Are cyber breach investigation reports produced by external consultants protected by legal professional privilege? What do courts consider when deciding whether investigation reports are privileged?

In the recent decision of Robertson v Singtel Optus Pty Ltd [2023] FCA 1392, the Federal Court of Australia found that a forensic investigation report produced by Deloitte (Deloitte Report) following the cyberattack on Singtel Optus and its related entities (Optus) was not protected by legal professional privilege.

The Court recognised that factual investigation reports may be protected by legal professional privilege in some instances. However, in this instance, the Court found that the Deloitte Report was not prepared for the dominant purpose of providing legal advice and rejected Optus’s claim for privilege.

Key considerations

1. Whether a cyber breach investigation report is protected by legal professional privilege will depend on whether the report has been prepared for the dominant purpose of legal advice in accordance with long-held principles.
2. Where the report has been prepared for multiple purposes (which is often the case in relation to cyber incidents), such as a review of processes and root cause analysis, it is unlikely to satisfy the dominant purpose test critical to a claim of privilege.
3. The dominant legal purpose must be demonstrated at the time an external consultant is engaged and the investigation process commences. Belatedly setting up privilege protocols and processes will not retrospectively imbue legal privilege upon the investigation report.
4. Courts will consider public statements and media releases made about the investigation report and investigation process to ascertain privilege.
5. Corporations should also consider whether public statements should be made about investigations. If public statements are going to be made, thorough consideration should be given to whether those statements will be consistent with the privileged purpose.
6. Corporations should be astute in their engagement of external consultants and recognise that a claim of privilege may not always be available over a cyber breach report and communications surrounding the report.

Purpose of engagement of Deloitte

In mid-September 2022, Optus was the subject of a well-publicised cyberattack affecting its customer data. Optus representatives gave evidence that they held a concern that the cyberattack would lead to regulatory investigations and class action proceedings.

In late September 2022, Optus engaged external solicitors to provide legal advice and assistance.

In late October 2022, Optus engaged Deloitte to conduct what Optus termed in one media release “an independent, external review of the recent cyberattack, and its security systems, controls and processes”.

Deloitte’s engagement was approved by resolution of Optus’s board of directors. The approved resolutions stated that the independent external forensic investigation was for purposes such as:

• identifying circumstances and root causes of the cyberattack;
• reviewing Optus’s cyber risk management policies and processes; and
• reviewing Optus’s response to the cyberattack.

In its efforts to reassure its customers following the cyberattack, Optus’s CEO also referred to the Deloitte investigation in website announcements and media releases in the following ways:

• The Deloitte review “was recommended by Optus Chief Executive Officer, Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board” – media release, 3 October 2022.
• “[t]his review will help ensure we understand how it occurred and how we can prevent it from occurring again” – media release, 3 October 2022.
• “…we have commissioned an independent external review - led by Deloitte - into the cyberattack and how criminals got through our defences this time, when we thwart over a million attacks a year and invest significantly in our cyber capabilities” – letter to customers, 25 October 2022.

Several days following Deloitte’s engagement, Optus’s external solicitors sent privilege protocols to Deloitte which stated that the purpose of Deloitte’s engagement was to enable the external solicitors to provide legal advice. The protocols also set out practical guidance on preserving privilege in communications between Deloitte and the external solicitors.

The applicants commenced class action proceedings against Optus alleging breaches of privacy, telecommunications, and consumer laws. As part of the proceedings, the applicants sought access to the Deloitte Report.

Decision – failure to satisfy the dominant purpose test

Beach J held that the Deloitte Report was not protected by legal professional privilege for the following reasons:

• Optus did not establish that the Deloitte Report was prepared for the dominant purpose of obtaining legal advice. The Court found that the Deloitte Report was, in fact, prepared for multiple purposes including formulating Optus’s response to the incident and preventing its reoccurrence as stated in the CEO’s media releases.
• The board resolutions to commission the Deloitte Report did not support the contention that the Deloitte Report was protected by legal professional privilege. This was because:

1. Optus’s general counsel’s communications to the Optus board about Deloitte’s engagement to produce the Deloitte Report, appeared to be communications in both his capacity as general counsel and company secretary.
2. Optus’s general counsel’s email to the board in relation to the draft resolutions appointing Deloitte to prepare the Deloitte Report did not indicate that the dominant purpose of the Deloitte Report was a privileged purpose, that is for the purposes of obtaining legal advice.

• The draft resolutions and covering email provided to the board suggested a broader scope of review across the Singtel Group.

Optus’s position was that Deloitte’s engagement was contemplated and recommended by its general counsel in light of impending regulatory investigations and class action proceedings and was, therefore, privileged. However, the Court found that communications with the Optus board and public statements made by the CEO which included phrases like “The review was recommended by Optus [CEO] and was supported unanimously by the Singtel Board…” indicated that it was unclear who precisely had proposed the Deloitte engagement.

Optus also contended that the privilege protocols sent by its external solicitors to Deloitte after Deloitte’s engagement demonstrated the privileged purpose of the Deloitte Report. The Court rejected this argument on the basis that the privileged purpose did not exist at the time of Deloitte’s appointment and stated that “[c]hanneling material through lawyers…belatedly, cannot cloak material with any privilege that it did not otherwise have”.

Impact of Optus decision

External forensic investigation reports are often commissioned in the wake of cyber incidents given the context of triggering almost immediate regulatory obligations and the potential for regulatory investigations, as well as (as we have seen) litigation. The Optus decision demonstrates the need for corporations to be astute in their engagement of external consultants and recognise that a claim of privilege may not be available over the report and communications surrounding the report.  Further, if the report is being prepared for the dominant purpose of legal advice, ensure that this purpose is clearly documented from the outset and that consideration is given to whether a corporation should refrain from making any public statements about the engagement. If indeed the engagement is for the dominant purpose of advice and if a public statement is to be made, consider whether that is consistent with the privilege purpose and recognise the potential risk of waiver.