
ComCom takes responsibility for external provider breach

06 Aug 2020

The Commerce Commission has this week acknowledged major flaws in its information security practices and promises to put stronger systems in place.

The review comes after an incident in October 2019, when one of the Commission’s external providers was burgled. Thieves stole computer equipment that contained documents and transcripts related to the Commission, businesses, and individuals. The Commission’s own equipment and network were not affected.

The case remains open but not active, as police have not found the stolen equipment and have not made any arrests related to the incident.

KPMG and Mr Fowler QC conducted independent investigations and presented their findings.

KPMG’s report focuses on the Commission’s information management and security processes, including those of third-party suppliers.

According to Commerce Commission chair Anna Rawlings, KPMG found that the Commission has a ‘moderate’ level of security maturity.

“The majority of its findings are consistent with what it sees in many other public and private sector organisations. It found a strong information security culture and awareness among staff but also makes recommendations for improvements in a number of areas including policies, procedures and work practices and our management of external providers,” says Rawlings.

Mr Fowler QC focused on what happened during the incident and how the information was left unsecured.

The report found that the external provider had contractual obligations for information security, as well as the retention and disposal of confidential material. The provider also understood the obligations and was therefore in breach.

“While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to keep sensitive information safe and we take responsibility for that. There was more that the Commission could have done to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could better mitigate the type of risk raised by the security incident,” comments Rawlings.

The Commerce Commission accepts the findings and recommendations put forth in both reviews.

“We have already made a number of improvements in the areas identified by Mr Fowler QC as directly related to the security incident. We are also embarking on a broad ranging information management and security programme, to help ensure that those we interact with can continue to have confidence in our ability to protect confidential and commercially sensitive information provided to us.”

The Commission has so far completed the following actions: 

  • Ended the Commission’s contract with the external provider, with more work done in-house by Commission staff or on-site by external providers using Commission devices
  • Contacted current and past suppliers of services to the Commission to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols
  • Recruited a procurement manager to improve contract management, reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, and changing the internal contract approvals process
  • Made changes to improve the way information is exchanged with external providers and third parties
  • Voluntarily adopted the government’s Protective Security Requirements

“These measures, together with the information management and security programme, respond to the findings of the reviews and reflect the Commission’s commitment to continued improvement of our overall information security maturity,” concludes Rawlings.