The Commerce Commission has released two reviews into an October 2019 security incident and accepts all findings and
recommendations.
The security incident arose from the theft of computer equipment belonging to one of the Commission’s external providers
in a burglary. The computer equipment is thought to have contained a range of documents relating to the Commission’s
work, including some confidential information from businesses and individuals.
The first report, by Mr Fowler QC, looked into the circumstances relating to the specific incident.
“The report finds the external provider was clearly under contractual obligations with regard to information security
and the retention and disposal of confidential material, that they understood these obligations and were plainly in
breach of them,” Commission Chair Anna Rawlings said.
“While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to
keep sensitive information safe and we take responsibility for that. There was more that the Commission could have done
to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could
better mitigate the type of risk raised by the security incident.”
The second report by KPMG looked into the Commission’s information management and security, including information held
or accessible by third-party suppliers.
“KPMG found that the Commission has a moderate overall level of maturity in security and noted that the majority of its
findings are consistent with what it sees in many other public and private sector organisations. It found a strong
information security culture and awareness among staff but also makes recommendations for improvements in a number of
areas including policies, procedures and work practices and our management of external providers,” Ms Rawlings said.
“We accept the findings and recommendations from both reviews. We have already made a number of improvements in the
areas identified by Mr Fowler QC as directly related to the security incident. We are also embarking on a broad ranging
information management and security programme, to help ensure that those we interact with can continue to have
confidence in our ability to protect confidential and commercially sensitive information provided to us.”
Actions already completed in response to the incident include:
- Ending the Commission’s contract with the external provider and having the work done in house by Commission staff or on-site by external providers using Commission devices
- Contacting current and past suppliers of services to the Commission to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols
- Recruiting a Procurement Manager to improve contract management, reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, and changing the internal contract approvals process
- Making a number of changes to improve the way information is exchanged with external providers and third parties.
The Commission has also committed to voluntarily adopting the government’s Protective Security Requirements.
Ms Rawlings said, “These measures, together with the information management and security programme, respond to the
findings of the reviews and reflect the Commission’s commitment to continued improvement of our overall information
security maturity.”
The two reviews, along with a summary of the incident and the Commission’s response to it, can be found here.