Consistent with state data breach notification laws, the Neiman Marcus Group, LLC publicly announced in January 2014 that its customers’ payment card information had potentially been compromised at 77 Neiman Marcus retail locations between March 2013 and January 2014. In total, 370,000 credit cards were compromised as a result of the intrusion, and at least 9,200 credit cards are known to have been used fraudulently.

Almost five years later, state attorneys general from 43 states and the District of Columbia entered into an Assurance of Voluntary Compliance with Neiman Marcus, closing the Multistate’s investigation after Neiman Marcus agreed to pay a $1.5 million civil penalty. Additionally, this Multistate settlement ensures that the business will take the following actions:

  1. Ensure that the storage, processing, and transmission of credit card data comply with the Payment Card Industry Data Security Standard;
  2. Maintain an appropriate system to collect and monitor network activity to report suspicious activity, including activity logs that are regularly reviewed and monitored in near real-time;
  3. Maintain agreements with at least two qualified Payment Card Industry forensic investigators;
  4. Update software associated with protecting cardholder data and create a written plan for updating and replacing this software;
  5. Implement steps to review and ensure that its practices are consistent with industry-accepted payment card technologies, such as use of chip and PIN technology;
  6. “Devalue payment card information” through encryption and tokenization and other methods “to obfuscate payment card information throughout the course of retail transaction” at Neiman Marcus retail locations; and
  7. Engage a third-party assessor who will report on the safeguards utilized by Neiman Marcus to meet its information security program goals and provide this report to the signatory state attorneys general.

Attorneys general for Illinois and Connecticut led the investigation. Additionally, a class action settlement related to this data breach has already been filed, and affected claimants were able to receive a payment of up to $100. The claim period for this class action ended in 2018.

This is already the third Multistate settlement this year. Specifically, state attorneys general have entered into Multistate settlements with for-profit education company Career Education Corporation to resolve claims of unfair and deceptive practices and with Fiat-Chrysler and Bosch related to their installation of defeat device software to conceal actual emissions levels in diesel motor vehicles.