The Federal Court has delivered a judgment regarding a claim for legal professional privilege by Optus over a forensic report prepared by an external consultant.

The claim for privilege was made in class action proceedings brought against Optus in the context of seeking discovery of records relevant to the cyber-attack on Optus in September 2022.

Key takeaways for businesses

• If there is an incident that requires investigation or root cause analysis, promptly retain external solicitors to engage the external consultant for the purpose of providing legal advice. The connection between the report and the ultimate legal advice should be express.
• Consider whether it is worthwhile obtaining two reports:
  • One which is privileged, broad-ranging and obtained by external solicitors for the purpose of providing legal advice, and
  • One which is operational and more limited in scope and allows the business to move forward in its response to the incident.
• Be aware that simply involving external legal counsel may not be sufficient to maintain a claim for privilege – in all cases the Court will look to the dominant purpose of the external engagement.

Background to the case

On 22 September 2022, the day after Optus became aware of the cyber-attack, it engaged external solicitors to provide legal advice. On 3 October 2022 Optus announced it would appoint Deloitte to conduct an independent review of the circumstances of the attack, including conducting a review of the relevant Optus controls. No mention of any legal advice was included in Optus’ announcement.

Between 9–11 October 2022 the Optus Board signed a circulating resolution to appoint Deloitte, and the resolution provided the various purposes for which Deloitte would be engaged.

Following the announcement, Optus’ solicitors issued a letter of engagement to Deloitte, but not until 21 October 2022.

Relevantly, the applicants in the class action sought discovery from Optus of:

• The forensic report prepared by Deloitte for Optus relating to the relevant data breach
• The documents prepared for the purpose of providing instructions to Deloitte, and
• All documents provided to Deloitte for the purposes of preparing such a report.

Decision

As a general principle, to make a claim for legal professional privilege the relevant document or communication needs to have been made for the dominant purpose of obtaining legal advice or in the use of litigation or regulatory action.

His Honour Justice Beach found that the evidence before him did not establish that the relevant report was for the dominant purpose of Optus obtaining legal advice or for use in litigation/regulatory proceedings. Instead, his Honour found that there were three purposes for obtaining the report:

• To obtain legal advice
• To identify the root cause of the cyber-attack, so as to inform management and consider any necessary rectification as a result of the attack, and
• To review Optus’ management of cyber-risk in relation to its policies and processes.

Of these purposes, his Honour found that the dominant purpose of obtaining the forensic report was to identify the root cause of the cyber-attack. Relevant to this finding was the state of mind of the directors at the time the report was commissioned to establish the purpose of the report.

Further information / assistance regarding the issues raised in this article is available from the author, Natalie Oliver, Special Counsel and James Davis, Paralegal or your usual contact at Moray & Agnew.