Court guidance on privilege and cyber forensic reports in Australia

Insights15 Nov 2023
The Federal Court has ruled that Optus cannot claim legal privilege in a forensic report prepared by Deloitte following the September 2022 cyber attack and data breach.

By David Dickens, Eden Winokur and Sarah Stamp

The Federal Court ruled, on 10 November 2023, that Optus cannot claim legal privilege in a forensic report prepared by Deloitte following the September 2022 cyber attack and data breach.

This was despite sworn evidence from Optus’ general counsel/company secretary that the dominant purpose of the report was to assist Optus in assessing its legal risk and in relation to threatened legal proceedings.

Decision

The judgment of Justice Beach is detailed and closely analyses the commissioning of the Deloitte report.

The law regarding legal privilege is well established. As the Court said[1](at [87]),

Under the common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings (our emphasis).

The linchpin of Optus’ difficulty in this case was that the carefully prepared evidence of its general counsel/company secretary regarding the dominant purpose of the report sat uncomfortably with evidence of other contemporaneous events at Optus.

These other events included:

  • Optus issued a press announcement attributed to its CEO. Optus said it was appointing Deloitte ‘to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes‘. Optus also said the Deloitte review ‘was recommended by Optus Chief Executive Officer, Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board, which has been closely monitoring the situation with management since the incident came to light‘. The Court noted the announcement did not state that the review was recommended by any lawyer or that it was being done for legal purposes [2](at [30]). The announcement also stated that ‘Deloitte’s global specialists will work with the Singtel and Optus teams and other international cyber experts[3](at [33]).
  • Circular resolutions being provided to Optus’ board for approval to engage Deloitte. The resolutions referred to various purposes of the report, without stating that it was to obtain legal advice. While a draft resolution referred to the involvement of the general counsel and company secretary, this was removed in the final resolution without explanation in the evidence. [4](at [43]).
  • Deloitte was formally engaged via Optus’ external legal advisers. Ordinarily, this assists in a privilege claim. However, the letter of engagement noted that it was not intended to be an appointment of an expert witness and the purpose described was an external review, not in relation to legal advice. [5][at 52]
  • There were subsequent press announcements regarding the status of the report, which referred to it as an ‘independent review‘ and said that Optus was committed to ‘sharing lessons’ [6](at [56]).

Importantly, the Court found that the relevant state of mind was not just the general counsel’s. The Court held that the state of mind of the CEO and other board members are also highly relevant [7](at [129]).

Having regard to all the evidence, the Court held that the dominant purpose in the mind of the CEO and board members ‘was not a defensive legal or litigation strategy[8](at [127]).

The Court also had regard to the vagueness in some of the general counsel’s evidence regarding conversations and how decisions were made. Justice Beach said ‘…I have an uncomfortable sense that important aspects of [the general counsel’s] affidavit concerning the time-frame prior to mid-October 2022 has involved an element of reconstruction.’ [9](at [165]).

The Court concluded that Optus has not satisfied it that the requisite dominant legal purpose can be distilled from the multiplicity of purposes in play. Optus will now be ordered to produce the report, and likely any supporting documents relating to the creation of the report.

Takeaways

A large data breach is a crisis. Boards, CEOs and general counsel need to quickly juggle a multitude of operational, reputational and legal issues.

When faced with a significant incident, it is common for companies to engage IT forensic providers to contain an incident and report on cause, scope and recommendations to prevent recurrence. Depending on the circumstances, this may be to address legal risks and/or to deal with other issues.

To maximise the prospects of privilege applying, the engagement of IT forensic providers and any report prepared must be for the dominant purpose of a lawyer advising the company in respect of legal risk. It is not sufficient to show a substantial purpose or that the privileged purpose is only one of two or more purposes of equal weighting. The privileged purpose must be the paramount or most influential purpose. One practical test is to ask whether the communication would have been made (whether the document would have been brought into existence) irrespective of the obtaining of legal advice. If so, the communication (document) may not satisfy the dominant purpose test.

The timing of engaging lawyers in critical. As Justice Beach remarked ‘Channelling material through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have[10](at [161]). Further, depending on the nature of any report prepared, it may be some parts of it are covered by privilege (those required for the dominant purpose of receiving legal advice) and other parts are not.

In addition, it is not uncommon in Australia for large companies and governments to quickly announce the commissioning of an external review. This may be done to give assurance that they are committed to improvement and ensuring those responsible are held accountable, and to try to move out of the daily media cycle. Of course, the commissioning of a review may cause subsequent challenges. What the final report will say cannot be predicted. In relation to legal risk, the independent and external review may lead to the creation of documents (eg interview reports) which would not otherwise have existed.

Just as external reviews are increasingly common, so too are subsequent privilege disputes regarding the reports[11]. Companies must recognise the rewards and risk of an external review, and clearly decide upfront whether it is for legal purposes (and so privileged) or for broader purposes (and so not privileged). Companies cannot have it both ways. The scope of non-privileged reviews should be carefully considered.

Internal and external legal teams are generally mindful of the principles of legal privilege and can prepare engagements accordingly. However, they are not the sole controlling minds. Everyone, in particular the CEO, board and publicity team, must be aligned in their understanding and statements regarding reports. Companies cannot rely on ‘legal’ to cloak reports in privilege.

When defending the privilege of a report, evidence should be led from all the decision makers. Any apparent inconsistencies in the purpose of the report should be pro-actively addressed and explained in the evidence.

[1] at [87]
[2] at [30]
[3] at [33]
[4] at [43]
[5] at [52]
[6] at [56]
[7] at at [129]
[8] at [127]
[9] at [165]
[10] at [161]
[11] Powercor Australia Ltd v Perry [2011] VSCA 239 and TerraCom Ltd v Australian Securities and Investments Commission [2022] FCA 208

Hall & Wilcox acknowledges the Traditional Custodians of the land, sea and waters on which we work, live and engage. We pay our respects to Elders past, present and emerging.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of service apply.