NJ Enters Multi-State Settlement with Neiman Marcus Who Agrees to Improve Cybersecurity
Attorney General Gurbir S. Grewal announced today that New Jersey has entered into a multi-state settlement with Neiman Marcus that resolves allegations the chain failed to protect the personal information of shoppers who made in-store purchases using payment cards. A December 2013 hacking incident targeted Neiman Marcus’s point-of-sale systems, compromising account numbers, expiration dates and other personal data linked to an estimated 370,000 payment cards nationwide. Approximately 17,000 payment cards associated with New Jersey addresses were impacted by the breach.
New Jersey was part of the eight-member Executive Committee that investigated the data breach. As part of the settlement Neiman Marcus will pay the participating states $1.5 million, of which New Jersey will receive $57,465. In addition to the monetary terms of settlement, Neiman Marcus has agreed to a variety of injunctive terms aimed at preventing a similar data breach in the future. “As more shoppers choose to go cashless, it becomes even more important for businesses to properly safeguard the databases they use to store consumers’ personal information,” said Attorney General Grewal. “Retailers have a responsibility to protect consumers’ personal information, and when companies fall short of their obligations, we take action to protect New Jersey’s residents.” When companies fall short of their obligation to consumers we take action, as we’ve done with Neiman Marcus, that requires them to improve their practices going forward.” Among other terms, the department store chain must ensure that its cardholder data systems comply with the Payment Card Industry (PCI) Data Security Standard, and must maintain a system for the collection and monitoring of network activity, with the capability of flagging any unusual or suspicious activity. Neiman Marcus also must maintain up-to-date software for the storage and safeguarding of consumers’ personal information, and ensure that any related software that is nearing the end of its life (or the end of its support date) is either replaced or updated. In addition, the retailer must take steps to review industry-accepted payment card security technologies relevant to its business -- such as chip and PIN technology -- and, where appropriate, adopt such improvements. Neiman Marcus also must maintain independence between any consultant it hires to assess its data security systems and any forensic auditor it retains to investigate a data breach. The settlement agreement also calls for Neiman Marcus to undergo an information security assessment, which will be made available to states upon request. In announcing the settlement, Attorney General Grewal noted that data breaches like the one at issue have potential to cause significant harm. Personal consumer information obtained by hackers in this instance could have been used to make fraudulent on-line purchases, the Attorney General noted, or could have been copied and imprinted to a blank magnetic strip card, allowing for fraudulent purchases at Neiman Marcus stores.
“Under this settlement, Neiman Marcus must implement new policies and procedures that will strengthen its cyber security efforts and better protect the personal information of its customers,” said Attorney General Grewal. “We’re gratified to have been part of the multi-state Executive Committee that played a role in achieving this outcome on behalf of consumers both here in New Jersey and across the country.”