In a recent decision of the Federal Court of Australia, Robertson v Singtel Optus Pty Ltd [2023] FCA 1392, it was held that a forensic investigation report prepared following a cyber-attack suffered by Optus was not protected by legal professional privilege. Privilege entitles a party to withhold evidence (either written or oral) from production to a third party or the Court.
Although this decision is not strictly binding on the Courts in England & Wales, the reasoning provides useful guidance around engaging third-party experts in internal investigations, the requirements to satisfy the 'dominant purpose' test for legal professional privilege and practical steps to protect legal professional privilege.
Background
Following a large-scale data breach in September 2022 affecting 10 million of its customers' data, Optus confirmed it had appointed Deloitte to carry out an "independent external review of the recent cyberattack, and its security systems, controls and processes". The report prepared by Deloitte (the Report) subsequently became the subject of a legal battle during the course of class action proceedings commenced against Optus. Optus contended that the claimants were not entitled to a copy of the Report on the basis that it was subject to legal professional privilege.
Decision
In brief, the Court found that Optus had failed to demonstrate that the Report had been prepared for the dominant purpose of receiving legal advice or litigation advice. In this instance, Justice Beach found that the Report had been prepared for "multiple purposes", including legal advice, but also to identify the cause of the cyber-attack and to conduct a broader investigation into Optus' existing cyber risk management infrastructure. As a result, legal advice was not the dominant purpose (i.e. the prevailing or most influential purpose).
In determining whether or not the Report was created for the dominant purpose of legal advice or litigation advice, Justice Beach expressed his view that the purpose of the report should be assessed at the time prior to procuring the report, as opposed to after the report had been produced.
Justice Beach held that the Report, along with the documents and brief provided to Deloitte, was not legally privileged. It seems that one of the key principles underpinning this decision was transparency, particularly in the period following a cyber-attack, and crucially, ensuring that key information was made available in legal proceedings to inform any potential legal action to be taken against Optus.
Practical tips and recommendations
Whilst Optus have lodged an appeal, this decision highlights the risks associated with obtaining investigation reports that are intended to serve multiple purposes. In particular, it is a reminder of the difficulties faced by internal counsel, and of bringing in external lawyers after the event, when trying to create privilege.
Organisations should, therefore, always consider the possible repercussions of any media release and disclosure during the investigation and report preparation process.
Our key takeaways to best protect legal privilege when investigating a cyber-attack or data breach include:
- Ensure that the purpose of the investigation and/or any report prepared is made clear and is well documented at the very outset;
- Involve external lawyers at an early stage of the investigation to support and provide legal advice or litigation support and increase the chances of sustaining privilege over any investigation reports and related documents;
- Where in-house lawyers are involved in the investigation or procurement of the report, it is important to be clear on whether they are wearing their legal hat, or simply providing commercial advice. In order to assist with this distinction, we recommend keeping privileged documents and/or communications entirely separate from those which relate to non-legal or administrative matters;
- In order to justify any potential privilege claim in court, businesses should keep a record of clear and detailed evidence, from key decision-makers within the business, which supports the dominant purpose of the investigation and/or any report produced;
- Consider having two separate reports prepared, however be alive to the difficulties of preparing a non-privileged report where sensitive information is to be included;
- At the time of instructing forensic experts to carry out any investigation, implement terms of engagement which clearly and explicitly state the dominant purpose of the investigation as being to assist with legal advice or litigation; and
- Before making any public statements or press releases, ensure these are scrutinised by lawyers to avoid inadvertently waiving legal privilege.
If you would like some further advice regarding the topic of this article or would like to hear more about our cyber risk mitigation services in general, please contact members of our specialist cyber and data privacy team or explore our cyber risk management services.