Attorney General: Neiman Marcus Pays $1.5M Penalty For Personal Data Breach

TRENTON – New Jersey has entered into a settlement, alongside various other states, with Neiman Marcus that resolves allegations that the company failed to protect shoppers’ personal information, announced Attorney General Gurbir S. Grewal.

In December 2013, Neiman Marcus’s systems were hacked, compromising the personal data linked to approximately 370,000 payment cards nationwide, about 17,000 of which have been associated with New Jersey.

The settlement stipulates that Neiman Marcus pay the participating states $1.5 million, of which New Jersey will receive $57,465.

“As more shoppers choose to go cashless, it becomes even more important for businesses to properly safeguard the databases they use to store consumers’ personal information,” said Attorney General Grewal. “Retailers have a responsibility to protect consumers’ personal information, and when companies fall short of their obligations, we take action to protect New Jersey’s residents.”

“When companies fall short of their obligation to consumers we take action, as we’ve done with Neiman Marcus that requires them to improve their practices going forward.”

Neiman Marcus has also agreed to a variety of injunctive terms aimed at preventing a similar data breach in the future, according to the Attorney General, including:

  • Neiman Marcus must ensure that its cardholder data systems comply with the Payment Card Industry (PCI) Data Security Standard.
  • It must maintain a system for the collection and monitoring of network activity, with the capability of flagging any unusual or suspicious activity.
  • It must maintain up-to-date software for the storage and safeguarding of consumers’ personal information.
  • It must efficiently replace any related software that is nearing the end of its life.
  • It must review industry-accepted payment card security technologies like chip and PIN technology and adopt improvements where necessary.
  • Neiman Marcus also must maintain independence between any consultant it hires to assess its data security systems and any forensic auditor it retains to investigate a data breach. 

Neiman Marcus will undergo an information security assessment, which can be made available to participating states upon request. “Under this settlement, Neiman Marcus must implement new policies and procedures that will strengthen its cyber security efforts and better protect the personal information of its customers,” said Attorney General Grewal. “We’re gratified to have been part of the multi-state Executive Committee that played a role in achieving this outcome on behalf of consumers both here in New Jersey and across the country.”