“There can be only one… dominant purpose” (The recent decision in Robertson v Singtel Optus Pty Ltd [2023] FCA 1392)

The importance of clearly establishing legal professional privilege, and how it can be lost, has again been highlighted by a recent decision of the Federal Court, this time involving a cyber forensic report prepared following the Optus cyber-attack in 2022.

Key take-aways

  1. If an expert report is not produced for the dominant purpose of obtaining legal advice, then privilege will not attach to it.
  2. Optus’s CEO had made public statements about engaging Deloitte to conduct an ‘independent external review’ which indicated to the court that obtaining legal advice was not the dominant purpose.
  3. Proper engagement with lawyers early is key and if a party wishes to keep confidential certain documents, then public statements will need to be carefully vetted before they are made.

Legal Professional Privilege

On 10 November 2023 the Federal Court handed down its decision in Robertson v Singtel Optus Pty Ltd [2023] FCA 1392, a class action against Optus in connection with the Optus cyber-attack in 2022, which impacted millions of Australians and reportedly cost the telco $1 billion. The claimants sought a copy of a report, prepared by Deloitte, into the root cause of the cyber-attack. Optus’ attempt to prevent the disclosure of the report, on the basis of legal professional privilege, failed.

The decision highlights the principles of legal professional privilege and their application not only to a cyber-attack but to any corporate crisis. Increasingly, corporations and their advisers are thrust into the spotlight of a crisis: a regulatory investigation, a cyber-attack or other data breach, or a workplace incident, and need to respond immediately to a number of stakeholders. Tension can arise between the desire to inform customers and regulators and to ensure the issue is rectified and prevented in future, and the need to ensure that confidential information is not released.

The Facts: Cyber-attack Fallout and Legal Pursuit

  1. Between 17 September 2022 and 20 September 2022, Singtel Optus Pty Ltd (Optus) and its subsidiaries were the subject of a cyber-attack.
  2. On 22 September 2022, the General Counsel/Company Secretary of Optus engaged Ashurst Australia to provide Optus with legal advice and assistance in relation to the cyber-attack.
  3. On 23 September 2022, Optus Mobile Pty Ltd and Optus Internet Pty Ltd submitted a notifiable data breach form to the Office of the Australian Information Commissioner (OAIC) informing the OAIC of the cyber-attack.
  4. On 3 October 2022, Optus published a media release titled “Optus commissions independent external review of cyberattack”, which included the following statement:

“Optus is appointing international professional services firm Deloitte to conduct an independent external review of the recent cyberattacks, and its security systems, controls and processes.

As part of the review, Deloitte will undertake a forensic assessment of the cyberattack and the circumstances around it” (Media Release).

  5. On 9 October 2022, Optus’ General Counsel/Company Secretary emailed members of the Optus board a draft resolution (Draft Board Resolution) seeking approval for the appointment of Deloitte Touche Tohmatsu (Deloitte) to undertake a review of the cyber-attack and prepare a report for Optus on its findings (Deloitte Report).
  6. On 17 October 2022, Optus formally engaged Deloitte to prepare the Deloitte Report.
  7. On 25 October 2022, Optus published a marketing document on its website titled “A letter to our customers” that included the following:

“…we [Optus] have commissioned an independent external review – led by Deloitte – into the cyberattack and how criminals got through our defences this time, when we thwart over a million attacks a year and invest significantly in our cyber capabilities. We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience.” (Optus Customer Letter)

  8. On 21 April 2023, Slater and Gordon Lawyers filed a group proceeding against Optus with Mr Robertson as the representative plaintiff of those proceedings (Class Action).
  9. Mr Robertson, as the representative plaintiff in the Class Action, sought an order for discovery to inspect the Deloitte Report.
  10. Optus claimed that the report was subject to a valid claim of legal professional privilege and therefore was not required to be disclosed to Mr Robertson.

Key Requirements for Establishing Legal Professional Privilege: Insights from the Decision

In order for legal professional privilege to attach to a document it must be:

  1. created for the dominant purpose of obtaining legal advice or in anticipation of litigation; and
  2. a confidential communication.

Key Findings: What was the dominant purpose of the Deloitte Report?

The court was tasked with identifying whether Deloitte had been engaged for the dominant purpose of Optus obtaining legal advice about the cyber-attack.

Other potential purposes for engaging Deloitte were contained in various media statements made by Optus or its CEO at the time, including:

  1. appointing Deloitte to “conduct an independent external review of the recent cyberattack, and its security systems, controls and processes.”
  2. the Deloitte review “was recommended by Optus Chief Executive Officer, Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board, which has been closely monitoring the situation with management since the incident came to light.”
  3. the forensic review “would play a crucial role in the response to the incident for Optus, as it works to support customers.”
  4. “[w]hile our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong.”
  5. “[t]his review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
  6. “I am committed to rebuilding trust with our customers and this important process will assist those efforts.”

These announcements did not state that the review was recommended by any lawyer or that it was being undertaken for legal purposes, and it was not suggested at the hearing that the CEO did not genuinely hold the views she had expressed publicly.

Further, on 25 October 2022, Optus published a “letter to our customers” on its website which stated:

… we have commissioned an independent external review — led by Deloitte — into the cyberattack and how criminals got through our defences this time, when we thwart over a million attacks a year and invest significantly in our cyber capabilities. We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience.”

Despite evidence from Optus’ General Counsel/Company Secretary explaining the steps he took to engage external lawyers and then to work with Deloitte, the court determined that the evidence did not establish that the Deloitte Report was prepared for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.

The evidence instead revealed that the dominant purpose in the mind of the CEO and of the Optus board was to “rebuild trust with our customers” and not a defensive legal or litigation strategy.

Optus argued that the relevant state of mind was that of its General Counsel/Company Secretary. The court did not agree: the states of mind of the CEO, the Board and the General Counsel/Company Secretary were all relevant.

Confidentiality

The Court found that if privilege existed in the Deloitte Report, then it had not been waived and had been kept confidential (one of the key requirements for privilege to be maintained). Because none of the public statements made by Optus disclosed the contents of the Deloitte Report, or the ‘gist’ of it, there had been no waiver.

Recommendations

It is common practice for companies, in the face of a crisis, to obtain legal advice and to simultaneously engage third-party non-legal advisers to provide expert advice on what may have caused the crisis in question.

If you intend to obtain the benefit of legal professional privilege over any advice prepared by third-party non-legal advisers, we recommend the following:

  1. Proactive Legal Engagement for Role Clarity: Early and proactive engagement with external lawyers is crucial. Where third-party advisers are engaged by external lawyers, the engagement is usually clearly in a legal capacity and for the purpose of obtaining legal advice.
  2. Inhouse Lawyer Capacities: For inhouse counsel particularly if they have a dual (legal and non-legal) role, they must take care to clearly specify the capacity in and purpose for which they are engaging the third-party adviser. Early consultation and collaboration between inhouse and external lawyers can assist to clarify the roles and purpose for which third-party advice is being obtained.
  3. Strategic Document Management: Companies must adopt a strategic approach to document management, ensuring that adequate processes and privilege protocols are in place to facilitate the maintenance of any claim of legal professional privilege. This is particularly important in the case of an active board and management across different departments, for example, technical, regulatory response and public relations. Confidentiality is key.
  4. Clarity in Communication: To establish legal professional privilege, there must be clarity in communication regarding the legal purpose behind document creation. Ambiguity and evidence of multiple purposes may jeopardise the privilege claim. This includes ensuring that board resolutions, scopes of work and engagement letters with third parties record that the work is commissioned for the dominant purpose of obtaining legal advice or in anticipation of litigation, and that public statements do not contradict that purpose. This can be achieved by media training and by seeking advice from external lawyers as to whether any proposed public communication or statement would undermine the claimed purpose or amount to an express or implied waiver of privilege.
  5. Ongoing Compliance and Review: Regular compliance checks and reviews of internal processes are essential to ensure ongoing adherence to any legal professional privilege protocols and maintaining confidentiality over privileged material.

What to do?

It is essential that companies consider the following questions in a crisis, particularly if maintaining privilege over communications with advisers is an important consideration:

  1. When to engage external lawyers? How should this be done and by whom?
  2. Who should engage third-party non-legal advisers, and how should this be done?
  3. What privilege protocols, communication and document management strategies are in place?
  4. Is the board, management and public relations aware of the protocols and strategy?
  5. What compliance controls are in place to ensure privilege is maintained once established?
  6. How to ensure that privilege is not waived, impliedly or inadvertently?

If this is something that your organisation has not considered or would like to revise, please contact us as we regularly assist and advise our clients on how to create and implement legal professional privilege protocols.
