States Probe Neiman Marcus Breach as Bank Sues Target

Neiman Marcus Group Ltd. is being investigated by states including Connecticut and Illinois over the theft of customer credit-card data by hackers, and a bank sued Target Corp. for its data breach during the holiday season.

Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan, whose offices are already leading a multistate investigation in the Target breach, are also looking into the hack of Dallas-based Neiman Marcus, which said on Jan. 10 that some unauthorized purchases may have been made with credit cards.

The two breaches complicate matters for retailers already struggling to attract hesitant shoppers and cutting forecasts after engaging in a margin-eating price war during the holiday shopping season.

“At this point we cannot speak for any other states, but Connecticut will be looking into the Neiman Marcus breach and, to the extent that we become aware of breaches at other retailers, we will be looking those as well,” Jaclyn Falkowski, a spokeswoman for Jepsen’s office, said in an e-mail.

Madigan’s office is also looking into the Neiman Marcus breach, said her spokeswoman, Maura Possley, in an e-mail. Indiana Attorney General Greg Zoeller is aware of the situation and investigating to determine the extent of harm to consumers in the state, Erin Reece, a spokeswoman for Zoeller, said in an e-mail. Neiman Marcus has five stores in Illinois and none in Connecticut or Indiana, according to its website.

Target Probe

Other states involved in the Target probe include Florida, Iowa, Massachusetts and Pennsylvania, spokespersons for those states’ attorneys general confirmed yesterday.

Democratic U.S. Senators Claire McCaskill of Missouri and Jay Rockefeller of West Virginia today made public a letter they sent jointly to Target on Jan. 10 requesting a briefing on the data breach from the retailer’s information security officials.

The senators serve on the Committee on Commerce, Science and Transportation.

“We have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility,” Rockefeller and McCaskill wrote. “Target’s recent incident demonstrates the need for such federal legislation.”

Molly Snyder, a spokeswoman for Target, said the company has received the senators’ letter and will “work with them and other elected officials to keep them informed and updated as our investigation continues,” according to an e-mailed statement.

Compromised Accounts

Ginger Reeder, a spokeswoman for Neiman Marcus in Dallas, said in an e-mail that while she was unaware of any state attorney general investigations, the company would “fully cooperate with any and all” of them.

Target, based in Minneapolis, said last month that as many as 40 million customer credit- and debit-card accounts were compromised. The retailer on Jan. 10 broadened its description of the breach, saying that names as well as home and e-mail addresses for as many as 70 million people were stolen. The company said the second theft may have affected anyone who provided basic information to the retailer during the past several years.

Within a week of Target’s disclosure about the breach, the company was facing almost two dozen lawsuits filed by customers. Yesterday, Putnam, Connecticut-based Putnam Bank filed a suit claiming that the security breakdown cost it money because it forced the bank to issue customer alerts and new cards while reimbursing account-holders for their own losses.

Federal Complaint

Target failed to tell its own customers about the security breach until four weeks after it occurred, according to the bank’s complaint, filed in federal court in Minneapolis.

“Given the magnitude of the data breach, Target’s wrongful conduct cause class member financial institutions to incur significant losses,” Putnam Bank alleged.

The bank seeks to represent a class of financial institutions that have suffered similar injury as a result of the breach. It is demanding unspecified money damages for the retailer’s alleged negligence, for failure to comply with commercial credit card operating regulations governing customer data and for breach of contract.

Snyder declined to comment on the lawsuit.

The Target breach is being probed by the “vast majority” of attorneys general in the U.S., said Andrew Friedman, a spokesman for New York Attorney General Eric Schneiderman, who yesterday urged residents of his state to take advantage of free credit-monitoring and identity-theft protection services offered by the retailer.

Schneiderman said in a statement yesterday that his office’s Consumer Protection Bureau is also looking into reports of security breaches at other retailers and called on those companies, which weren’t identified in the statement, to offer free consumer protections to customers.

Friedman declined in a phone interview to name the other retailers and wouldn’t comment when asked if Neiman Marcus is one of them.

The Putnam lawsuit is Putnam Bank v. Target Corp., 14- cv-00121, U.S. District Court, District of Minnesota (Minneapolis).

(With assistance from Renee Dudley in New York and Phil Milford in Wilmington, Delaware. Editor: Peter Blumberg)