Optus had multiple purposes in procuring the report aside from obtaining legal advice
The Federal Court has rejected Optus’ claim of privilege over a Deloitte report concerning a cyber-attack incident.
In September 2022, Singtel Optus Pty Ltd. and its subsidiaries were allegedly the subject of a cyber-attack. General counsel and company secretary Nicholes Kusalic believed that the number of Optus customers whose personal information was potentially affected by the cyber-attack could have been up to 9.5 million. Kusalic anticipated that the cyber-attack would likely lead to class actions and investigations.
Before the Federal Court, the applicants, represented by Slater and Gordon, sought orders to discover and inspect the report prepared for Optus by Deloitte Touche Tohmatsu concerning the data breach.
Optus asserted legal professional privilege in such material. The applicants challenged this assertion, arguing that the relevant dominant purpose test had not been satisfied. In the alternative, they argued that there had been a waiver of privilege.
The Federal Court explained that under common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. Further, the court said it is insufficient to show a substantial purpose or that the privileged purpose is one of two or more purposes of equal weighting. Instead, the privilege purpose must predominate and be the paramount or most influential purpose.
Optus argued that the privilege attached to the Deloitte report because almost immediately from when its general counsel and company secretary became aware of the cyber-attack, he was conscious of the multiplicity of legal risks and actions that would likely confront Optus. He also engaged Ashurst and a counsel team almost immediately. Kusalic and Optus management wanted an external investigation to assist the legal team and Ashurst on the various and complex legal matters surrounding the cyber-attack, including Otpus’ obligations under the Privacy Act and the Telecommunications Act.
Optus also pointed out that Kusalic discussed the need for an external forensic investigation into the root cause of the cyber-attack, leading to the appointment of Deloitte to carry out the investigation. Optus further claimed that the terms of Deloitte’s engagement letter made it clear that the purpose of the investigation and the ultimate report was to assist Ashurst in providing legal advice to Optus in connection with the cyber-attack.
However, the Federal Court ultimately found that Optus failed to satisfy the dominant purpose test as they had multiple purposes in procuring the Deloitte report. Further, the court said that even if they had satisfied the dominant purpose test, it found no waiver of privilege.
The court said that the evidence failed to establish that the Deloitte report was for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings. The court found various purposes of the Deloitte report, including identifying the circumstances and root causes of the cyber-attack for management purposes and rectification and the review of Optus’ management of cyber-risk concerning its policies and processes. While the court also found that the purpose includes legal advice or, litigation or regulatory proceedings, the other non-privileged purposes were also clearly in the mind of the Optus’ directors. The court pointed out that the media release issued by the CEO and Optus Board was about the Deloitte review being carried out to identify the cause of what occurred so that rectification steps could be carried out to prevent a recurrence.
The court noted that Optus would have it that its general counsel’s state of mind is the relevant mind. However, the court said that Optus’ argument would distort the analysis. The states of mind of the CEO and the other board members were, on the evidence, highly relevant. While the court considered Kusalic as one of the relevant minds, his state of mind and conduct were only part of the analysis.
Ultimately, the court concluded that Optus had not made good its claim of privilege concerning the Deloitte report.