On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) of a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.
The consumer plaintiffs sued Neiman Marcus in March 2014, alleging that the company failed to protect customers’ privacy and waited 28 days to inform affected customers of the breach. Neiman Marcus claimed that, rather than 350,000 customers, the breach affected only 9,200 customers. The case initially was dismissed on the grounds that the affected customers lacked standing, having been reimbursed for their losses; the Seventh Circuit reversed and remanded, finding that costs for preventative measures like credit monitoring sufficiently established standing.
Under the terms of the Settlement, each class member who submits a valid claim is entitled to receive up to $100. Each class representative will receive up to $2,500 in service awards, and class counsel will seek up to $530,000 in attorneys’ fees and costs. The Settlement also requires Neiman Marcus to maintain the data security measures it implemented in the wake of the breach, including the (1) appointment of a Chief Information Security Officer, (2) creation of an Information Security organizational unit, (3) increase in frequency and depth of cybersecurity reporting to the executive team and Board of Directors, (4) use of chip-based payment card infrastructure in stores, (5) education and training of employees on privacy and data security matters, (6) collection and analysis of logs of Neiman Marcus systems for potential security threats and (7) information sharing initiatives. The Settlement awaits preliminary approval from the United States District Court for the Northern District of Illinois.