Questions raised over how NZTA protects sensitive information

11:31 am on 31 July 2019

Major questions have been asked about how the beleaguered Transport Agency protects its sensitive information.


A scathing review by Deloitte found IT controls at the agency's Connected Journeys unit were patchy or missing.

"There are gaps in both HR [human resources] and technology practices that make it difficult to monitor the use and distribution of intellectual property [IP]," the report said.

"This exposes NZTA to risk of intellectual property loss or theft."

The review prompted the agency to approach the former head of Connected Journeys, Martin McMullan, to ask about his internet start-up Frenzy.

He set up Frenzy App in January this year while still at NZTA, and set up Frenzy Holdings in April, after he left the agency in March, at the time the Deloitte review began.

Three senior people who worked under Mr McMullan while he was director of Connected Journeys, including the former acting head of engineering, have taken stakes in Frenzy since recently leaving NZTA themselves.

"NZTA wrote to Mr McMullan, as the founder of Frenzy, to ensure that the company was not in possession of any NZTA trademarks or IP," the agency told RNZ in a statement.

"We have received written confirmation through his legal representatives that Frenzy is a newly-created internet advertising business with no IP or technology at this stage, other than a logo trademark and a basic website, and that Mr McMullan has not retained access to the Agency's IP in any form."

The Frenzy website says it is developing an app that allows people to get discounts on transport by watching sponsored online content such as TV show promos.

Mr McMullan did not respond to RNZ's requests for comment.

Deloitte did not seek his input to its review.

It found that Connected Journeys did not properly inform contractors and employees about their contractual obligations around intellectual property.

Some were given greater network access than necessary, put sensitive commercial information in third-party email accounts or used unapproved cloud data storage.

They used their personal devices and personal emails to do work without monitoring, and personally registered some NZTA domain names.

"There has been a clear lack of management controls and processes implemented around such registration activity, with even the CJS Director involved."

Contractors made up 90 percent of staff at Connected Journeys, which rapidly grew from eight people to 100 as it developed transportation apps.

"The high use of contractors means that a large amount of IP sits with individuals who are only meant to have short-term roles in the organisation," Deloitte said.

The combined effect was "gaps which could be exploited by individuals wishing to use NZTA intellectual property for their own purposes and benefit".

"NZTA data and IP is freely transferrable to the private sphere."

Deloitte declined to comment on whether it had, in fact, investigated if IP had been exploited, as opposed to merely identifying the weaknesses.

The Transport Agency said it was not aware of any cases of IP loss or theft, and that the Deloitte review did not find any, but identified vulnerabilities.

It was strengthening IP clauses in its hiring contracts, and rules around how devices are used, it said.

The Transport Agency refused to give RNZ an interview about its intellectual property security.

A lawyer specialising in intellectual property, Virginia Nichols, said the Deloitte review showed the problems that could arise from not managing or controlling contractors properly.

"Particularly in a section of Government that is working innovatively, and generating IP, care should be taken to make sure the terms of each contract are sufficiently robust before work starts, so that ownership of IP is held by the department," she said.

"Ownership of IP by the Government is not inconsistent with Open Government. It is, in fact, essential to it, because the Government should not release or share what it does not own or control."