Neiman Marcus 2014 Annual Report Download - page 17

Download and view the complete annual report

Please find page 17 of the 2014 Neiman Marcus annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 161

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161

Table of Contents
alter historical credit and payment terms available to us or take other actions. Any of these actions could have an adverse impact on our relationship with
such designers or vendors, or constrain the amounts or timing of our purchases from such designers or vendors, and, ultimately, have an adverse effect on our
revenues, results of operations and liquidity.
A breach in information privacy could negatively impact our operations.
The protection of our customer, employee and company data is critically important to us. We utilize customer data captured through both our
proprietary credit card programs and our in-store and online activities. Our customers have a high expectation that we will adequately safeguard and protect
their personal information. Despite our security measures, our information technology and infrastructure may be vulnerable to criminal cyber-attacks or
security incidents due to employee error, malfeasance or other vulnerabilities. Any such incident could compromise our networks and the information stored
there could be accessed, publicly disclosed, lost or stolen. In addition, we outsource certain functions, such as customer communication platforms and credit
card transaction processing, and these relationships allow for the storage and processing of customer information by third parties, which could result in
security breaches impacting our customers.
We discovered in January 2014 that malicious software (malware) was clandestinely installed on our computer systems (the Cyber-Attack). Based on
information from our forensic investigation, it appears that the malware actively attempted to collect payment card data from July 16, 2013 through October
30, 2013 at 77 of our 85 stores, on different dates at each store within this time period. During that time period, information from approximately 370,000
customer payment cards could have been potentially collected by the malware.
We have been cooperating with the U.S. Secret Service in its investigation into the Cyber-Attack. In testimony before Congress in February 2014, a
Secret Service official explained that the attack on our systems was exceedingly sophisticated, and was unprecedented in the manner in which it was
customized to defeat our defenses and remain undetected. The Secret Service official also testified that we used a robust security plan to protect customer
data, but that, given its level of sophistication, the attacker nevertheless succeeded in having malware operate on our systems.
In light of the Cyber-Attack, we have taken steps to further strengthen the security of our computer systems, and continue to assess, maintain and
enhance the ongoing effectiveness of our information security systems. Nevertheless, there can be no assurance that we will not suffer a similar criminal
attack in the future, that unauthorized parties will not gain access to personal information, or that any such incident will be discovered in a timely way. In
particular, the techniques used by criminals to obtain unauthorized access to sensitive data change frequently and often are not recognized until launched
against a target; accordingly, we may be unable to anticipate these techniques or implement adequate preventative measures.
As described in Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” we incurred costs in fiscal years
2015 and 2014 associated with the Cyber-Attack, including investigative, legal and other costs. In the future, payment card companies and associations may
require us to reimburse them for unauthorized card charges and costs to replace cards and may also impose fines or penalties in connection with the Cyber-
Attack, and federal and state enforcement authorities may also impose fines or other remedies against us. We expect to incur additional costs to investigate
and remediate the matter in the foreseeable future. Such costs are not currently estimable but could be material to our future results of operations.
As described in Item 3, "Legal Proceedings" and Note 12 of the Notes to Consolidated Financial Statements in Item 15, the Cyber-Attack has given
rise to putative class action litigation on behalf of customers and regulatory investigations. At this point, we are unable to predict the developments in,
outcome of, and economic and other consequences of pending or future litigation or government inquiries related to this matter. Any future criminal cyber-
attack or data security incident may result in additional regulatory investigations, legal proceedings or liability under laws that protect the privacy of
personal information, all of which may damage our reputation and relationships with our customers and adversely affect our business, financial condition and
results of operations.
A material disruption in our information systems could adversely affect our business or results of operations.
We rely on our information systems to process transactions, summarize our results of operations and manage our business. The reliability and
capacity of our information systems is critical to our operations and the implementation of our growth initiatives. Our information systems are subject to
damage or interruption from power outages, computer and telecommunications failures, computer viruses, cyber‑attack or other security breaches and
catastrophic events such as fires, floods, earthquakes, tornadoes, hurricanes, acts of war or terrorism and usage errors by our employees. If our information
systems are damaged or cease to function properly, we may have to make a significant investment to fix or replace them, and we may suffer losses of critical
data and/or interruptions or delays in our operations. To keep pace with changing technology,
16