43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.
In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:
- Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
- Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
- Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
- Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
- Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.
Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.
This settlement follows another multistate resolution with Adobe (here), highlighting the interest of State Attorneys General in, and their monitoring of, companies’ data security programs and the steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.