working agreements with two separate qualified payment card industry forensic investigators;
- Updating all software associated with maintaining and safeguarding personal information and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
- Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
- Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.
Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.
The multistate investigation was led by the Attorney General of Connecticut and includes attorneys general from Alaska, Arizona, Arkansas, Colorado, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, and Washington.