The settlement resolves a multistate investigation led by Madigan after a 2013 breach that compromised customer credit card data at 77 Neiman Marcus stores.
In the settlement executed today, Neiman Marcus will pay $1.5 million and implement policies to prevent future data breaches.
Madigan launched the multistate investigation with Connecticut Attorney General George Jepsen after Neiman Marcus disclosed in January 2014 that payment card data collected at retail stores across the country had been compromised by an unknown third party.
Madigan’s investigation found that approximately 370,000 payment cards – including more than 19,000 belonging to Illinois consumers – were compromised in the breach, which took place over the course of several months in 2013.
Nationwide, at least 9,200 of the payment cards compromised in the breach were used fraudulently.
“Neiman Marcus has a duty to protect sensitive customer data,” Madigan said. “Under this settlement, Neiman Marcus must prioritize protecting consumer data and put in place protections to prevent future data breaches.”
Under the settlement, Illinois will receive more than $124,000. In addition, Neiman Marcus agreed to a number of provisions aimed at preventing similar breaches in the future, including:
- Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
- Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
- Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
- Updating all software associated with maintaining and safeguarding personal information and creating written plans for the replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
- Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
- Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.
Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.
Privacy Unit Chief Matt Van Hise and Consumer Fraud Bureau Chief Elizabeth Blackston handled the settlement for Madigan’s Consumer Fraud Bureau. ■