Neiman Marcus discloses May, 2020 incident that impacted 4.6 million customers

DALLAS, Sept. 30, 2021 /PRNewswire/ — Neiman Marcus Group (“NMG” or the “Company”) recently learned that an unauthorized party obtained personal information associated with certain Neiman Marcus customers’ online accounts. NMG notified law enforcement of the issue, which occurred in May 2020, and is working closely with Mandiant, a leading cybersecurity expert, to investigate. NMG’s investigation is ongoing and the Company is working quickly to determine the nature and scope of the matter.

The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.

Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. For these customers, approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted. At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.

Promptly after learning of the issue, NMG began taking steps to protect its customers, including requiring an online account password reset for affected customers who had not changed their password since May 2020. The Company’s notice regarding this issue recommends steps customers can take to help protect their information.

NMG has set up a dedicated call center at (866) 571-9725, which is open seven days a week (Monday through Friday, 8 a.m. to 10 p.m. CST; Saturday and Sunday, 10 a.m. to 7 p.m. CST, excluding major U.S. holidays). Callers should be prepared to provide engagement number B019206. The Company also has set up a Neiman Marcus webpage at https://www.neimanmarcus.com/2021-customer-online-account-info with additional information.

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

About Neiman Marcus Group

Neiman Marcus Group is a relationship business. We lead with love in everything we do for our customers, associates, brand partners, and communities. Our strategy of integrated luxury retail is about creating long-term relationships. It’s this connection that creates emotional and high lifetime value potential with everyone we serve. Through the expertise of our 9,000+ associates, we deliver across our three channels of in-store, eCommerce, and remote selling. Investments in data and technology allow us to scale a personalized luxury experience. Our brands include Neiman Marcus, Bergdorf Goodman, Neiman Marcus Last Call, and Horchow. For more information, visit www.neimanmarcusgroup.com.

SOURCE Neiman Marcus Group

Neiman Marcus reaches $1.5 million data breach settlement

AP reports: More than 40 state attorneys general have announced a $1.5 million settlement with The Neiman Marcus Group LLC over a data breach the Dallas-based retailer disclosed in January 2014. The breach exposed customer credit card data at 77 Neiman Marcus stores nationwide. Over a three-month period in 2013, about 370,000 Neiman Marcus credit cards were accessed by unknown third parties unlawfully, and at least 9,200 were used fraudulently.

Read more from AP on Bluefield Daily Telegraph.

Here is the statement from the Texas Attorney General’s Office:

Attorney General Ken Paxton today announced a $1.5 million 43-state settlement with The Neiman Marcus Group LLC, resolving an investigation into a data breach the Dallas-based retailer disclosed in January 2014. The breach, which affected 65,644 Texans, exposed customer credit card data at 77 Neiman Marcus stores nationwide. Over a three-month period in 2013, approximately 370,000 Neiman Marcus credit cards were unlawfully accessed by an unknown third party, and at least 9,200 of them were used fraudulently.

“Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure,” Attorney General Paxton said. “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”

Under terms of the settlement, Neiman Marcus will maintain reasonable procedures to protect its customers’ personal information and guard against future attacks by hackers. The retailer must obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. Attorney General Paxton’s investigation was conducted pursuant to the Texas Identity Theft Enforcement and Protection Act.

Texas will receive $95,000 in attorneys’ fees and costs as part of a 43-state settlement with Neiman Marcus.

View a copy of the settlement here: https://www.texasattorneygeneral.gov/sites/default/files/images/admin/2019/Press/NMarcusAVC%201%208%202019.pdf

Neiman Marcus to settle long-running data breach litigation for $1.6m?

Law360 reports: Neiman Marcus has agreed to pay $1.6 million to resolve a data breach class action in Illinois federal court over a December 2013 cyber intrusion that revealed the credit card data of 350,000 shoppers of the luxury retailer, according to a court document filed Friday.

Read more on Law360 if you have a subscription. If you don’t have a subscription, don’t worry – I imagine other news outlets will also cover the settlement. Past coverage of the breach and litigation on this site is linked from here.

The case may best be remembered for the Seventh Circuit’s reversal of the district court’s dismissal of the lawsuit for lack of standing. Following that somewhat stunning reversal, the retailer failed to get the appeal reheard en banc, and then suffered a second loss back in district court when it also failed to get the case dismissed for failure to demonstrate negligence on their part. I doubt most lawyers would have suggested that the retailer settle the suit when it was first filed, as most of these lawsuits that do not allege concrete injury actually did/do get dismissed for lack of standing. So Neiman Marcus chose not to settle at the outset, and… I wonder how much this litigation has cost them by now? And what’s the value of the bad press of keeping their name in headlines associated with customer complaints? With the benefit of hindsight, would they fight this all again?

Judge Refuses to Dismiss Neiman Marcus Data Breach Class Action

Christina Davis reports: Neiman Marcus Group LLC has lost a bid to toss a class action alleging that the retail clothing chain’s negligence caused a massive data security breach and then hid the problem right before the holiday shopping season in 2013. The Neiman Marcus class action lawsuit was filed by Hilary Remijas on behalf of consumers affected by the alleged breach.

The Neiman Marcus data breach class action lawsuit had landed back in district court after a somewhat surprising – but welcome – Seventh Circuit ruling reinstated the lawsuit in July 2015. The court subsequently denied Neiman Marcus’s request for an en banc review of the ruling. Now back in district court, the retailer argued that the claims should still be dismissed because the injuries did not demonstrate negligence.

As Davis reports: The plaintiffs contended, in turn, that the Seventh Circuit had found that whether or not Neiman Marcus consumers had been reimbursed by their financial institutions for charges resulting from the data breach was factual and could not be dismissed. Additionally, the plaintiffs pointed out that at a minimum, the proposed class had claims based on the amount of time spent dealing with potentially fraudulent charges. Judge Zagel agreed with the plaintiffs and refused to dismiss the Neiman Marcus class action lawsuit. Judge Zagel stated that dismissal of the lawsuit was “not appropriate at this time.”

So this hasn’t been a great month for Neiman Marcus, who just disclosed this week that they experienced another breach on December 26, 2015 that impacted over 700 California residents (and an unknown total number of consumers). Neiman Marcus reported that the websites of their Neiman Marcus, Bergdorf Goodman, Horchow, Last Call, and CUSP stores were hit with automated attacks trying various login combinations. The firm suspects that the attackers may have been using login credentials acquired in other hacks of other entities. In some cases, the attackers were able to access customer accounts (but not full credit card numbers or PIN numbers) and make purchases. Neiman Marcus has credited/restored all accounts. Neiman Marcus reports that its defenses were able to successfully repel about 99% of the attacks.
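The December 2015 incident described above is a credential-stuffing pattern: one client trying many different usernames with passwords taken from other breaches, with a small fraction succeeding. The following is an added example, not code from the original post and not Neiman Marcus's own tooling, of the detection check a defender would run over web authentication logs for this pattern. The log format (timestamp, client IP, username, result), the sample lines, and the thresholds (60-second window, at least 10 distinct usernames, at least 80% failures) are all assumptions chosen for illustration; the function also lists the accounts that logged in successfully from a flagged source, which is the set that would need a forced password reset.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example; the log format, thresholds and sample lines are assumptions.
A single client cycling through many distinct usernames, mostly failing, is
the signature; a legitimate user mistyping their own password a few times
must not trip the detector.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, client IP, username, login result.
# 198.51.100.7 sprays 12 different accounts in 8 seconds (one succeeds);
# 203.0.113.5 is one user who fails twice and then logs in normally.
SAMPLE_LOG = """\
2015-12-26T10:00:01 198.51.100.7 alice FAIL
2015-12-26T10:00:02 198.51.100.7 bob FAIL
2015-12-26T10:00:02 198.51.100.7 carol FAIL
2015-12-26T10:00:03 198.51.100.7 dave FAIL
2015-12-26T10:00:03 198.51.100.7 erin FAIL
2015-12-26T10:00:04 198.51.100.7 frank OK
2015-12-26T10:00:05 198.51.100.7 grace FAIL
2015-12-26T10:00:06 198.51.100.7 heidi FAIL
2015-12-26T10:00:06 198.51.100.7 ivan FAIL
2015-12-26T10:00:07 198.51.100.7 judy FAIL
2015-12-26T10:00:08 198.51.100.7 mallory FAIL
2015-12-26T10:00:09 198.51.100.7 niaj FAIL
2015-12-26T10:01:00 203.0.113.5 alice FAIL
2015-12-26T10:01:30 203.0.113.5 alice FAIL
2015-12-26T10:02:00 203.0.113.5 alice OK
"""

# Assumed thresholds; tune against the site's real traffic before deploying.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 10
MIN_FAIL_RATIO = 0.8


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: [accounts that logged in OK from that ip while it was stuffing]}.

    For each client IP a sliding time window counts distinct usernames and
    failures; the IP is flagged when a window holds at least `min_users`
    distinct usernames and at least `min_fail_ratio` of attempts failed.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        users = Counter()   # username -> attempts currently inside the window
        fails = 0
        start = 0
        for end, (ts, _, user, ok) in enumerate(evs):
            users[user] += 1
            if not ok:
                fails += 1
            # Drop events that fell out of the window.
            while ts - evs[start][0] > window:
                old_user, old_ok = evs[start][2], evs[start][3]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                if not old_ok:
                    fails -= 1
                start += 1
            total = end - start + 1
            if len(users) >= min_users and fails / total >= min_fail_ratio:
                # Successful logins inside a stuffing window are likely
                # compromised accounts: candidates for a forced password reset.
                hits = {u for (_, _, u, k) in evs[start:end + 1] if k}
                flagged[ip] = flagged.get(ip, set()) | hits
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}; accounts to reset: {accounts}")
```

The second source in the sample (one username, two failures, then success) is never flagged because the distinct-username count stays at one; that distinction is what separates this check from a plain failed-login rate limit, which would also trip on ordinary users. In production the same logic would run over the site's real access or SSO logs, and the flagged-account list feeds the kind of targeted password reset the notices above describe.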

7th Circuit Declines En Banc Rehearing in Neiman Marcus Data Breach Ruling

Jody Godoy reports: The Seventh Circuit declined to rehear an appeal it decided against Neiman Marcus over a payment card data breach on Thursday, leaving in place the precedential ruling that held plaintiffs can sue for the trouble and expense of preventing fraud on their accounts. The ruling will allow the suit in Illinois federal court, which has been on ice for a year during the appeal, to move forward. The plaintiffs claim their payment card details were compromised in the 2013 breach of Neiman Marcus systems that affected a proposed class of 350,000 customers, saying the retailer cut corners on security measures that could have prevented or mitigated the breach and didn’t give them timely notice of the attack. Read more on Law360.

Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit

Michael Beder writes: A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case. Read more on Covington & Burling InsidePrivacy.

Does the Seventh Circuit opinion in Neiman Marcus litigation impact FTC v. Wyndham?

Since the Seventh Circuit revived the class action lawsuit, Remijas v. Neiman Marcus, there has been a lot of buzz about how the opinion will make it easier for consumers going forward. The opinion (appended to this file) addresses Article III standing, which has been a major stumbling block in the majority of lawsuits.

But skip on over to the Third Circuit for a minute, where it appears that the FTC submitted a filing on July 24th that tries to use the Neiman Marcus opinion to support its case against Wyndham. The FTC argues, in part:

… In Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (July 20, 2015) (attached), the Seventh Circuit found that the victims of a breach of credit card data had alleged an injury-in-fact that gave them standing to sue the retailer from whose computers the data were stolen. The decision reverses a district court decision relied on by Wyndham in its opening and reply briefs (Br. at 48; Reply at 34) and supports the FTC’s argument in this case that the FTC’s complaint adequately alleged consumer harm. FTC Br. 52-61. Wyndham has claimed that the FTC failed to plead facts showing consumer injury because credit card companies typically reimburse the victims of fraudulent charges. In response, the FTC has observed, inter alia, that even if Wyndham’s victims had been reimbursed, the complaint stated a valid cause of action by alleging that consumers spent “time and money resolving fraudulent charges and mitigating subsequent harm.” FTC Br. 58. Remijas supports that argument. The court there held that even though the victims were reimbursed for fraudulent charges, plaintiffs had alleged “identifiable costs associated with the process of sorting things out,” including “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” Slip Op. 7. Those alleged harms were sufficient to give plaintiffs standing.

Wyndham’s lawyers fired back that the FTC’s contention is incorrect:

As an initial matter, Remijas is inconsistent with other data breach cases, including this Court’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). More importantly, Remijas did not address the consumer-injury requirements of Section 5—only the less rigorous standing requirements of Article III. While the test for constitutional standing is exceedingly low, see, e.g., Blunt v. Lower Marion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (requiring only “some specific, identifiable trifle of injury”), the FTC Act contains two additional requirements: the injury must be (1) “substantial,” which, to have any meaning, must be something more than the injury required by Article III; and, (2) not “reasonably avoidable by consumers themselves.” 15 U.S.C. § 45(n). Those requirements mean that time and money spent resolving fraudulent charges cannot satisfy Section 5(n), even if they might confer standing under Article III. As the Ninth Circuit explained in Davis v. HSBC Bank Nevada, an “injury” is not actionable under Section 5(n) “if consumers are aware of, and are reasonably capable of pursuing, potential avenues toward mitigating the injury after the fact.” 691 F.3d 1152, 1168-69 (9th Cir. 2012). Davis rejected the notion that avoiding injury is itself sufficient, framing the issue as “not whether subsequent mitigation was convenient or costless, but whether it was reasonably possible.” Id.; see also Reply Br. 31-35. The FTC’s claim here is classic bootstrapping that would eviscerate the “reasonably avoidable” requirement.

Finally, the FTC’s argument that Wyndham consumers suffered unreimbursed fraud loss is implausible because—after investigating the cyberattacks against Wyndham for nearly five years and contacting hundreds of consumers—the FTC admitted that it has not identified a single individual consumer who suffered unreimbursed fraud loss (let alone “substantial” loss that was “not reasonably avoidable”).

So will Remijas have any impact on FTC v. Wyndham? I guess we’ll have to see when we finally get an opinion from the Third Circuit.

Neiman Marcus Customer Card Data Breach Suit Given New Life

Margaret Cronin Fisk reports: Neiman Marcus Group LLC must face a proposed class action in which the high-end retailer is accused of failing to protect customers from computer hackers who stole credit and debit card information, an appeals court ruled, saying a judge decided too soon that the victims didn’t have a case. The decision reverses a September ruling by a Chicago federal judge who found the customers didn’t show they suffered concrete harm. The consumers sued Neiman Marcus for negligence, breach of contract and deceptive business practices. Read more on Bloomberg.

Appeal of dismissal of Neiman Marcus lawsuit heard by Seventh Circuit

After the proposed class action lawsuit against Neiman Marcus (Remijas v. Neiman Marcus) was tossed in September for lack of standing (opinion and order), the plaintiffs appealed. The Seventh Circuit heard oral argument on the standing issue on January 23. You can listen to the audio (about 32 minutes) here. The court will issue its ruling at a future date.

Maybe we need a drinking game for data breach class action lawsuits where every time someone mentions Clapper, you drink. via @TeachPrivacy

Neiman Marcus Skirts Data Breach Class Action

Law360 reports: An Illinois federal judge on Tuesday tossed a proposed class action alleging that Neiman Marcus Group LLC negligently failed to protect 350,000 customers’ credit card information prior to a 2013 hack into the high-end department store’s servers, ruling the plaintiffs had lacked Article III standing. Granting the defendant’s motion to dismiss, U.S. District Judge James B. Zagel said he wasn’t convinced that unauthorized credit card charges for which the plaintiffs would be reimbursed qualify as concrete injuries warranting Article III standing.

Read more on Law360 (sub. required).