Federal Court hands down a privilege lesson for cyber and critical incident responses

When Optus suffered a significant data breach on 22 September 2022, an immediate and sustained outcry arose from the public and from Australian politicians, demanding an explanation and action from Optus.

On 3 October 2022, Optus issued a media release announcing that it had engaged Deloitte to carry out “a forensic assessment of the cyber-attack and the circumstances surrounding it” and that “the review would ensure [Optus] understood how [the data breach] occurred and how [Optus] can prevent it from happening again”.

Affected customers commenced a class action against Optus in the Federal Court in April 2023. When the claimants sought access to the Deloitte report, Optus resisted and argued that the report was subject to legal professional privilege as it had been commissioned for the ‘dominant purpose’ of obtaining legal advice.

On 10 November 2023, Beach J of the Federal Court disagreed.

Privilege

Legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or professional legal services in actual or anticipated litigation or regulatory investigations or proceedings.

As a general proposition, it is perfectly appropriate for an investigation (including a forensic investigation into a cyber security breach) to be conducted for the dominant purpose of a client receiving such legal advice and representation.

However, if (objectively) the document would have been brought into existence irrespective of the client’s wish to obtain legal advice, then it is unlikely the document would satisfy the dominant purpose test.

Ultimately, Justice Beach decided that whilst legal advice for prospective litigation and/or regulatory proceedings was a relevant purpose when the Deloitte report was commissioned, there were two other competing and dominant purposes:

• to identify the circumstances and root causes of the cyberattack for management purposes and rectification; and
  
  
• to review Optus’s policies and processes for managing cyber risk.

External communications, the role of the board and retainers

In reaching this view, Justice Beach gave significant weight to three factors:

1. Optus’ media release of 3 October 2022.
   
   
2. The broader role of the Board in the engagement of Deloitte.
   
   
3. The Deloitte letter of retainer dated 21 October 2022.

The media release stated that “the review would ensure [Optus] understood how [the data breach] occurred and how [Optus] can prevent it from happening again”. It also stated that “the review was recommended by Optus Chief Executive Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board, which has been closely monitoring the situation…”.

Optus was required to produce drafts and finals of the signed board resolution, as well as the General Counsel’s accompanying email, none of which identified that a dominant purpose for Optus to commission the report was to receive legal advice or professional legal services.

Further, Justice Beach considered it was not clear in what capacity the General Counsel (who also held the position as company secretary at the time) was communicating with the board – which also made it less clear whether the recommendation to engage Deloitte was for a privileged dominant purpose.

The Deloitte letter of retainer contained references to privilege protocols which Justice Beach acknowledged were consistent with it being commissioned for a privileged purpose. However, His Honour emphasised that this did not “cloak material with any privilege that it did not otherwise have” and did not supersede the dominant purpose indicated at the time of the board resolution when the decision was made.

Five takeaways for in-house counsel and boards

At times of crisis, there will be an understandable imperative for organisations to put themselves in a position where they can provide reassurance that they are in control of the situation as soon as possible. For Optus, there were likely very sound reasons for announcing the retainer of Deloitte in the manner that occurred, and for the board and the company to want to know how the data breach occurred.

A post-data breach forensic investigation undertaken for the dominant purpose of the company seeking legal advice is a prudent risk mitigation strategy, but to make clear that legal advice is the main reason the report has been committed, the company must ensure that dominant purpose is manifested in its communications and related actions.

To do that, we would recommend:

1. Reviewing Incident Response Plans to ensure that:
   
   • responsibility for managing internal and external stakeholders is clearly defined between the board, legal, company secretary, public relations and the information technology team;
   
   • there are processes in place to avoid inconsistent messaging in both internal and external communications and authorisation by legal of any communications that might be relevant to legal strategy; and
   
   • for privileged exercises, the company delegates management of the engagement of forensic investigators to a small group to ensure that confidentiality (and privilege) is maintained.
   
   
2. As part of the Incident Response Plan, giving consideration in advance to the circumstances when forensic investigators will need to be retained in a data breach and which parts of the organisation need to be involved. Work with your external lawyers to ensure that retainer agreements for forensic investigators are able to be put in place immediately and that the scope and purpose of the investigation is clear.
   
   
3. Ensuring that stakeholders are aware of the difference between ‘incident response’ (for example, locking down IT systems immediately upon discovering an incident) and a forensic investigation (or root-cause analysis).
   
   
4. A cautious approach to ‘post-mortem’ investigations, whether those are conducted internally or by external providers. It is appropriate for companies to commit to uncovering problems and learning lessons, but any work done for that purpose is unlikely to be privileged and may need to be produced to regulators and in court proceedings, in due course.
   
   
5. Having a crisis response communications protocol developed as part of the incident response plan, which includes clear internal guidelines on ensuring that communications are made with potential privilege and other legal consequences in mind.