Blumenthal: “I Am Troubled By The Failure Of Your Company To Immediately Notify Affected Customers”
(Washington, DC) – In a letter to Neiman Marcus President and CEO Karen Katz, U.S. Senator Richard Blumenthal (D-Conn.) today urged the retail chain to take immediate, proactive steps to protect consumers whose personal and financial information may have been exposed to hackers as a result of a recent data breach at its stores. Blumenthal also criticized Neiman Marcus for failing to notify affected customers of the breach.
Along with Target, Neiman Marcus is one of at least two major national retailers hit by hackers during the holiday season. Blumenthal has already called for an FTC investigation into the massive data breach that exposed the personal and financial information of as many as 100 million Target shoppers. Full text of the letter is below.
January 13, 2014
Ms. Karen W. Katz
President and Chief Executive Officer
The Neiman Marcus Group
1618 Main Street
Dallas, Texas 75201
Dear Ms. Katz:
I write regarding the recent reported data security breach at Neiman Marcus, which may have exposed the credit and debit card information of Neiman Marcus customers this holiday season. I am troubled by the failure of your company to immediately notify affected customers of the breach and believe it is important for your company to take immediate proactive steps to protect consumers affected by this breach.
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. It is troubling to me that Neiman Marcus did not proactively report this to the public, but rather news of the breach was first reported via newspapers and online security blogs.
It has been reported that your company was made aware in mid-December of a data security breach, which may have left the credit and debit card account information of your customers vulnerable to hackers and thieves. News reports indicate that a third party confirmed this on New Year’s Day, but your company has only come forward recently to inform customers that their financial identities are at risk. Waiting so long to inform the public about this cyber-attack may further complicate consumers’ and banks’ efforts to protect themselves.
This incident reminds us that cyber threats are real and can have devastating consequences for American citizens. It underscores the importance of enhancing cyber security and creating stronger protections for sensitive consumer data. As Congress revisits legislation in both of these areas, I would appreciate your answers to the questions below.
Based on reports about the incident, there was close to a month between the discovery of the breach and public disclosure. Please explain the reason for this delay, whether Neiman Marcus was working with law enforcement officials during this time period, and whether your company had plans to announce this breach to the public prior to the information being disclosed in the media.
Can you please explain how you plan to identify and notify the Neiman Marcus shoppers that have been impacted by this security breach?
What protections are you prepared to extend to your customers that may be at risk of having their sensitive financial information compromised?
Can you please indicate whether Neiman Marcus was using encryption software to protect its customers' data, and whether your company was following a set of best practices with regard to cyber security?
Lastly, proactive measures by Neiman Marcus in response to this breach would go a long way in helping put your customers’ minds at ease. For example, Neiman Marcus shoppers should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by your company. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
Neiman Marcus shoppers deserve more complete information about this security breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.
United States Senate