The security incident arose from the theft of computer equipment belonging to one of the Commission's external providers in a burglary. The computer equipment is thought to have contained a range of documents relating to the Commission's work, including some confidential information from businesses and individuals.

The first report, by Mr Fowler QC, looked into the circumstances relating to the specific incident.

"The report finds the external provider was clearly under contractual obligations with regard to information security and the retention and disposal of confidential material, that they understood these obligations and were plainly in breach of them," Commission Chair Anna Rawlings said.

"While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to keep sensitive information safe and we take responsibility for that. There was more that the Commission could have done to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could better mitigate the type of risk raised by the security incident."

The second report by KPMG looked into the Commission's information management and security, including information held or accessible by third-party suppliers.

"KPMG found that the Commission has a moderate overall level of maturity in security and noted that the majority of its findings are consistent with what it sees in many other public and private sector organisations. It found a strong information security culture and awareness among staff but also makes recommendations for improvements in a number of areas including policies, procedures and work practices and our management of external providers," Ms Rawlings said.

"We accept the findings and recommendations from both reviews. We have already made a number of improvements in the areas identified by Mr Fowler QC as directly related to the security incident. We are also embarking on a broad ranging information management and security programme, to help ensure that those we interact with can continue to have confidence in our ability to protect confidential and commercially sensitive information provided to us."

Actions already completed in response to the incident include:

  • ending the Commission's contract with the external provider and having the work done in house by Commission staff or on-site by external providers using Commission devices
  • contacting current and past suppliers of services to the Commission to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols
  • recruiting a Procurement Manager to improve contract management, reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, and changing the internal contract approvals process
  • making a number of changes to improve the way information is exchanged with external providers and third parties.

The Commission has also committed to voluntarily adopting the government's Protective Security Requirements.

Ms Rawlings said, "These measures, together with the information management and security programme, respond to the findings of the reviews and reflect the Commission's commitment to continued improvement of our overall information security maturity. "

The two reviews, along with a summary of the incident and the Commission's response to it can be found here.