ComCom provider ‘in breach’ of contractual obligations after data loss

The stolen computer equipment at the centre of the security incident is thought to have contained a range of documents relating to the Commission’s work.

Anna Rawlings (Commerce Commission)

Credit: Supplied

The Commerce Commission has reviewed and overhauled its supplier engagement processes after a report into the theft last year of an external provider’s computer equipment containing more than 200 meeting and interview transcripts.

The stolen computer equipment at the centre of the security incident is thought to have contained a range of documents relating to the Commission’s work, including some confidential information from businesses and individuals.

Now, the Commerce Commission has released two reviews into the October 2019 security incident, accepting all findings and recommendations.

The first report, by Richard Fowler QC, looked into the circumstances relating to the specific incident and, according to Commission Chair Anna Rawlings, found that the external provider whose computer equipment was stolen was “plainly” in breach of certain contractual obligations.

“The report finds the external provider was clearly under contractual obligations with regard to information security and the retention and disposal of confidential material, that they understood these obligations and were plainly in breach of them,” Rawlings said.

“While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to keep sensitive information safe and we take responsibility for that. 

“There was more that the Commission could have done to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could better mitigate the type of risk raised by the security incident,” she added.

The second report, by consulting firm KPMG, looked into the Commission’s information management and security, including information held or accessible by third-party suppliers.

“KPMG found that the Commission has a moderate overall level of maturity in security and noted that the majority of its findings are consistent with what it sees in many other public and private sector organisations,” Rawlings said.

“It found a strong information security culture and awareness among staff but also makes recommendations for improvements in a number of areas including policies, procedures and work practices and our management of external providers,” Ms Rawlings said.

“We accept the findings and recommendations from both reviews. We have already made a number of improvements in the areas identified by Mr Fowler QC as directly related to the security incident. 

“We are also embarking on a broad ranging information management and security programme, to help ensure that those we interact with can continue to have confidence in our ability to protect confidential and commercially sensitive information provided to us,” she added. 

The changes already implemented by the Commission include terminating its contract with the external provider and having the work done in house by Commission staff or on-site by external providers using Commission devices.

Additionally, the Commission has contacted current and past suppliers of services to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols.

It has also recruited a procurement manager to improve contract management and is reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, as well as changing the internal contract approvals process.

Moreover, the Commission is making a number of changes to improve the way information is exchanged with external providers and third parties.

The Commission has also committed to voluntarily adopting the government’s Protective Security Requirements.

“These measures, together with the information management and security programme, respond to the findings of the reviews and reflect the Commission’s commitment to continued improvement of our overall information security maturity,” Rawlings said.

