Idaho part of $1.5M Neiman Marcus data breach settlement

Posted at 12:49 PM, Jan 08, 2019
and last updated 2019-01-08 14:51:13-05

BOISE — The Neiman Marcus Group LLC, a worldwide retailer, has agreed to pay $1.5 million -- and implement a number of policies -- to resolve an investigation with 43 states and the District of Columbia into a 2013 data breach, Idaho Attorney General Lawrence Wasden said Tuesday.

In January 2014, the retailer disclosed that payment card data collected at 77 of its U.S. stores had been compromised by an unknown third party. The states’ investigation determined that approximately 370,000 payment cards -- 204 of which were associated with Idaho consumers -- were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the payment cards compromised in the breach were later used fraudulently.

Idaho’s share of the settlement is $17,312. The money will be deposited into the state’s Consumer Protection Fund.

In addition to the monetary settlement, Neiman Marcus has agreed to a number of steps aimed at preventing similar breaches in the future, according to a news release from Wasden’s office.

They include:

- Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;

- Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;

- Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;

- Updating all software associated with maintaining and safeguarding personal information, and creating written plans for the replacement or maintenance of software that is reaching its end-of-life or end-of-support date;

- Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and

- Devaluing payment card information, using technologies such as encryption and tokenization, to obscure payment card data.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report, according to the release.