Neiman Marcus responded to the breach by appointing a CISO

Neiman Marcus are to pay up for failing to protect its customers' data. The US retailer will settle a class action suit in an Illinois federal court for US$1.6 million (£1.2 million).

The settlement means that any valid claim from a class member could pay out US$100 (£80). The counsel which represented the claimants will ask for up to $530,000 (£427,000) in costs. Aside from a payout, the settlement also says that Neiman Marcus must continue to strengthen its customer data protection practices.

A breach at Neiman Marcus in 2013 exposed the credit card information of 350,000 customers. It took the retailer nearly a month, 28 days, to inform its customers. This delay, together with the simple failure to protect customer data, formed the basis of the lawsuit, filed in March 2014, against the Dallas-based company.

In its defence, the company claimed that the breach had only impacted 9200 of its customers, and victims were reimbursed for their losses. Neiman Marcus bolstered its defences in the ensuing weeks and months, investing in training for employees and establishing a CISO position.

The settlement comes after a long series of delays. The case was first dismissed in 2014 but revived in July 2015, when the Seventh Circuit Court of Appeals held that the cost of protecting yourself against misuse of your exposed details was enough injury to resurrect the lawsuit.

It has often been hard to successfully sue a company for a data breach. While many try to use the courts to get compensation out of companies that did not adequately protect data, claimants often run into trouble when it comes to proving damage.

Without proof of actual harm, which is required to establish standing, claimants must rest their arguments on the risk of future harm. One 2015 ruling, in a class action against eBay over a data breach the previous year, dismissed the suit for lack of evidence that any of the 145 million victims had suffered fraud or theft in the wake of the breach.

Experts often point to a February 2013 Supreme Court ruling. In Clapper v Amnesty International, Amnesty had attempted to challenge a section of the Foreign Intelligence Surveillance Act. The court rejected Amnesty's claims about the potential future injury that the act might cause.

Barry Goheen of law firm King & Spaulding explained in an interview with Reuters, “Data breach defendants frequently challenge plaintiffs' (claimants) standing in their initial responsive pleading to the complaint.” Over the last several years, added Goheen, federal courts have dismissed the majority of such cases for “lack of standing”.