11 June 2024

Check your privilege — Legal professional privilege in the context of cyber incidents

Tom Kench
Manager

elevenM’s Tom Kench looks at the reasons behind Optus’ failed claim for legal professional privilege (LPP) and offers advice on how organisations can maximise their prospects of claiming LPP in the context of data breach response.

The Full Federal Court has rejected Optus’ appeal against the finding that legal professional privilege (LPP) did not attach to an investigation report commissioned from Deloitte following Optus’ infamous 2022 data breach.

The Federal Court first rejected the privilege claim in November 2023, finding that Optus had not established that the dominant purpose of the Deloitte report was a legal advice or litigation purpose. The Full Court’s decision affirms that finding.

The report must now be disclosed to Slater & Gordon, the law firm acting on behalf of Optus customers impacted by the data breach.

This decision is a reminder of the difficulties faced by organisations seeking to claim privilege over documents and reports associated with a cyber incident, particularly where they are commissioned for a variety of purposes, the organisation does not have cyber incident privilege protocols, and there is a lack of evidence to support the assertion that the legal purpose was the dominant purpose.

This issue — legal professional privilege following a cyber or data breach — is not one that has previously been addressed by the Australian courts. So, this case provides some useful and potentially important direction for organisations in what they do, and how they do it, following a cyber incident.

What is legal professional privilege?

Legal professional privilege protects confidential communications and documents between a lawyer and a client that are made for the dominant purpose of the lawyer providing legal advice or professional legal services to the client (‘advice privilege’), or for use in current or anticipated litigation (‘litigation privilege’).

LPP empowers clients by creating a safe space to exchange information with their lawyers. This, in turn, enables clients to confidently seek informed advice on navigating legal requirements.

But context is king. The existence and maintenance of privilege must always be considered in the context of all facts, circumstances and types of parties that are involved.

In the original November 2023 decision on the Optus claim, the Court stated:

‘It is not sufficient to show a substantial purpose or that the privileged purpose is only one of two or more purposes of equal weighting…It must be the paramount or most influential purpose. One practical test is to ask whether the communication would have been made (whether the document would have been brought into existence) irrespective of the obtaining of legal advice’.

As this shows, legal advice (or litigation) must be the most influential, or dominant, purpose for which the document was created.

Legal advice for cyber incident response

When an organisation experiences a cyber incident it may seek legal advice for a range of reasons, including how and what it communicates to stakeholders, whether it can legally pay a ransom or purchase data from the dark web, contracting post-incident services, third-party liability, questions about directors’ duties, commissioning incident analysis, and responding to regulators or litigants, to name just a few.

The Optus ruling

Following their 2022 breach, Optus issued a media release announcing the appointment of Deloitte to conduct an independent external review of the cyber-attack and Optus’ security systems, controls and processes.

Deloitte commenced work while the scope of the engagement was still being settled. The Optus board then formally appointed Deloitte and scoped the engagement to:

  • identify the circumstances and root causes leading to the cyber attack
  • review Optus’ management of cyber risk in the context of the applicable cyber risk management policies and processes in connection with the cyber attack
  • review the cyber attack incident response, and the appropriateness of actions taken.

The Deloitte engagement was subsequently referenced in further media releases and website announcements by Optus CEO Kelly Bayer Rosmarin. Around this time, Optus’ external legal counsel provided privilege guidelines to Deloitte, in what the Court considered a belated attempt to preserve privilege between the parties.

When Slater & Gordon filed a consumer class action against Optus in the Federal Court in April 2023, the claimants sought access to the report and associated materials. Optus resisted the application for access on the basis that the report and the associated materials were privileged.

First Ruling

On 10 November 2023, the Federal Court handed down its decision on the issue, finding that the report was not subject to LPP. The Court based this decision on several factors:

  • Optus had not established that the dominant purpose of the Deloitte report was a legal advice or litigation purpose. Instead, the report had been commissioned for various purposes including:
    • a legal advice or litigation/regulatory proceedings purpose
    • a more general purpose to identify the circumstances and root causes of the cyber attack
    • a more general purpose of reviewing Optus’ management of cyber risk in relation to policies and processes.
  • The Court put great emphasis on Optus’ media release in October 2022 announcing its intent to seek an independent external review of the cause of the breach, and on website communications which referred to ‘sharing lessons’ and made no reference to Deloitte being appointed for legal purposes. Additionally, Ms Rosmarin had said the report would help ‘inform the response to the incident’, which in turn bears on the dominant purpose test.
  • The Court also considered the board’s state of mind and intent when scoping the engagement.
  • Finally, the Court rejected the claim that Ashurst (the law firm acting for Optus) was directing the Deloitte engagement, seeing it rather as an attempt to cloak the report in privilege, stating that ‘channeling material through lawyers…belatedly, cannot cloak material with any privilege that it did not otherwise have’.

Second Ruling

Optus appealed this decision, on the basis that the Court “erred in failing to find that the Deloitte Report had been created for the dominant purpose of enabling Optus to obtain legal advice or the provision of legal services to Optus for the purpose of actual or anticipated legal proceedings.”

Optus argued that the Court had incorrectly assessed Optus’ purpose in procuring the report, challenged the finding that the media statements established a mixture of purposes, claimed that the evidence of Optus General Counsel Nicholes Kusalic had been given too little weight, and said that an adverse inference had wrongly been drawn from the fact that no evidence was called from Ms Rosmarin.

In the Court’s ruling, Ms Rosmarin’s public statements from 2022 were referenced and the Court concluded that at no point did the company claim that it commissioned the external digital forensic assessment of the attack primarily to protect itself from future litigation or regulatory investigations.

Even though Optus had various reasons for commissioning the investigation, the Court determined there was little evidence that a ‘legal purpose’ was the primary motivation. The dominant purpose can be proved in a variety of ways, but ‘focused and specific’ evidence is needed, and the nature and extent of the evidence required to establish privilege depends on the facts and circumstances of each case.

Furthermore, the Court noted the absence of any mention of such a legal purpose in the correspondence between Optus’ Board of Directors and the Company Secretary, as well as in the company’s public statements following the breach.

The application for leave to appeal was dismissed.

Tips for organisations

There may be circumstances where an organisation needs to ensure LPP around a breach (and others where it is not called for or appropriate). There are ways to maximise your claim to LPP and to ensure that everyone is taking the right steps to maintain it.

  1. Develop A Cyber Incident Privilege Policy
    A cyber incident privilege policy outlines the steps to take in relation to specified activities and documents to maximise the prospect of claiming LPP and reduce the risk of inadvertently waiving it. The Optus ruling underlines the importance of adopting proper privilege protocols before a cyber incident occurs: establishing them after the fact will not retroactively confer privilege on documents and reports that were not created for a dominant legal purpose.
  2. Update Your Cyber Incident Response Plan
    The cyber incident privilege policy should be linked to the cyber incident response plan, so that privilege is considered at each stage of the response and the plan includes explicit triggers for engaging legal counsel.
  3. Build Organisational Understanding
    Incident response teams are drawn from a diverse group of employees and business functions, so it is crucial that the whole team understands the importance of maintaining LPP, how it can be waived, and how the cyber incident privilege policy and the cyber incident response plan work together.
  4. Early Legal Engagement
    Engaging legal counsel early in relation to a cyber incident is important not only for incident management but privilege maintenance. To successfully assert privilege, the legal purpose must be clearly stated and supported by contemporaneous evidence. Additionally, it is crucial to maintain consistent messaging in both internal and external communications, a practice that Optus did not effectively implement.
  5. Treat In-House Counsel Differently From External Counsel
    Artefacts prepared by in-house counsel are more likely to be found to lack the ‘dominant purpose’ of legal advice. In-house counsel often wear different hats, and may act in a capacity other than as legal counsel when providing non-legal business and strategic advice. In-house counsel can nonetheless play a valuable role in requesting, disseminating, and restricting access to reports.
  6. Exercise Caution with Public Communications
    Confidentiality is at the crux of LPP claims, and ensuring legal and public relations oversight of external communications mitigates the risk of waiver. Optus’ CEO spoke publicly about the review and its purpose, which helped undermine the claim.
  7. Start The Paper Trail
    To preserve legal professional privilege, an organisation must be able to produce evidence strong enough to discharge its onus of proving that the dominant purpose in creating the document was to obtain legal advice (or for use in litigation). Optus produced limited contemporaneous evidence to support its claims of privilege over the report and associated documentation.

Conclusion

There is a significant caveat on this advice: implementing the above considerations will not guarantee a successful claim to privilege. The issue of LPP in the context of a cyber incident is new ground for Australian courts and there are likely to be further developments in this area. If a direct right of action is introduced as part of the ongoing Privacy Act reform and more large-scale breaches occur, we will see more class actions and more attention given to this topic.

There is useful commentary from the Court about investigation and root-cause reports. In this matter, the Court pointed to investigation and root-cause reports being prepared for a mixture of legal, compliance, reporting, operational and/or risk mitigation purposes, and as such not attracting the ‘dominant purpose’ shield. Conversely, there is some case law to support investigation reports attracting privilege where the scope is more confined and clearer evidence of the legal purpose is available.

All eyes now turn to Optus’ next move. Although the report is not likely to be released publicly, components of the report will be made public during proceedings, and Optus may seek confidentiality orders to keep parts of the report shielded. These orders may be sought on the basis that confidentiality is necessary to ensure the protection of customer data and security of systems from malicious actors.

Contact us

If you’re interested in learning more about how to develop and implement data breach or cyber incident response processes, contact us at hello@elevenM.com.au or on 1300 003 922.