Maryland, Other States, Settle Neiman Marcus 2013 Data Breach For $1.5M
BALTIMORE (WJZ) — Maryland Attorney General Brian E. Frosh announced Tuesday that he, along with the Attorneys General of 42 other states and D.C., has reached a settlement with the Neiman Marcus Group, LLC.
Under the terms of the settlement, Neiman Marcus agreed to pay $1.5 million and put in place a number of policies to resolve the multistate investigation into the 2013 breach of customer payment card data at 77 Neiman Marcus stores.
The breach occurred over the course of several months and compromised the names and payment card data collected at the retailer's stores throughout the U.S., a state press release said Tuesday.
The states' investigation found that around 370,000 payment cards were compromised, including 8,323 associated with Maryland consumers.
At least 9,200 of the payment cards compromised in the breach were used fraudulently.
"Businesses that collect and hold consumers' payment card data have a responsibility to make sure that data is protected from hackers," said Attorney General Frosh. "This settlement requires Neiman Marcus to bolster its protection of consumers' information to prevent a breach like this from reoccurring."
Along with the settlement payment, Neiman Marcus has agreed to some injunctive provisions aimed at stopping similar breaches in the future, including:
- Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
- Maintaining an appropriate system to log and monitor its network activity;
- Maintaining working agreements with two qualified Payment Card Industry forensic investigators, operating separately, to allow for speedy investigation and remediation of any future concerns;
- Updating all software associated with maintaining and safeguarding personal information;
- Implementing appropriate industry-accepted payment security technologies relevant to the company's business; and
- Using technologies like encryption and tokenization to obscure payment card data.
Under the settlement, the retailer is also required to obtain an information security assessment and report from a third-party professional, and detail any corrective actions the company may have taken or plans to take because of this report.