News Releases

    Rutledge Settles with Neiman Marcus Over 2013 Data Breach


    January 8, 2019

    Arkansas to receive $20,514.17

    LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today announced that she, along with 42 other states and the District of Columbia, have agreed to a $1.5 million settlement with the Neiman Marcus Group LLC to resolve allegations of a 2013 data breach that included credit card information of customers used at 77 Neiman Marcus stores, impacting 514 payment cards associated with known addresses in Arkansas. Arkansas’s share of the settlement funds is $20,514.17.

    “Data breaches continue to impact Arkansans, but settlements like this are an opportunity to urge the private sector to make protecting consumers a priority,” said Attorney General Rutledge. “The actions taken by Neiman Marcus in this agreement will help to prevent future breaches of their customers’ personal and financial information.”

    In January 2014, Neiman Marcus disclosed that payment card data collected at certain stores had been compromised by an unknown third party. The investigation determined that approximately 370,000 payment cards were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the cards that were compromised in the breach were used fraudulently.

    In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:

    • Complying with Payment Card Industry Data Security Standard requirements;
    • Maintaining an appropriate system to collect and monitor its network activity and ensuring logs are regularly reviewed and monitored;
    • Maintaining working agreements with two, separate, qualified payment card industry forensic investigators;
    • Updating all software associated with maintaining and safeguarding personal information and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
    • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
    • Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.

    Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report and detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.

    Contact Us
    Sign Up For Attorney General Alerts