Attorney General Aaron Ford Reaches $1.5M Settlement with Retailer Neiman Marcus Over 2013 Data Breach

January 8, 2019

Carson City, NV – Today, Nevada Attorney General Aaron Ford, along with 43 states and the District of Columbia, announced a $1.5 million multistate settlement with The Neiman Marcus Group, LLC. The settlement resolves the states’ investigation into the 2013 breach of customer payment card data at 77 of its U.S. retail stores.

In January 2014, Neiman Marcus disclosed that payment card data collected at several of its retail stores had been compromised by an unknown third party. The states' investigation determined that approximately 370,000 payment cards – including 3,450 cards associated with transactions at Neiman Marcus’ Nevada locations – were compromised in the breach, which took place over several months in 2013. At least 9,200 of the payment cards compromised in the breach were used fraudulently.

“Companies have a responsibility to protect their customers’ personal information,” said AG Ford. “I’m proud that this settlement will hold responsible parties accountable and ensure Nevadans who shop from this retailer are better protected in the future.”

Pursuant to the settlement, Neiman Marcus has agreed to pay the investigating states $1.5 million, of which Nevada’s share is $19,604.69. Additionally, Neiman Marcus has agreed to implement a number of policies and procedures to prevent future data breaches, including:

• Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
• Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
• Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
• Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
• Devaluing payment card information, and using technologies like encryption and tokenization to obfuscate payment card data.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.

In addition to Nevada, participants in the settlement include: Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, and Washington.

Senior Deputy Attorneys General Lucas Tucker and Laura Tucker of the Attorney General’s Bureau of Consumer Protection represented Nevada in this settlement.