
Commerce Commission steps up security

Organisation takes responsibility for external provider breach as it releases reviews and accepts their recommendations.
Posted on 10 August, 2020

The Commerce Commission is tightening up security following two reviews into an October 2019 incident.

It follows the theft of computer equipment belonging to one of the commission’s external providers in a burglary. The equipment is thought to have contained documents relating to the commission’s work, including confidential information from businesses and individuals.

The commission has released the two reviews into the security incident and says it accepts all findings and recommendations.

Anna Rawlings, chairwoman, says the first report, by Richard Fowler QC, examined the circumstances relating to the burglary.

“The report finds the external provider was clearly under contractual obligations with regard to information security and the retention and disposal of confidential material, that they understood these obligations and were plainly in breach of them,” she explains.

“While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to keep sensitive information safe and we take responsibility for that. There was more that the commission could have done to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could better mitigate the type of risk raised by the security incident.”

The second report by KPMG looked into the commission’s information management and security, including information held or accessible by third-party suppliers.

“KPMG found that the commission has a moderate overall level of maturity in security and noted that the majority of its findings are consistent with what it sees in many other public and private sector organisations,” says Rawlings. “It found a strong information security culture and awareness among staff but also makes recommendations for improvements in a number of areas, including policies, procedures and work practices and our management of external providers.”

Rawlings adds that, in accepting the findings and recommendations from both reviews, the commission has already made a number of improvements.

“We are also embarking on a broad-ranging information management and security programme, to help ensure that those we interact with can continue to have confidence in our ability to protect confidential and commercially sensitive information provided to us.”

Actions already completed in response to the incident include ending the contract with the external provider and having the work done in house by commission staff or on-site by external providers using commission devices.

It has also contacted current and past suppliers of services to the commission to seek assurances they have appropriate security processes and protocols in place.

Further actions include recruiting a procurement manager to improve contract management, reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, and changing the internal contract approvals process.

The way information is exchanged with external providers and third parties is being changed and the commission has also committed to voluntarily adopting the government’s Protective Security Requirements.

Rawlings adds: “These measures, together with the information management and security programme, respond to the findings of the reviews and reflect the Commission’s commitment to continued improvement of our overall information security maturity.”

The two reviews, along with a summary of the incident and the commission’s response to it, can be found here.