The Neiman Marcus Group LLC has agreed to a $1.5 million settlement with 43 states and the District of Columbia over a 2013 data breach of customer payment card information.
Neiman Marcus will put in place measures to prevent breaches in the future, such as complying with Payment Card Industry Data Security Standard requirements, having a system to collect and monitor its network activity, and updating software that maintains and safeguards personal information, according to a statement by South Carolina Attorney General Alan Wilson (R). The company also must have a third party conduct an information security assessment and report, under the settlement.
“Consumers are entitled to have their privacy protected and safeguards against fraud not compromised,” Wilson said in his statement. “The message to these companies is: protect your customers.”
Companies are facing intensifying pressure from state regulators over corporate data handling practices. Uber Technologies Inc. agreed to pay $148 million to settle data breach claims in a multi-state settlement in September 2018. Twelve state attorneys general banded together in December 2018 to sue two medical IT companies for alleged poor security practices.
Neiman Marcus is “pleased this matter is now resolved,” the company said in a statement provided to Bloomberg Law.
New York, Massachusetts, Connecticut, Georgia, and Iowa are among the states that joined the Neiman Marcus settlement.
Neiman Marcus in 2014 disclosed that a third party had compromised payment card data collected at 77 of its stores. An investigation by the states found that about 370,000 payment cards were compromised and at least 9,200 were used fraudulently, according to Wilson’s statement.