The vexed question of privilege – Optus loses bid to keep Deloitte report under wraps



Posted on 22/11/23 at 8:57 AM

In the ongoing Federal Court class action against Optus concerning the significant data breach in September 2022, the Federal Court has recently determined that a Deloitte report on Optus’ data breach review was not legally privileged. This decision came despite Optus’ claim that the report was primarily intended to assist its legal counsel in providing advice on the cyberattack. Consequently, the Court granted access to the full report to Slater & Gordon, the plaintiff law firm in the class action. 

Key lessons: 
  • For external reports to qualify for privilege, their primary purpose must be the giving or receiving of legal advice, or use in litigation.
  • To strengthen legal privilege claims over advisory reports, early consideration is crucial. Implement processes for managing how communications are created and distributed, and how their purpose is described.
  • Evaluate whether legal advice should be distinct from non-legal materials to mitigate privilege risks. 
  • Exercise caution when articulating the purpose of investigative advice and reports.

Background to the case

In October 2022, Optus released a public statement disclosing its decision to engage Deloitte for an impartial external assessment of the cyberattack incident and an evaluation of its security systems, controls, and processes (Media Release). In the Media Release, Optus stated that the decision to request the review had been proposed by Optus’ CEO and had received unanimous endorsement from the Singtel board. A statement from the CEO said that Optus intended to communicate ‘lessons learned’ to its customer base. 

The Optus board subsequently endorsed a circular resolution to engage Deloitte for the review (Resolution). The Resolution outlined Deloitte’s mandate, including to: 

  • identify the circumstances and root causes of the cyberattack; 
  • review Optus’ management of cyber risk within the framework of relevant cyber risk management policies and processes; and 
  • review the cyberattack incident response and assess the appropriateness of actions taken.  

After commencement of the class action against Optus concerning the cyber incident, Deloitte submitted its report to Optus’ General Counsel and external solicitors. The Applicants sought access to the Deloitte report and primary materials, claiming the report was not chiefly prepared for the purpose of legal advice, and alternatively that any privilege was waived due to Optus’ public statements on Deloitte’s work.  

Report not subject to privilege 

The Court determined that, while the anticipation of litigation and regulatory proceedings was a purpose for commissioning the report, it was evident that the more general objectives of identifying the causes of the cyberattack and reviewing Optus’ management of cyber-risk were more prominent in the minds of the CEO and other directors when commissioning the report. The Court placed significant emphasis on the Media Release and Resolution in reaching this conclusion.  

Optus sought principally to rely upon the state of mind of its General Counsel in supporting its dominant purpose contention. Whilst acknowledging that the General Counsel was concerned with potential litigation and legal risks, the Court found his evidence to be lacking in the necessary detail and clarity to establish the dominant legal purpose. This included concerns about the General Counsel’s roles, where ambiguity existed regarding whether the General Counsel was acting in the capacity of General Counsel, company secretary, or both. 

Optus also said that the terms of Deloitte’s engagement letter made clear the purpose of the investigation was to assist its external solicitors in providing legal advice in connection with the cyberattack. Despite the privilege framework outlined in this engagement letter, the Court saw an artificiality to the letter, which was finalised after Deloitte had commenced its investigation.

Separately, the Court stated that were the report deemed privileged, Optus would not have waived this privilege through public statements that it would share ‘lessons learned’, as this was not a commitment to sharing the contents or findings of the report.  

Implications  

This decision holds significant implications for organisations navigating post-incident investigations and commissioning reports more broadly. The Court determined that the report’s primary purpose wasn’t the acquisition of legal advice or the assessment of legal risk, despite Optus’ assertion that the General Counsel commissioned it to address class action risks. The Court examined various elements, including Optus’ public statements describing alternative purposes for the Deloitte report, such as understanding the incident and preventing its recurrence. While legal advice was a purpose, it wasn’t the dominant one.

The Court acknowledged that certain parts of the report might still be eligible for legal privilege, but the overall denial stemmed from how Optus publicly portrayed the report’s purpose.

Practical steps to take to maximise a privilege claim over external reports:  
  • Swiftly define and implement terms explicitly stating the legal purpose of the work to bolster a privilege claim. 
  • Assign in-house or external legal professionals to oversee the review, ensuring a legal perspective in support of litigation or advice.
  • Exercise care in making public statements, to avoid compromising legal professional privilege. 
  • Consider if two separate reports are required, so that legally privileged material can be properly quarantined from commercial and operational issues. 

If you have any questions about this article, or matters involving privilege claims, please don’t hesitate to contact us. 


George Tabet Lawyer

George is a lawyer in our Litigation & Dispute Resolution team, having commenced at KHQ as a graduate in 2022. 


Paul Welling Principal Solicitor

Paul Welling leads our litigation team. Paul spent over a decade at a top tier national law firm and is a highly experienced litigator specialising in all areas of complex commercial litigation and...