After three years of litigation, Neiman Marcus has agreed to pay $1.6 million to settle a class action over a security breach that exposed the credit card information of about 350,000 customers.
Settlement papers were filed with a federal judge Friday in a case that alleged Neiman was liable for the breach because it failed to adopt adequate data security measures and kept the hack secret from consumers so it would not be affected during the lucrative holiday shopping season in 2013.
The retailer was informed of the issue by a credit card processor in mid-December 2013 but did not notify customers until Jan. 10, 2014.
According to the lawsuit, hackers used malicious software they had installed in the payment systems used by Neiman to attempt to collect the payment data of customers. Neiman estimated 9,200 customer ended up being used fraudulently.
Members of the proposed class will receive up to $100 each from the settlement if they can show that their financial information was subject to the breach. Of the $1.6 million, bout $900,000 will go to plaintiffs’ legal fees and litigation costs, with the rest being allocated to the payment fund.
About half a dozen class actions over the breach were consolidated in Illinois federal court. In September 2014, U.S. District Court Judge James B. Zagel dismissed the case, finding that the plaintiffs did not have standing to sue Neiman because all of the fraudulent purchases cited by the named plaintiffs had been reimbursed by their credit card companies.
But an appeals court said customers had satisfied standing requirements by alleging they could be exposed to fraudulent charges or identity theft in the future.
“The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the U.S. 7th Circuit Court of Appeals ruled.
In the settlement papers, plaintiffs said consumers will also benefit from “changes to [Neiman’s] business practices designed to further strengthen its information technology security.”