Nebraska Office of the Attorney General issued the following announcement on Feb. 11.
Nebraska Attorney General announced the Neiman Marcus Group LLC has agreed to pay a $1.5 million settlement and implement a number of policies. This results from an investigation by 43 states and the District of Columbia into the 2013 breach of customer payment card data at seventy-seven Neiman Marcus stores in the United States.
In January 2014, Neiman Marcus disclosed that payment card data collected at a certain number of its retail stores had been compromised by an unknown third party. The breach took place over the course of several months in 2013. The states' investigation determined that approximately 370,000 payment cards were compromised in the breach. Nebraska had 227 consumers who were affected. At least 9,200 of the payment cards compromised in the breach were used fraudulently.
“This settlement reemphasizes the importance of safeguarding the personal information of Nebraska consumers,” said Attorney General Peterson. “Entities that receive payment card data from Nebraska consumers have a responsibility to reasonably protect the information from unauthorized acquisition and misuse.”
Nebraska’s share of the settlement funds is $17,921.01.
In addition to the monetary settlement, Neiman Marcus has agreed to a number of injunctive provisions aimed at preventing similar breaches in the future, including:
-Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
-Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
-Maintaining working agreements with two, separate, qualified Payment Card Industry forensic investigators;
-Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
-Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company's business; and
-Devaluing payment card information, using technologies like encryption and tokenization, to obfuscate payment card data.
Original source can be found here.