Forensic investigation reports: the question of privilege remains – Singtel Optus v Robertson

Legal professional privilege (LPP) is still causing problems where commercial decisions are made under pressure which can cause fundamental difficulties when LPP claims are later made, challenged and rejected by the courts. Companies need to exercise considerable care when experts or independent consultants are engaged, and to ensure there is a proper basis for LPP, even if that means senior executives and directors give evidence on why decisions were made to obtain legal advice and/or an opinion from independent, expert advisers. If this is not handled with care, any LPP, even if it is established, may be lost.

Following our previous article in November last year, the Full Court of the Federal Court of Australia has  recently dismissed an application^[1] made by Optus for leave to appeal the first instance decision by Justice Beach.^[2]

The Full Court’s decision (on 27 May 2024) again reaffirmed the fundamental ‘dominant purpose’ test in respect of determining LPP claims, in relation to a forensic investigation report prepared by Deloitte (the Deloitte Report). The Deloitte Report was commissioned by Optus in response to the aftermath of its September 2022 cyber-attack data breach, which saw approximately 9.5 million customers’ private information compromised.

It was determined that the Deloitte Report was not covered by LPP as Optus could not establish that the report was procured for a dominant legal purpose, but rather served a range of legal and non-legal purposes.

This article will consider the key takeaways from the Full Court decision and subsequent consideration of this issue in the IG Energy and the current Medibank class action cases.

Snapshot – Optus’s proposed grounds of appeal

Further to the background contained in our previous article, Optus presented five grounds of appeal, these being, that Justice Beach made errors in:

1. not finding that the Deloitte Report was commissioned for the dominant purpose of obtaining legal advice for impending investigations and anticipated legal proceedings;
2. determining the correct point in time at which to assess Optus’s purpose in procuring the Deloitte Report;
3. placing limited weight upon the evidence of its general counsel and company secretary in circumstances where that evidence was unchallenged and not cross-examined;
4. drawing adverse inferences from the fact that there was no evidence given by Optus’s CEO; and
5. assessing Optus’s purpose in procuring the Deloitte Report by reference to a media release its CEO had issued on 3 October 2022.

The Full Court of the Federal Court rejected the appeal on all grounds.

Decision

The Full Court upheld Justice Beach’s determination that Optus did not satisfy its onus to establish that the Deloitte Report was prepared for the dominant purpose of obtaining legal advice. Instead, while it was accepted that it did serve a legal purpose, the Deloitte Report was found to be prepared for a number of other non-legal purposes.

In our opinion, the primary judge was correct to find on the evidence that there were multiple purposes for which the Deloitte Report was commissioned and that the evidence did not establish that the Deloitte Report was procured for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.^[3]

These purposes included developing Optus’ response to the data breach, as well as instigating strategies and crisis management policies to avoid future reoccurrences. Such non-legal purposes were directly addressed in a public media release by the CEO, through a statement that “this review will help ensure we understand how [the cyber-attack] occurred and how we can prevent it from occurring again.”^[4]

The Full Court stressed that it will therefore not be enough to establish that an investigation served a legal purpose. Rather, where non-legal purposes are associated with a decision to engage an independent consultant, it is necessary to establish that the legal purpose is the dominant one.

How does the test apply? Whose mind is relevant?

The Full Court held that a dominant purpose can be achieved in a variety of ways and largely depend on the facts and on a case-by-case analysis. To support the existence of a dominant legal purpose, ‘focused and specific’ evidence is critical.^[5]

It was determined that Optus failed to produce ‘focused and specific’ evidence that the legal purpose was the dominant purpose. Such evidence could have come from communications between relevant decision-makers, such as the CEO and/or board members, about their state of mind and overarching purpose for engaging Deloitte.

The importance of ‘focused and specific’ evidence is also reflected in the Full Court’s finding that Optus’ General Counsel provided evidence that was “vague, generalised, and ambiguous in key respects” and therefore insufficient in claiming LLP.^[6] While the evidence about the Deloitte Report’s purpose remained “unchallenged”, it was not enough to discharge Optus’ onus. The mere fact that the evidence of Optus’ General Counsel was not cross-examined did not make the evidence determinative.^[7]

When does the test apply?

The Full Court reinforced the initial ruling, in that the relevant timeframe that the dominant legal purpose is required to be shown will depend upon the particular circumstances of the case. However:

Having said that, it will usually be the case that, where a party has commissioned a report from a third-party provider the relevant time to assess the party’s purpose for doing so will be at the time of commissioning. But that is not to say that evidence as to later events will not be relevant.[8]

Following Optus – key LLP principles reinforced in IG Energy and Medibank

The ‘dominant legal purpose’ requirement was similarly subject of consideration in the decision of the Federal Court of Australia on 13 June 2024 in Sparks, in the matter of IG Energy Holdings (Australia) Pty Ltd (Administrators Appointed).^[9]

Following an explosion of a power unit, which resulted in extensive power outages and risks associated with worker safety, legal counsel were engaged to provide legal advice.^[10] Expert opinion was then sought from Dr Sean Brady to investigate the incident and the cause of the explosion.^[11]

In relation to the engagement of Dr Brady, the CEO released a media statement, stating that Dr Brady was “engaged to lead an external, independent investigation and review of the incident” and that “CS Energy [was] committed to understanding the facts” that led to the explosion in order to learn from it and improve the safety at the plant.

In his judgment, Justice Dennington extensively referenced the Optus Full Court decision in producing the following principles:

1. the party seeking to claim LPP bears the onus of establishing that it exists, including each factual element necessary to establish the dominant purpose^_[12]
2. LPP only applies to “confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings”.^[13]
3. “It is not sufficient to show a substantial purpose or that the privileged purpose is one of two or more purposes of equal weighting; rather it must predominate, and be the paramount or most influential purpose. The ordinary meaning of dominant purpose indicates the need for a ruling, prevailing or most influential purpose”^[14]

The difficulties of asserting LPP over such reports has also been the subject of argument in the ongoing Medibank class action on foot in the Federal Court of Australia.^[15]

Also before Justice Beach, the Court has heard counsel for the Applicant seek to draw parallels with the Optus Full Court decision, contending that Medibank cannot assert LPP over an investigation report that has been referred to, in substance, in a public release to the market. As at the date of this article, Justice Beach has yet to deliver his judgment on that matter.

Key takeaways and practical steps to protect LLP

In the age of rising cyber data incidents, the use of external forensic investigation reports is only expected to increase. The Full Court decision illustrates the core challenges associated in maintaining LLP over such multi-purpose reports.

In light of this, key decision-makers, including in-house legal counsel, should ensure that the purpose of an investigation report is for the dominant purpose of obtaining legal advice, and is adopted and accepted through a whole-of-business approach, at the time of the creation of a relevant communication (e.g. at the time a forensic investigator is engaged to prepare a report). Any media releases or public statements should be carefully considered in light of these developments.

Where it is accepted across a business that a report is for a dominant legal purpose, the following steps can increase the likelihood of a LLP claim being upheld:

1. the client retains lawyers for legal advice in connection with an incident;
2. the lawyers take responsibility for commissioning any third party reports, to ensure they are for the purposes of identifying facts in order for legal advice to be given to the client;
3. the report is the primary responsibility of lawyers (including external or in-house) and all engagement of and with an independent third party should be by the lawyers;
4. the legal purpose of the report being clear from the outset, consistent and reflected in discussions or if required, public and media statements;
5. exercise caution in making any public statements that indicate non-legal purposes or reasons for decisions; and
6. consistent and direct instructions are provided by the lawyers to any third party in relation to maintaining confidentiality and LLP.

If there is any doubt about an approach to adopt, companies and internal counsel should consult with experienced litigation lawyers to ensure unexpected LPP issues do not arise.

For any questions about LLP or comments on this article, please contact Robert Johnston or Robert Wyld

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).