Neiman Marcus data breach settlement tells us plenty about the ROI of security

When breaches cost so little, there's not much incentive to avoid them

[Image: Neiman Marcus storefront. Credit: REUTERS/Rick Wilking]

There is a security ROI dance in retail today. Executives know that they can skimp on security and have a statistically decent chance the company won't get caught by a cyberthief before someone else has their job. The only way that security has a chance of achieving a reasonable ROI is if the pain that results from a breach is massive. It rarely is, as the recent data breach settlement from Neiman Marcus illustrates only too well.

Back in January 2014, Neiman Marcus announced a data breach, even though it had known about it for roughly a month. The chain initially reported that the attack — which happened in 2013, between July 16 and Oct. 30 — impacted 1.1 million customers, a number that the retailer later reduced to 370,385. About 9,200 shoppers experienced actual fraud.

The company settled a class-action lawsuit for $1.6 million, much of it covered by insurance. And even that may be more than it ends up paying. Shoppers — many of whom will not even learn of the settlement — need to go through an elaborate paperwork process to apply for a tiny share of that money.

Neiman Marcus hardly has an incentive to make its shoppers aware. The amount slated for consumers is just one-fourth of the settlement, $400,000, with the rest going to attorneys' fees and expenses. (The fact that 75% of this consumer settlement isn't going to consumers is a topic for another day.)

From the settlement filing: "In the event that the Settlement Administration Charges amount to less than Four Hundred Thousand Dollars and No Cents ($400,000), Neiman Marcus will retain the difference between such Settlement Administration Charges and Four Hundred Thousand Dollars and No Cents ($400,000)." In other words, if an insufficient number of shoppers successfully apply for the money, the retailer gets to pocket the difference. That's an impressive reverse incentive.

The most interesting part of the Neiman Marcus settlement filing is where the retailer lists a bunch of things it has done to improve its security post-breach. Before we delve into that list, it's important to note that this is all part of the poor ROI structure for security matters. Even when a retailer has horrible security, it can be comforted by the fact that it will be cut some slack if it improves that security post-breach.

This raises the question: How much did Neiman Marcus improve security post-breach? And how meaningful were those changes?

The first item the chain listed was this: "Neiman Marcus created and filled the position of Chief Information Security Officer (CISO), an executive position with responsibility to coordinate and be responsible for Neiman Marcus’s program(s) to protect the security of customers’ Personal Information."

Wait a second. A $5 billion retailer did not have a CISO before? I love how the chain is taking a bow for creating this role and hiring someone. But what authority will the CISO have? Can he or she block any initiatives that don't pass security guidelines? Hiring a CISO doesn't help much if that officer isn't listened to, any more than hiring a chief counsel will, on its own, prevent lawsuits from being filed and won.

The chain also touted hiring people for a new information security organization. And then there's this: "Neiman Marcus increased the frequency and depth of reporting to its executive team and members of its board of directors about its cybersecurity efforts and the cybersecurity threat landscape."

This, again, sounds encouraging until you realize what's missing. Having senior management aware of security issues is great, but it won't help much if management isn't willing to do what security requires: providing adequate security funding and enforcing workflow processes, such as requiring security sign-off before a project is deployed. That should include a willingness to torpedo potentially profitable initiatives if security can't adequately protect them.

Then Neiman Marcus touted this accomplishment: "Neiman Marcus equipped all of its Stores with devices that allow customers to pay for purchases using payment cards containing embedded computer chips."

Really? Complying with years-old card-brand requirements for accepting EMV is something to tout? Yes, it's a slight security improvement, since chip cards are harder to counterfeit than magnetic-stripe cards, but it wouldn't have done much to avert this breach: a chip on the card does nothing to protect card data once it has been captured inside a retailer's systems.

Neiman Marcus also tossed in this one: "Neiman Marcus invested in a new tool to automatically collect and analyze logs generated by Neiman Marcus systems for potential security threats." No indication of what the tool is, not that it makes any difference. And that's the whole point.

I am confident that multiple IT people at Neiman Marcus had flagged security shortcomings before the breach. Having mechanisms in place to identify a potential problem does little good if senior management chooses not to act on it.

What if the chain put real power into the hands of professional security executives? I am routinely amazed by how much power senior management is willing to give its financial executives and investor relations over what to report to the SEC and Wall Street, compared with how little power they give IT and security executives over IT and security matters.

Putting people and tools in place is nice. Giving those people actual power is very different.
