Privilege after a cyber attack: what businesses must get right
In October 2022, Medibank suffered a cyber attack during which a threat actor stole approximately 520GB of customer data that was later published on the dark web. A class action has since been commenced against Medibank by affected customers.
On 7 March 2025, the Federal Court handed down its decision in McClure v Medibank Private Limited [2025] FCA 167 (Medibank Case). The case dealt with an application for the production of third-party reports that Medibank obtained relating to the attack. Medibank opposed the application on the basis that the reports were protected by legal professional privilege.
The Court found that some of the reports were privileged and were protected from disclosure to the applicants. Significantly, this is the first time a court has found that privilege can apply to reports prepared by a company following a cyber incident. However, not all of Medibank’s expert reports were found to be privileged.
The decision shows that courts will closely examine privilege claims over reports created for more than one purpose, especially in the wake of a cyber incident. Notably, the decision is also largely consistent with the Full Federal Court’s findings in Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 (see our previous article here) (Optus Case). In that judgment, the Court ruled that Optus could not claim privilege over a report prepared by Deloitte following a cyber incident because it was not prepared for the dominant purpose of providing legal advice.
Recap on privilege
Legal professional privilege applies to confidential communications made for the dominant purpose of obtaining legal advice or for use in ongoing or anticipated litigation. The party claiming the privilege bears the onus of proving the privilege applies.[1] In this case, Medibank had to show that legal professional privilege applied to the multi-purpose reports.
Background
As part of the ongoing class action, Medibank engaged various third parties to prepare reports in relation to the cyber incident. These included:
- Deloitte reports: three reports – a ‘post incident review’, ‘root cause analysis’ and a compliance report prepared in accordance with Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234;
- CrowdStrike reports: two reports – an investigation report based on the data the CrowdStrike software collected during the incident, and the ‘Atlassian Crowd Analysis’ report, which set out findings about the threat actor’s activity inside Medibank’s systems;
- Threat Intelligence reports: two reports – a ‘Digital Forensics and Incident Response’ report and a dark web monitoring report; and
- CyberCX and Coveware communications: email communications between CyberCX, Coveware and Medibank’s solicitors regarding the effect of making a ransom payment to a threat actor on the statutory duties of company directors and officers.
What was found to be privileged?
The Court found that legal professional privilege attached to the CrowdStrike reports, Threat Intelligence reports and the CyberCX and Coveware communications.
Medibank’s evidence showed that the dominant purpose of these reports was for the provision of legal advice or use in the ongoing litigation. In particular, Medibank’s solicitors used the materials to:
- advise Medibank on its obligations under the Privacy Act 1988 (Cth), its regulatory obligations and the legality of paying a cyber ransom;
- respond to compulsory notices issued by the Office of the Australian Information Commissioner;
- prepare summaries and notes regarding the factual and legal issues relevant to the proceeding; and
- draft Medibank’s defence in the proceeding and prepare a brief to counsel.
As a result, Medibank did not have to disclose these documents in response to the application.
What was not protected by privilege? – Deloitte reports
The Court found that the Deloitte reports were not protected by legal professional privilege, as Medibank could not show that the dominant purpose of the reports was to provide legal advice (or any other privileged purpose).
Justice Rofe found that the Deloitte reports were commissioned for other purposes that were at least as dominant as, if not more dominant than, any legal purpose. These other purposes were:
- ASX/PR purpose: Deloitte were engaged to help Medibank make public ASX announcements and communicate with customers, health partners and employees. In each public statement, Medibank stated it – not its solicitors – commissioned the Deloitte reports to help safeguard customers after the cyber breach.
- APRA purpose: Medibank wanted to carry out its own internal review of the cyber breach to avoid an independent review by APRA. Importantly, Medibank’s solicitors were not involved in these communications or in meetings between Medibank, APRA and Deloitte.
In short, Medibank’s public commitment to sharing Deloitte’s findings was very different from how it treated the other privileged reports. The Court found this to be inconsistent with a claim for legal professional privilege.
The applicants also argued that the Deloitte reports served a ‘governance’ purpose, as Medibank’s Board closely oversaw their production. The Court did not find that this governance purpose was equally dominant with the legal purpose of the reports; however, the Board’s close involvement, and the emphasis on the Board having commissioned the review, weighed against the reports being prepared for a dominant legal purpose.
Lastly, the Court found that even if the Deloitte reports had been privileged, Medibank had waived any privilege over the ‘post-incident’ report. Justice Rofe said at paragraph 445:
"In my view, by making this reference to the Deloitte PIR Report, Medibank was seeking to take advantage of its implementation of the recommendations resulting from the external incident review conducted by Deloitte to deflect criticism and enhance or maintain its good standing in the eyes of its shareholders and customers and its share price. It cannot at the same time maintain privilege in that part of the report setting out the recommendations to enhance Medibank’s IT processes and systems. I consider that by making the statements in the 28 April 2023 ASX Announcement, Medibank has waived privilege in that part of the PIR Report relating to the recommendations to enhance Medibank’s IT processes and systems."
These findings are generally consistent with the decision in the Optus Case, reaffirming longstanding authority that the legal purpose must be the dominant – not equal or lesser – purpose.
Comparison with the Optus Case
To help compare the Medibank Case and the Optus Case on legal professional privilege, we have prepared the table below.
| Aspect | McClure v Medibank Private Limited [2025] FCA 167 | Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 |
|---|---|---|
| Privileged Documents | Narrowly focused reports/communications (eg CrowdStrike reports, CyberCX communications) for legal advice or regulatory responses were privileged. | No documents were found to be privileged (the proceeding concerned only one document). |
| Non-Privileged Documents | Deloitte reports (root cause, PIR and APRA CPS 234 reports) were not privileged due to there being other dominant purposes (ie public announcements and avoiding an APRA review). | Deloitte report was not privileged due to contemporaneous events at Optus suggesting the dominant purpose was not a ‘defensive legal or litigation strategy’. |
| Evidence | Medibank provided evidence from the CEO, Chair and General Counsel, but this was insufficient to outweigh documentary evidence indicating the Deloitte reports were commissioned for other dominant purposes. | Optus relied solely on General Counsel’s affidavit, which lacked specificity and ignored non-legal purposes of the Deloitte report. |
| Waiver | The Court found that had privilege attached to the Deloitte PIR report, it would have been waived due to Medibank’s public statements. | Not explicitly addressed, but Optus’ public statements weakened its privilege claim. |
| Consistency | Consistent with Optus v Robertson: multi-purpose reports are not privileged unless prepared for a dominant legal purpose. | Set a precedent for McClure v Medibank: multi-purpose reports require strong evidence of a dominant legal purpose. |
Key takeaways
When businesses are affected by cyber breaches, they often engage third party experts to help manage the response. It is critical for businesses to be clear about how those experts are engaged and what the dominant purpose of their work is.
This decision emphasises that businesses can claim legal professional privilege over reports prepared by third parties after a cyber incident – but only if the dominant purpose of the report is to obtain legal advice or for use in anticipated or ongoing litigation. If a report is prepared for another non-legal purpose that is equally or more dominant than the legal purpose, legal professional privilege will not apply.
In particular, the Court will closely look at:
- the actual content of the report, rather than any labels of privilege (which are “largely meaningless and not determinative”);[2]
- the timeline of the incident, the advice sought, and any related documents created contemporaneously with the report; and
- whether public statements have been made by which privilege might have been waived, even unintentionally.
It is not enough to simply label a report as privileged. Businesses and Boards should ensure:
- the predominant (or only) purpose of the report is in fact a legal purpose;
- clear messaging is given to all relevant staff that the report is intended to be privileged and should be treated as such;
- instructions to experts are narrowly focused on legal advice, not broader business issues;
- separate reports are commissioned so that non-legal matters are kept apart, rather than a single multi-purpose report containing sensitive legal information that may then have to be disclosed;
- communications with the experts include the business’ solicitors and that the solicitors have conduct of and oversight over the commissioning of the report; and
- public statements about the findings of a multi-purpose report are carefully managed to avoid suggesting the report was sought for a non-legal purpose.
We will continue to monitor these proceedings and any developments in this area and provide updates.
If you would like to learn more about cyber risk, cyber litigation, data breach class actions, legal professional privilege, or how these issues could affect you or your business, please contact our Hall & Wilcox team.
This article was written with the assistance of Charlotte Van de Poll, Paralegal.