The Federal Court of Australia has held that an expert forensic investigation report prepared by Deloitte Touche Tohmatsu (Deloitte) for Optus in the aftermath of its September 2022 cyber attack was not subject to legal professional privilege (LPP).
This article examines the key takeaways from the decision, handed down on 10 November 2023, including what it means for entities that engage third-party experts in internal investigations, how such reports are prepared, and the practical steps that can be taken to protect LPP.
- In September 2022, after being subject to a cyber attack resulting in a large-scale data breach, Optus engaged external legal advisors to provide legal advice and assistance, including in relation to any regulatory investigation or class action that might arise as a result of the cyber attack.
- On 3 October 2022, Optus issued a media release announcing that Deloitte had been appointed “to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes”.
- On 21 October 2022, Optus instructed their external legal advisors, Ashurst, to engage Deloitte for the purpose of “carrying out a forensic investigation into the root cause of the cyber-attack and Optus’ response to it to assist… Ashurst to give legal advice and manage legal risk”.
- Class action proceedings were commenced against Optus as a result of the cyber attack and the class action applicant sought access to the report prepared by Deloitte and the supporting documents used to prepare the report (Deloitte Report). Optus refused to produce the Deloitte Report, claiming it was subject to LPP.
- Optus relied solely on an affidavit from their general counsel (who was also a company secretary) to support their claim of LPP over the Deloitte Report.
- The Court found that Optus had multiple purposes for commissioning the Deloitte Report, one of which was obtaining legal advice or use in litigation, regulatory investigations or legal proceedings. However, because obtaining legal advice (or use in proceedings) was found not to have been the dominant purpose, the Deloitte Report was not subject to LPP.
In setting out its reasons, the Court (Justice Beach) confirmed that the common law in respect of LPP, that is, the ‘dominant purpose’ test, was well-established and not in question:
“Under the common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings”.
The Court found that Optus had not satisfied the dominant purpose test.
While the Court recognised that the general counsel (GC) was a relevant mind to consider in determining Optus’ intention in commissioning the investigation into the cyber attack (and hence, the purpose of the Deloitte Report), it only formed “part of the analysis”.
In the absence of evidence from Optus’ CEO or other Board members, whose states of mind the Court considered to be ‘highly relevant’ to determining the purpose of the Deloitte Report, the Court instead placed considerable weight on publicly available evidence of events that occurred at Optus to inform its objective assessment of the dominant purpose. This included the following.
- On 3 October 2022, Optus issued a media release in which it announced that Deloitte was appointed “to conduct an independent external review of the recent cyberattack and its security systems, controls and processes”. The Court found this to be a “real problem” for Optus’ case and “cast doubt on the picture that [the GC, in his evidence] has sought to portray”. This is because the announcement did not state that the review was being recommended by any lawyer, nor did it state it was being done for legal purposes.
- On or around 9 October 2022, resolutions were circulated to Optus’ board for approval to engage Deloitte, and none of the stated reasons was that the engagement was in order for Optus to be provided with legal advice.
- On 21 October 2022, Ashurst engaged Deloitte. However, the letter of engagement expressly stated that the engagement was “not intended to be an appointment of any expert witness” and did not otherwise express a legal purpose.
Although the Court accepted the GC’s evidence that one of the reasons for commissioning the investigation (and, by extension, the Deloitte Report) at the ‘forefront’ of the GC’s mind was to assess the litigation and legal risks arising out of the cyber attack, the contemporaneous events above strongly indicated that other general, non-legal purposes were more (or at least equally) prominent, these being:
- to identify the circumstances and root causes of the cyber attack for management purposes and rectification; and
- to review Optus’ management of cyber risk in the context of its cyber risk management policies and processes.
For these reasons, the Court concluded that the dominant purpose of the Deloitte Report was “not a defensive legal or litigation strategy” and, as such, the Deloitte Report and its supporting documents were not created for the dominant purpose of Optus seeking legal advice or in connection with the conduct of anticipated or contemplated legal proceedings.
Waiver of LPP
The Court commented, in obiter, that had LPP applied, Optus would not have waived it.
The Court accepted, on well-established principles, that implied waiver occurs where there is an inconsistency between the conduct of the LPP holder and the maintenance of the confidentiality that LPP is intended to protect. It found that none of the public statements made by Optus put the contents of the Deloitte Report in issue. Referring to a public statement in which Optus committed to “sharing lessons”, the Court held that this was not a commitment to share the contents of, or findings in, the Deloitte Report.
Practical steps to protect LPP
Investigations and reports are commonly prepared for various purposes, such as for legal reasons, to identify the causes of an incident, or to review internal policies. What is critical is the purpose at the time the relevant communication is created (here, the engagement of Deloitte to prepare a report).
It is not enough to commission work by a third party and then attempt to cover the work of the third party with a magical cloak of privilege. Not only will courts see through such a façade, but critically, regulators like the ATO, the ACCC and ASIC are requiring evidence to support claims of privilege before they will be accepted.
When seeking to justify a privilege claim, it is important to submit clear, specific and detailed evidence from the relevant decision makers about why a party was engaged and for what purpose. The decision highlights that this evidence is what establishes the dominant purpose for obtaining a report for a legal purpose.
Lastly, the engagement of Deloitte by internal counsel, in the way it was done, and the later role of external lawyers, highlight the difficulties corporations face when trying to create privilege where, arguably, none existed at the critical time.
While Optus may seek to appeal the judgment, the ruling reinforces the care that must be taken when a corporation engages an expert through an internal process, even by internal counsel, where there are clearly various purposes at play that all support why something was done. In those circumstances, the seeking of legal advice may not be the dominant purpose it is hoped to be. This is all the more reason to retain external counsel at the first instance of a crisis, and to make and document decisions properly, so that reports or work activities are commissioned by the lawyers, for the lawyers, in order to give legal advice to the client.