Legal professional privilege (LPP) is still causing problems where commercial decisions are made under pressure which can cause fundamental difficulties when LPP claims are later made, challenged and rejected by the courts. Companies need to exercise considerable care when experts or independent consultants are engaged, and to ensure there is a proper basis for LPP, even if that means senior executives and directors give evidence on why decisions were made to obtain legal advice and/or an opinion from independent, expert advisers. If this is not handled with care, any LPP, even if it is established, may be lost.
Following our previous article in November last year, the Full Court of the Federal Court of Australia has recently dismissed an application[1] made by Optus for leave to appeal the first instance decision by Justice Beach.[2]
The Full Court’s decision (on 27 May 2024) again reaffirmed the fundamental ‘dominant purpose’ test in respect of determining LPP claims, in relation to a forensic investigation report prepared by Deloitte (the Deloitte Report). The Deloitte Report was commissioned by Optus in response to the aftermath of its September 2022 cyber-attack data breach, which saw approximately 9.5 million customers’ private information compromised.
It was determined that the Deloitte Report was not covered by LPP as Optus could not establish that the report was procured for a dominant legal purpose, but rather served a range of legal and non-legal purposes.
This article will consider the key takeaways from the Full Court decision and subsequent consideration of this issue in the IG Energy and the current Medibank class action cases.
Further to the background contained in our previous article, Optus presented five grounds of appeal, these being, that Justice Beach made errors in:
The Full Court of the Federal Court rejected the appeal on all grounds.
The Full Court upheld Justice Beach’s determination that Optus did not satisfy its onus to establish that the Deloitte Report was prepared for the dominant purpose of obtaining legal advice. Instead, while it was accepted that it did serve a legal purpose, the Deloitte Report was found to be prepared for a number of other non-legal purposes.
In our opinion, the primary judge was correct to find on the evidence that there were multiple purposes for which the Deloitte Report was commissioned and that the evidence did not establish that the Deloitte Report was procured for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.[3]
These purposes included developing Optus’ response to the data breach, as well as instigating strategies and crisis management policies to avoid future reoccurrences. Such non-legal purposes were directly addressed in a public media release by the CEO, through a statement that “this review will help ensure we understand how [the cyber-attack] occurred and how we can prevent it from occurring again.”[4]
The Full Court stressed that it will therefore not be enough to establish that an investigation served a legal purpose. Rather, where non-legal purposes are associated with a decision to engage an independent consultant, it is necessary to establish that the legal purpose is the dominant one.
The Full Court held that a dominant purpose can be achieved in a variety of ways and largely depend on the facts and on a case-by-case analysis. To support the existence of a dominant legal purpose, ‘focused and specific’ evidence is critical.[5]
It was determined that Optus failed to produce ‘focused and specific’ evidence that the legal purpose was the dominant purpose. Such evidence could have come from communications between relevant decision-makers, such as the CEO and/or board members, about their state of mind and overarching purpose for engaging Deloitte.
The importance of ‘focused and specific’ evidence is also reflected in the Full Court’s finding that Optus’ General Counsel provided evidence that was “vague, generalised, and ambiguous in key respects” and therefore insufficient in claiming LLP.[6] While the evidence about the Deloitte Report’s purpose remained “unchallenged”, it was not enough to discharge Optus’ onus. The mere fact that the evidence of Optus’ General Counsel was not cross-examined did not make the evidence determinative.[7]
The Full Court reinforced the initial ruling, in that the relevant timeframe that the dominant legal purpose is required to be shown will depend upon the particular circumstances of the case. However:
Having said that, it will usually be the case that, where a party has commissioned a report from a third-party provider the relevant time to assess the party’s purpose for doing so will be at the time of commissioning. But that is not to say that evidence as to later events will not be relevant.[8]
The ‘dominant legal purpose’ requirement was similarly subject of consideration in the decision of the Federal Court of Australia on 13 June 2024 in Sparks, in the matter of IG Energy Holdings (Australia) Pty Ltd (Administrators Appointed).[9]
Following an explosion of a power unit, which resulted in extensive power outages and risks associated with worker safety, legal counsel were engaged to provide legal advice.[10] Expert opinion was then sought from Dr Sean Brady to investigate the incident and the cause of the explosion.[11]
In relation to the engagement of Dr Brady, the CEO released a media statement, stating that Dr Brady was “engaged to lead an external, independent investigation and review of the incident” and that “CS Energy [was] committed to understanding the facts” that led to the explosion in order to learn from it and improve the safety at the plant.
In his judgment, Justice Dennington extensively referenced the Optus Full Court decision in producing the following principles:
The difficulties of asserting LPP over such reports has also been the subject of argument in the ongoing Medibank class action on foot in the Federal Court of Australia.[15]
Also before Justice Beach, the Court has heard counsel for the Applicant seek to draw parallels with the Optus Full Court decision, contending that Medibank cannot assert LPP over an investigation report that has been referred to, in substance, in a public release to the market. As at the date of this article, Justice Beach has yet to deliver his judgment on that matter.
In the age of rising cyber data incidents, the use of external forensic investigation reports is only expected to increase. The Full Court decision illustrates the core challenges associated in maintaining LLP over such multi-purpose reports.
In light of this, key decision-makers, including in-house legal counsel, should ensure that the purpose of an investigation report is for the dominant purpose of obtaining legal advice, and is adopted and accepted through a whole-of-business approach, at the time of the creation of a relevant communication (e.g. at the time a forensic investigator is engaged to prepare a report). Any media releases or public statements should be carefully considered in light of these developments.
Where it is accepted across a business that a report is for a dominant legal purpose, the following steps can increase the likelihood of a LLP claim being upheld:
If there is any doubt about an approach to adopt, companies and internal counsel should consult with experienced litigation lawyers to ensure unexpected LPP issues do not arise. For any questions about LLP or comments on this article, please contact Robert Johnston or Robert Wyld
[1] Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 (Optus Full Court decision). [2] Optus Full Court decision at [2]. [3] Optus Full Court decision at [46]. [4] Optus Full Court decision at [13]. [5] Optus Full Court decision at [25]. [6] Optus Full Court decision at [68]. [7] Optus Full Court decision at [66] [8] Optus Full Court decision at [88] [9] Sparks, in the matter of IG Energy Holdings (Australia) Pty Ltd (Administrators Appointed) [2024] FCA 613 (IG Energy) [10] IG Energy at [11]. [11] IG Energy at [72]. [12] IG Energy at [50]; Full Court decision at [86]-[88]. [13] IG Energy at [50]; Full Court decision at [87]. [14] IG Energy at [50]; Full Court decision at [91]. [15] Zoe Lee McClure v Medibank Private Limited (ACN 080 890 259) (VID64/2023, Federal Court of Australia, Victoria Registry, Beach J)
The Supreme Court of Western Australia recently dismissed a defamation claim brought by a plaintiff who had not given a concerns notice before commencing the relevant proceedings. In dismissing the...
In proceedings brought in the Federal Court of Australia, ASIC has successfully established that one of the world’s largest investment managers contravened the ASIC Act when it made a series of...
The latest signpost on the long road to defamation law reform appears to point to another departure from national uniformity with the announcement that not all states are on-board for a revised set...