[BreachExchange] Neiman Marcus data-breach settlement requires info-sharing initiatives, other controls

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 22 16:31:07 EDT 2017


http://oakridgeobserver.com/2017/03/22/neiman-marcus-data-breach-settlement-requires-info-sharing/

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as
part of a proposed settlement
<https://www.huntonretailindustryblog.com/wp-content/uploads/sites/16/2017/03/neiman-marcus-settlement.pdf>
(the "Settlement") to a consumer class action lawsuit stemming from a 2013
data breach that allegedly compromised the credit card data of
approximately 350,000 customers. Plaintiffs filed suit, seeking to
represent a class of approximately 350,000 Neiman Marcus customers affected
by the hacking.

According to the lawsuit [PDF
<https://consumermediallc.files.wordpress.com/2017/03/n-d-ill-_null_null_0.pdf>],
between July 16 and October 30, 2013 malicious software contained on the
payment systems used by Neiman Marcus attempted to collect the payment data
of 1.1 million customers. Neiman estimated 9,200 customer ended up being
used fraudulently.

While members of the proposed class will have to show that their financial
information was subject to the breach in order to receive up to $100 in
payment, lead plaintiffs of the proposed class said even those who do not
receive payment have benefitted from the litigation. Of the $1.6 million,
about $900,000 will go to plaintiffs' legal fees and litigation costs, with
the rest being allocated to the payment fund.

An Illinois federal court is expected to rule
<http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2015/D07-20/C:14-3122:J:Wood:aut:T:fnOp:N:1590360:S:0>
on the settlement and a request that the class be certified for claim
notification purposes by June.

Under the proposed settlement, Neiman Marcus would provide reimbursements
to any USA resident who held a credit card or debit card account that as
used at a Neiman Marcus store between July 16, 2013 and January 10, 2014.
Some customers sued, alleging negligence.

The lawsuit, which was first filed in March 2014, claimed that Neiman
Marcus failed to notify customers of the hack immediately after being
informed of the issue by credit card processor in mid-December.

In the settlement papers, plaintiffs said consumers will also benefit from
"changes to [Neiman's] business practices created to further strengthen its
information technology security".
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170322/1b257f80/attachment.html>


More information about the BreachExchange mailing list