Where’s my privilege? Federal Court denies Optus’ claim of privilege over Deloitte report in data breach class action

Over the last 12 months, the discourse around the cyber threat landscape in Australia has accelerated in the wake of high-profile cyber incidents.

The risk profile for organisations has also evolved, with the commencement of class action proceedings against organisations subject to these cyber attacks, such as Singtel Optus Pty Ltd (Optus) following a data breach in September 2022 (Optus Data Breach).

The response to any cyber incident will necessarily involve a multidisciplinary approach to determine the best course of action, including input from information security, legal, risk, and corporate governance teams. It follows that organisational decision-making in the immediate incident response to a cyber threat can easily affect the downstream risks to the target business, and in many cases can increase them.

Businesses that wish to seek legal advice about their risks, or about how best to mitigate those risks in the aftermath of a cyber incident, may also have various stakeholders contributing to the communications and instructions given to lawyers. It is also possible that lawyers and other advisers will be engaged to work cooperatively together, including to brief the board and to assist with risk mitigation and regulatory responses.

In this environment, the purpose, let alone the dominant purpose, for the creation of documents and communications in an organisation’s incident response can become murky. Where documents are created for mixed purposes, there is a real risk that these documents and communications cannot be protected by legal professional privilege (LPP).

At its core, an LPP claim in this or any context is determined by first principles. We have published a comprehensive guide on the laws of privilege in Australia, which can be accessed here and which summarises the relevant common law test.

In this article, we take a look at the outcome of Optus’ claim of privilege over an external report in Robertson v Singtel Optus Pty Ltd (Optus class action). In the Optus class action, Justice Beach of the Federal Court found that the report prepared by Deloitte from its external review following the Optus Data Breach (Deloitte Report) did not attract LPP.

The Optus decision

On 10 November 2023, Optus lost its claim for LPP over the Deloitte Report in the Optus class action ([2023] FCA 1392). Justice Beach found that Optus had not discharged the onus of demonstrating that the Deloitte Report was prepared for the dominant purpose of obtaining legal advice, or for use in litigation or regulatory proceedings.

As a result, Optus will now likely produce the Deloitte Report for the applicants’ inspection in discovery (although the extent of this disclosure is yet to be determined).

Justice Beach determined Optus’ claim for LPP by reference to common law principles, emphasising that it is not sufficient to show a substantial purpose or that a privileged purpose is one of two or more purposes of equal weighting. Rather, the ordinary meaning of the dominant purpose indicated the need for a “ruling, prevailing or most influential purpose”. In the present case, Justice Beach found that the Deloitte Report was prepared for “multiple purposes”, including:

  • a legal advice purpose;
  • a purpose to identify the root causes of the cyber incident (management and rectification purpose); and
  • a purpose to review Optus’ management of cyber risk policies and processes.

Optus relied solely on an affidavit from its general counsel and company secretary to support its privilege claim over the Deloitte Report. To assess the Deloitte Report’s dominant purpose, his Honour looked to the ‘relevant state(s) of mind’ to be attributed to Optus. This included the general counsel’s affidavit, but his Honour went beyond Optus’ own evidence and also considered:

  • that the general counsel of Optus was not, in the Court’s view, acting solely in the capacity of general counsel when he instructed Deloitte. Rather, he also acted in a company secretary capacity, or in some hybrid capacity;
  • the intention of Optus’ chief executive officer when making various media statements (that a forensic review would play a crucial role in Optus’ response to the incident and in supporting its customers); and
  • a resolution passed by Optus’ board to obtain a report from Deloitte in order to, inter alia, “review Optus’ management of cyber risk” and “review the Cyberattack incident response”, which was not consistent with Optus’ privilege claim.

Importantly, his Honour was of the view that the relevant time at which to assess the dominant purpose of the Deloitte Report was the point at which it was procured, rather than the date of the report or any later time after Optus’ decision to obtain the Deloitte Report.

Having regard to the above, Justice Beach concluded that the Deloitte Report was not prepared for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.

Was there a waiver of privilege?

The applicants made an alternative argument that, even if the Deloitte Report was protected by LPP, Optus’ conduct in relying on the report for other purposes (e.g. in public statements about the actions it took in response to the data breach) gave rise to an inconsistency such that privilege was waived over the Deloitte Report.

Justice Beach rejected this argument, again relying on common law principles. His Honour found that an implied waiver can only occur where there is some inconsistency between the conduct of the privilege holder and the maintenance of the confidentiality which the privilege is intended to protect. In the present case, his Honour found that Optus’ reliance on the Deloitte Report for other purposes did not result in any meaningful disclosure of the substance of Deloitte’s views, advice or report in the public statements, and so did not amount to a waiver of LPP. His Honour also found that statements on Optus’ website about lessons learned from the data breach did not equate to a commitment to share the contents of, or the findings in, the Deloitte Report.

What does this decision mean for businesses in Australia that face a data breach involving consumer or customer data?

This decision is an important reminder that documents and communications prepared in response to a data breach may be vulnerable to disclosure, particularly where those documents and communications serve multiple purposes (cyber security and remediation plans, public relations, legal advice, and so on).

Our practical tips for maintaining a claim of LPP follow:

  1. If you are seeking legal advice, or suspect that you will need legal support, involve the legal team at an early stage.
  2. Establish a privilege protocol within the organisation which includes clear guidance on maintaining confidentiality and on directing requests for advice to the legal team. We recommend that it include a statement making it clear that the purpose of the communication relates to the seeking of legal advice.
  3. Ensure that any public statements or press releases are made with input from the legal team, to mitigate the risk of an inadvertent waiver of LPP.
  4. Ensure that in-house lawyers who wear multiple hats within an organisation clearly articulate when they are providing legal, rather than commercial, advice. We also recommend that in-house lawyers keep privileged documents and communications separate from non-privileged records.
  5. Make clear the purpose of obtaining any external report or engaging third-party consultants, in consultation with the legal team, at the time the report is sought.

Our comprehensive guide on legal professional privilege is available here.

Optus’ appeal

On 24 November 2023, Optus filed an application seeking leave to appeal this judgment. Further updates are to be expected and will be reported on our insights page.

Please do not hesitate to reach out to our subject matter experts mentioned in this article if you have any questions.