Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers.
On Jan. 10, 2014, Neiman Marcus publicly announced that it had experienced a security incident involving its payment processing system that may have resulted in unauthorized access to the payment card data of thousands of its customers. Through its investigation of the incident, Neiman Marcus determined that, beginning in 2013, unauthorized parties had infected its payment processing system with malware that was capable of capturing customer payment card information. Shortly after Neiman Marcus provided notice of the incident, the AGs of 43 states and the District of Columbia launched a multistate investigation of the incident.
In addition to the $1.5 million payment, Neiman Marcus also agreed that its payment card system would comply with the Payment Card Industry Data Security Standard (PCI DSS) and that it would monitor its network and utilize security information and event management tools to report suspicious activity. Neiman Marcus also agreed to implement new software and technology to encrypt and safeguard personal information, including payment card data. The settlement, which takes the form of an assurance of voluntary compliance, also requires that Neiman Marcus maintain nondisclosure agreements with a minimum of two separate, qualified Payment Card Industry forensic investigators capable of investigating future security incidents. To assure that Neiman Marcus complies with the terms of the settlement, it is also required to obtain an information security assessment and report from a third-party professional no later than two years from the date of the settlement.
Although the settlement ends the multiyear, multistate investigation, Neiman Marcus is still facing a class action lawsuit in federal court related to the breach.