No legal professional privilege for Deloitte forensic report in Optus data breach litigation
Optus has lost a bid in the Australian federal court to keep secret a Deloitte report into the giant Optus 2022 data breach arguing that the report was protected by legal professional privilege.
We have previously covered the Optus data breach – we’ve written about how the breach communications could have been better (here) and what reforms should be introduced to ensure similar breaches don’t occur (here).
The latest skirmish is a very important finding for organisations involved in a data breach, particularly those who thought that legal privilege could be used to protect disclosure of data breach investigation reports as part of legal proceedings.
Although not great for Optus, it certainly clarifies the position for other organisations and in time may lead to much greater transparency about the quality of the security controls that some of Australia’s largest organisations have implemented. Let’s hope the Deloitte report makes it into the public domain one day …
Background to proceedings
Shortly after the hack in October 2022, and no doubt as part of its strategy to reassure affected Australian as well as interested regulators, Optus announced that well known international consulting firm Deloitte would conduct a forensic assessment of what had led to the cyber-attack.
It is common for specialist third parties to be used to do a forensic assessment of a breach, so this is not unusual.
Given the impact of the breach, it was not surprising that law firm Slater and Gordon commenced a class action case in the federal court, soon after the breach made headlines. As part of that class action case, Slater and Gordon sought access to the Deloitte report that Optus had announced that it had commissioned but which was never made public.
Optus objected to the production of the report claiming it was subject to legal professional privilege.
What is legal professional privilege?
Legal professional privilege is a legal concept that protects the confidentiality of communications between a lawyer and their client. This privilege is designed to encourage open and honest communication between clients and their lawyers. The basis of the concept is that clients should be able to share all relevant information with their lawyers without fear that those communications will be disclosed to others, in particular the opposing side in the case of litigation. This confidentiality is considered crucial for the effective operation of the legal system because it allows clients to receive proper legal advice (based on knowing all of the relevant facts).
In legal proceedings (both criminal and civil), legal professional privilege allows clients to instruct their lawyers to refuse to disclose and prevent others from disclosing confidential communications that they have had with their lawyers. This protection extends to both civil and criminal cases.
Legal professional privilege can vary by jurisdiction, and the specific rules and protections may differ in different legal systems.
Under Australian common law, legal professional privilege can only be relied on to protect confidential communications which are made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings.
It is insufficient to show that a substantial purpose of commissioning the report was to obtain legal advice or that the privileged purpose is one of two or more purposes of equal weighting. Instead, the privilege purpose must predominate and be the paramount or most influential purpose.
Availability of legal professional privilege to protect the Deloitte report
Optus argued in court that the dominant purpose of the Deloitte report was to assess the legal risk to the company. It claimed Deloitte’s report would assist the company’s internal and external lawyers on how to advise the company about the risks associated with the data breach.
Slater and Gordon challenged this assertion, arguing that the relevant dominant purpose test had not been satisfied.
In his decision Justice Jonathan Beach had problems with the Optus characterisation of the basis of the report. In particular, he thought that the fact that Optus referred to the Deloitte report in an October 2022 media release was “a real problem” for Optus’s case that the predominant purpose for the report was legal advice. That media release included comments from Optus’s chief executive, Kelly Bayer Rosmarin, who said she had recommended the review to the board, on the basis that it would “help ensure we understand how it occurred and how we can prevent it from occurring again”. “It will help inform the response to the incident for Optus,” Rosmarin was quoted as saying in the statement. “This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
This is problematic as the release did not say the report was recommended by a lawyer or that it was for the purpose of legal advice.
The judge said: “Clearly, they had multiple purposes in procuring the review and report by Deloitte, one of which was a privileged purpose. But I am not satisfied that the latter satisfies the requisite dominant purpose test.”
Role of the general counsel
Optus relied on the state of mind of general counsel and company secretary Nicholes Kusalic, who had considered that there was a high likelihood of a class action and determined there would be a “range of potential regulatory and legal actions” from the outset of the cyber attack. Mr Kusalic formed the view an investigation would be needed to assess legal risk and considered it “highly desirable” that this be done by an external third party “as he was not sure of the capacity within Optus to carry out such a detailed and complex investigation”.
International law firm Ashursts was engaged to provide legal advice and support regarding the breach.
According to evidence from Optus, Mr Kusalic and Optus management wanted an external investigation to assist Ashurts and the legal team on the various and complex legal matters surrounding the cyber-attack, including Otpus’ obligations under the Privacy Act and the Telecommunications Act. From there, Deloitte was engaged.
It seems that Mr Kusalic may not have been a great witness. Justice Beach found that Mr Kusalic had a “vagueness in how [he] expressed himself” and identified “various problematic aspects”. This included it being unclear whether Mr Kusalic was acting “in a general counsel capacity, a company secretary capacity, or some hybrid capacity”, and his involvement in the investigation.
The court noted that Optus would have it that it was Mr Kusalic’s state of mind or intention which was the relevant mind to consider (and thus negating comments by the CEO in the media release). However, the court reject this, stating that Optus’ argument would distort the analysis. While the court considered Mr Kusalic’s intention to be relevant, his state of mind and conduct were only one part of the analysis. In particular, the states of mind of the CEO and the other board members were, on the evidence, highly relevant.
What happens now?
Ultimately, while Optus argued the principal reason for the report was to assist Ashurst in providing it with legal advice, Justice Beach found it was also for the purpose of identifying the root cause of the cyber attack and reviewing Optus’ management of cyber-related risks. And so the claim of protection from non-disclosure based on legal professional privilege failed.
However, although not protected from disclosure by legal professional privilege, the report will not be made public unless it is used as evidence in the case – should it proceed – and Optus does not seek to prevent its public release.
We will continue to watch with interest as the data breach litigation unfolds.
