The Federal Court of Australia has held that an expert forensic investigation report prepared by Deloitte Touche Tohmatsu (Deloitte) for Optus in the aftermath of its September 2022 cyber attack was not subject to legal professional privilege (LPP).
This article will examine the key takeaways from this decision, handed down on 10 November 2023, including decisions made by entities to engage third-party experts in internal investigations, the preparation of reports and practical steps to protect LPP.
In setting out its reasons, the Court (Justice Beach) confirmed that the common law in respect of LPP, that is, the ‘dominant purpose’ test, was well-established and not in question:
“Under the common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings”.[1]
The Court found that Optus had not satisfied the dominant purpose test.
While the Court recognised that the general counsel (GC) was a relevant mind to consider in determining Optus’ intention in commissioning the investigation into the cyber attack (and hence, the purpose of the Deloitte Report), it only formed “part of the analysis”.[2]
In the absence of evidence from Optus’ CEO or other Board members – whose states of mind the Court considered ‘highly relevant’ to determining the purpose of the Deloitte Report – the Court instead placed great weight on publicly available evidence of events which occurred at Optus to shed light on the objective assessment of the dominant purpose. This included the following.
Although the Court had accepted the GC’s evidence that one of the reasons for the commissioning of the investigation (and by extension, the Deloitte Report), at the ‘forefront’ of the GC’s mind, was to assess the litigation and legal risks arising out of the cyber attack,[5] the above contemporaneous events which occurred at Optus strongly indicated that other general, non-legal purposes were more (or perhaps equally) prominent (dominant), these being:
For these reasons, it became apparent that the dominant purpose of the Deloitte Report was “not a defensive legal or litigation strategy” and as such, the Deloitte Report and its supporting documents were not created for the dominant purpose of Optus seeking legal advice or in connection with the conduct of anticipated or contemplated legal proceedings.[6]
Waiver of LPP
The Court commented in obiter that in the event that LPP did apply, there was no waiver of it by Optus.
The Court accepted, on well-established principles, that implied waiver occurs where there is an inconsistency between the conduct of the LPP holder and the maintenance of the confidentiality which LPP is intended to protect. It found that none of the public statements made by Optus put the contents of the Deloitte Report in issue. Referring to a public statement in which Optus committed to “sharing lessons”, the Court held this was not a commitment to share the contents of or findings in the Deloitte Report.
Investigations and reports are commonly prepared for various purposes, such as for legal reasons, to identify the causes of an incident, or to review internal policies. What is critical is the purpose at the time of the creation of a relevant communication (here, the engagement of Deloitte to prepare a report).
It is not enough to commission work by a third party and then attempt to cover the work of the third party with a magical cloak of privilege. Not only will courts see through such a façade, but critically, regulators like the ATO, the ACCC and ASIC are requiring evidence to support claims of privilege before they will be accepted.
When seeking to justify a privilege claim, it is important to submit clear and detailed evidence about why a party was engaged and for what purpose from the relevant decision makers. The decision highlights the importance of submitting clear and specific evidence when establishing the dominant purpose for obtaining a report for a legal purpose.
Lastly, the engagement of Deloitte by internal counsel, in the way it was done, and the later role of external lawyers highlight the difficulties corporations face when trying to create privilege when, arguably, none existed at the critical time.
While Optus may seek to appeal the judgment, the ruling reinforces the care that must be taken when a corporation engages an expert through an internal process, even by internal counsel, where there are clearly various purposes at play which all support why something was done. This means the seeking of legal advice may not be the dominant purpose it is hoped to be. This is all the more reason why – at the first instance of a crisis – external counsel are retained and decisions properly made and documented, so that reports or work activities are commissioned by the lawyers for the lawyers to give legal advice to the client.
[1] Robertson v Singtel Optus Pty Ltd [2023] FCA 1392, [87].
[2] Ibid [130].
[3] Ibid [30].
[4] Ibid [53].
[5] Ibid [10].
[6] Ibid [127]. See similarly Singapore Airlines v Sydney Airports Corporation [2004] NSWSC 380.