Where’s my privilege? Federal Court denies Optus’ claim of privilege over Deloitte report in data breach class action

Over the last 12 months, the discourse around the cyber threat landscape in Australia has accelerated in the wake of high-profile cyber incidents.

The risk profile for organisations has also evolved, with the commencement of class action proceedings against organisations subject to these cyber attacks, such as Singtel Optus Pty Ltd (Optus) following a data breach in September 2022 (Optus Data Breach).

The response to any cyber incident will necessarily involve a multidisciplinary approach to determine the best course of action, including input from information security, legal, risk, and corporate governance teams. It follows that organisational decision-making in the immediate incident response to a cyber threat can easily affect downstream risks to the target business and can in many cases increase them.

Businesses that may wish to seek legal advice about their risks, or how best to mitigate those risks in the aftermath of a cyber incident, may also involve various stakeholders in the communications and instructions given to lawyers. It is also possible that lawyers and other advisers will be engaged to work cooperatively together, including to brief the board and assist with risk mitigation and regulatory responses.

In this environment, the purpose, let alone the dominant purpose, for the creation of documents and communications in an organisation’s incident response can become murky. Where documents are created for mixed purposes, there is a real risk that these documents and communications cannot be protected by legal professional privilege (LPP).

At their core, LPP claims in this or any context are determined by first principles. We have published a comprehensive guide on the laws of privilege in Australia, in which the relevant common law test is summarised.

In this article, we take a look at the outcome on Optus’ claim of privilege over an external report in Robertson v Singtel Optus Pty Ltd (Optus class action). In the Optus class action, Justice Beach of the Federal Court found that a report into the external review prepared by Deloitte following the Optus Data Breach (Deloitte Report) did not attract LPP.

The Optus decision

On 10 November 2023, Optus lost its claim for LPP over the Deloitte Report in the Optus class action ([2023] FCA 1392). Justice Beach found…

Full article available on Disputes +
