Federal Court rejects Optus’ legal privilege claim. When does privilege apply to forensic investigation reports?

In the recent decision of Robertson v Singtel Optus Pty Ltd [2023] FCA 1392, the Federal Court rejected Optus’ claim of legal professional privilege over an expert forensic investigation report prepared by Deloitte related to a 2022 cyber-attack suffered by Optus. The telecommunications company sought to withhold the report from being disclosed, arguing that it was subject to legal privilege. However, the Federal Court ruled against Optus, finding that the report did not meet the necessary ‘dominant purpose’ criteria for such protection.

This article analyses the key takeaways from the court’s decision, including the implications of engaging third-party experts in internal investigations, the necessary requirements of the dominant purpose test, and the practical steps companies can take in preparing reports and how they can maximise their chances of claiming legal professional privilege.

Background Facts

In September 2022, Optus announced that it had suffered a large-scale data breach that exposed the personal information of approximately 10 million customers. The announcement garnered widespread public, political and regulatory scrutiny, and sparked interest from class action promoters.

In October 2022, Optus issued a statement revealing that it had engaged the services of the multinational professional services organisation, Deloitte, for an “independent external review” following the cyber-attack.

The review sought to:

  1. Identify the circumstances and root causes of the cyberattack.
  2. Evaluate Optus’ management of cyber risk within relevant policies.
  3. Review the appropriateness of the cyberattack incident response, considering existing crisis management procedures.

Shortly after the cyber-attack occurred, class action proceedings were commenced. The class action applicant sought the production of the Deloitte report and all associated documents, contending that the report was not prepared for the ‘dominant purpose’ of Optus seeking legal advice. However, Optus invoked legal-professional privilege to prevent release of the report – this was despite its earlier public indication that the report might be made available.

Federal Court Judgment

Dominant Purpose Test

In setting out his reasons, Beach J confirmed that the common law in respect of legal professional privilege, i.e. the ‘dominant purpose’ test, was well-established:

“Under the common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings”.

Determining the purpose for which a document was created is an objective matter based on evidence, the nature of the document, and party submissions. Meeting the burden of proof to prove the existence of privilege requires focused and specific evidence, but the nature and extent of the evidence needed is fact and circumstance dependent.

The intent of the person who procured or authorised the document, while significant, is not the definitive factor in determining purpose. The nature of the documents, over which privilege is claimed, provides greater insight into their intended purpose.

Beach J expressed that it is not sufficient to show a substantial purpose or that a privileged purpose is one of two or more purposes of equal weight; rather, it must be the paramount purpose. The ordinary meaning of dominant purpose indicates the need for a “ruling, prevailing or most influential purpose”.

Decision

Optus relied principally upon the “self-advisedly vague” affidavit provided by Mr Nicholes Kusalic, the general counsel and company secretary of Optus, to support its privilege claim. In assessing this, Beach J looked to the position and state of mind of Mr Kusalic, who was not considered to be acting solely in his capacity as general counsel; rather, he was acting in a more hybrid capacity in his company secretary role. It was further noted that there was no direct evidence from any other board member of Optus or the CEO, whose states of mind were “highly relevant”.

Justice Beach determined that Optus failed to prove that the dominant purpose of the Deloitte report was for receiving legal advice and/or litigation advice. Instead, he found that the report had been prepared for “multiple purposes”, including legal advice, identification of the root causes of the cyberattack, and a broader review of Optus’s cyber risk management.

As Optus failed to meet the burden of proving that the Deloitte report was for the dominant purpose of legal advice, it logically followed that Optus had not demonstrated that the documents and brief provided to Deloitte were for the dominant purpose of legal advice.

Crucially, Beach J was of the view that the appropriate timeframe for evaluating the dominant purpose of the report was prior to its procurement, as opposed to considering it at the date of the report or after Optus’ decision to obtain it.

Did Optus waive privilege in the Deloitte report?

The applicants presented an alternative argument, suggesting that, assuming on the face of it the Deloitte Report enjoyed legal professional privilege, Optus’ reliance on the report for various purposes (such as making public statements regarding its actions in response to the data breach) gave rise to an inconsistency such that privilege was waived over the report.

Rejecting this argument, Beach J found that an implied waiver can only occur where there is some inconsistency between the conduct of the privilege holder and the maintenance of the confidentiality that the privilege is intended to protect.

Justice Beach determined that Optus’ use of the report for other purposes did not constitute a meaningful disclosure of the report in public statements, thus not waiving the hypothetical legal professional privilege. Additionally, the judge concluded that Optus’ website statement that Optus was “committed to learning, doing better in the future, and sharing lessons” did not signify a commitment to share the contents or findings of the report. However, the judge pointed out that the published “letter to our customers” regarding the report was “hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose.”

Outcome

The legal battle surrounding the Deloitte report is part of a broader context in which Optus finds itself entangled. In addition to the class action seeking access to the report, the company is facing an investigation by the Office of the Australian Information Commissioner (OAIC) and a separate class action lawsuit.

This decision aligns with prior cases, such as Singapore Airlines v Sydney Airports, AusNet Electricity v Liesfield, and Powercor v Perry, where the courts found that the legal purpose was not dominant. In contrast, certain cases, such as TerraCom v ASIC and Diawara v NAB, saw narrower inquiries resulting in privileged reports where the dominant legal purpose had been established.

This decision marks a significant step toward transparency in addressing the aftermath of the cyber-attack and ensures that relevant information will be available for scrutiny in the legal processes.

Concurrently, the scrutiny of Optus has heightened due to its more recent 14-hour outage during which phone and internet services were disrupted for 10 million customers. The company is facing increased pressure, and Optus is now subject to government investigations and a Senate inquiry. The Deloitte report, if brought into the public domain as evidence, could play a crucial role in shedding light on the circumstances surrounding the cyber-attack and informing the ongoing legal actions against Optus.

This decision highlights the significant risk associated with investigation reports seeking privilege, particularly when they serve both legal and non-legal purposes. The recommendation is to consider separate reports for operational purposes, yet creating a non-privileged report may be challenging where sensitive information may need to be included. Therefore, irrespective of the chosen privilege claim optimisation measures, organisations should always consider the possible repercussions of disclosure during the entire investigation and report preparation process.

Practical Takeaways

If the consensus is that the dominant purpose of an investigation or report is to receive legal or litigation advice, steps should be taken to enhance the chances of sustaining a privilege claim:

  1. When initiating an investigation, it is crucial to ensure that key decision-makers actively discuss and agree on the investigation’s purpose. The determination of the dominant legal purpose is made when the investigation commences.
  2. Promptly formulate and implement terms of reference and engagement that explicitly state the sole or dominant purpose of the investigation is to assist with legal advice or litigation. Privilege applies to investigation reports and root cause analyses if their primary purpose is to provide legal advice.
  3. Appoint in-house or external lawyers to oversee the review or investigation, ensuring they have the necessary information for providing legal advice or litigation support. It is worth noting that involving legal counsel in the investigation process may not automatically confer privilege on reports and related documents.
  4. Ensure that any public statements or press releases undergo legal scrutiny to minimise the risk of inadvertent waiver of legal professional privilege.
  5. Establish clear confidentiality protocols and guidelines for escalating and internally reporting issues, including careful consideration of any public statements about the investigation. Clear, detailed evidence – preferably supported by contemporaneous records – from key decision-makers is crucial to support privilege claims in court.
  6. Where in-house counsel wears multiple hats, ensure that if they are involved in the investigation or procuring any reports, it is clear that they are wearing their legal hat at the relevant time.

Further Information

For more information about litigation and investigations in Australia, please contact Trevor Withane

Disclaimer

Ironbridge Legal’s communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication.