Press Release, Office of Maryland Attorney General Brian Frosh
Neiman Marcus Must Pay $1.5 Million to the States; More Than 8,000 Marylander Consumers’ Payment Data Compromised
BALTIMORE, MD (January 8, 2019) – Maryland Attorney General Brian E. Frosh announced today that he, along with the Attorneys General of 42 other states and the District of Columbia, has reached a settlement with The Neiman Marcus Group, LLC. Under the terms of the settlement, Neiman Marcus has agreed to pay $1.5 million and implement a number of policies to resolve a multistate investigation into the 2013 breach of customer payment card data at 77 Neiman Marcus stores.
The breach took place over the course of several months and compromised the names and payment card data collected at Neiman Marcus retail stores throughout the United States. The states’ investigation determined that approximately 370,000 payment cards were compromised, including 8,323 associated with Maryland consumers. At least 9,200 of the payment cards compromised in the breach were used fraudulently.
“Businesses that collect and hold consumers’ payment card data have a responsibility to make sure that data is protected from hackers,” said Attorney General Frosh. “This settlement requires Neiman Marcus to bolster its protection of consumers’ information to prevent a breach like this from reoccurring.”
In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:
- Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
- Maintaining an appropriate system to log and monitor its network activity;
- Maintaining working agreements with two qualified Payment Card Industry forensic investigators, operating separately, to allow for speedy investigation and remediation of any future concerns;
- Updating all software associated with maintaining and safeguarding personal information;
- Implementing appropriate industry-accepted payment security technologies relevant to the company’s business; and
- Use technologies like encryption and tokenization to obscure payment card data.
Under the settlement, Neiman Marcus is also required to obtain an information security assessment and report from a third-party professional, and detail any corrective actions that the company may have taken or plans to take as a result of this report.
The Maryland Attorney General’s Office was a member of the Executive Committee that led the investigation.
Information on how to protect your identity and what to do in the event of a data breach can be found in the Maryland Office of Attorney General’s Identity Theft Guide. Consumers who believe they may be a victim of identity theft should contact the Attorney General’s Identity Theft Unit at 410-576-6491 or by sending an email to firstname.lastname@example.org.
In making today’s announcement, Attorney General Frosh thanked Assistant Attorney General Richard Trumka, Jr. for his work on the case.