The Full Court of the Federal Court today (27 May) handed down a decision rejecting Optus’ application for leave to appeal against an earlier decision regarding the breach it suffered in September 2022.
The applicants in a class action brought against Optus on behalf of its customers were seeking an order to have Optus produce a report into the breach which they had commissioned from Deloitte Touche Tohmatsu, along with all associated documents. The Federal Court rejected Optus’ claim of legal privilege over the report and documents, and today that was confirmed by the Full Court.
The decision is of particular interest for its implications for cyber incident reports commissioned by or through lawyers. Although the specific circumstances of each case will determine the outcome of claims for privilege, this case provides some important guidance on the potential pitfalls for cyber security related reports in particular. Many of the arguments rejected by the Full Court were technical in nature and specific to the facts of the case; however, there are some clear lessons we can all take from it.
In order for the report and associated documents to be privileged, the “dominant purpose” for producing the report had to be to obtain legal advice (or prepare for possible litigation). The party claiming privilege has the onus of proving this. Unfortunately for Optus, the Full Court agreed with the earlier judge, finding that the evidence of the sole witness for Optus (who was General Counsel and Company Secretary) effectively only addressed his own purpose, whereas the decision had been made by several board members and senior management.
The failure to provide evidence regarding the others involved in the decision meant the primary judge was able, for example, to draw conclusions about the principal purpose from evidence such as a media release from Optus’ CEO, which referred to several non-legal purposes.
In circumstances where there are other purposes for producing a report (such as identifying the causes of the breach for mitigation and remedy, for reviewing policies and procedures, and other management action) it will be much more difficult to convince a court that the dominant purpose was legal.
Of course, these considerations are inevitable in any significant cyber incident. It is therefore crucial for preserving legal professional privilege that an organisation is able to produce evidence strong enough to meet its onus of proving that the dominant purpose in creating the document was to obtain legal advice (or for litigation).
The evidence presented by Optus didn’t address those non-legal purposes or try to contextualise them or explain their relationship to the legal purpose. The evidence also related to reasons for only one of the several decision makers and therefore couldn’t meet that onus as it applied to the (collective) decision making.
To benefit from privilege, an organisation should have clear lines of responsibility regarding who is commissioning the report and why. This should happen even before there is an incident, but certainly before commissioning a report.
Optus had some good arguments regarding the nature of legal advice on cyber incidents.
They argued that because the legal advice in such cases will concern remediation and necessary management action, those reasons will be “essential to the provision of accurate and useful legal advice”. The case didn’t address this claim head on, as the Full Court found that, while the evidence from Optus showed that their General Counsel’s purpose for commissioning the report was legal, the evidence (including the media release and internal documents) didn’t establish the same for the other decision makers.
This is a warning against “silos” and treating legal issues as an “add-on”. Legal and governance concerns should be fundamentally integrated with other security issues at every level and at all times. That holds even when planning for a potential catastrophe or dealing with complex and fraught communications in a time of crisis; in fact, it matters even more then. If this requires a cultural shift in an organisation, then being better positioned to argue for privilege might help persuade an organisation to adopt that culture.