In brief - The Federal Court's recent decision in Robertson v Singtel Optus Pty Ltd  FCA 1392 delves into the complex question of legal privilege concerning IT forensic reports in the aftermath of a cyber attack*.
Part of the incident response process for many cyber attacks is retaining IT forensic specialists, both to help investigate and contain the breach and so that legal advice can be provided, particularly where there has been a breach of privacy. Some companies appoint the IT forensic team themselves, and there has long been tension about whether IT forensic reports are covered by legal privilege.
The Federal Court decision of Robertson v Singtel Optus Pty Ltd  FCA 1392, handed down on Friday 10 November by his Honour Justice Beach, considered whether the applicants could obtain orders for the discovery and inspection of:
- the forensics report prepared for Optus by Deloitte Touche Tohmatsu concerning the data breach that occurred in mid-September 2022;
- the documents prepared for the purpose of instructing Deloitte; and
- all documents provided to Deloitte for the preparation of that report
(collectively, the Forensic Material).
Between 17 and 20 September 2022, Optus (and its subsidiaries) was the subject of a cyber attack. On 21 September 2022, Optus' general counsel/company secretary became aware of the cyber attack, which could potentially affect the personal information of up to 9.5 million Optus customers.
Optus' general counsel/company secretary was also of the view that the attack would lead to one or more regulatory investigations (including by the Office of the Australian Information Commissioner (OAIC)), civil penalty proceedings, class actions and other litigation.
On 22 September 2022, the day the cyber attack was made public, Optus engaged external solicitors to provide legal advice and assistance about the attack. Three barristers were briefed in the same week.
On 3 October 2022, Optus announced: "Deloitte to lead forensic review of cyberattack" in a media release stating that Deloitte was "to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes" (Media Release).
It was not, however, until 21 October 2022, that the first relevant letter of engagement of Deloitte was issued by Optus' external solicitors.
Optus bore the onus of establishing that legal professional privilege applied to the Forensic Material. To do so, it had to show that the Forensic Material was brought into existence for the dominant purpose of Optus obtaining legal advice, or for use in existing or anticipated litigation or regulatory proceedings.
His Honour formed the view that "the evidence does not establish that the Deloitte report was for the dominant purpose of Optus obtaining legal advice or for use in litigation/regulatory proceedings", as the evidence demonstrated that the Forensic Material was being prepared for various purposes, including:
"First, there was the legal advice or litigation/regulatory proceedings purpose.
Second, there was the purpose more generally to identify the circumstances and root causes of the cyber-attack for management purposes and rectification, being beyond the narrower confines of the first purpose; clearly though there is some overlap with the first purpose.
Third, there was the purpose more generally of reviewing Optus’ management of cyber-risk in relation to its policies and processes."
The matters which factored into his Honour's decision were:
1. The Media Release
The Court considered that "a real problem" for Optus' case was the Media Release.
The Media Release makes no reference to Deloitte being appointed on the recommendation of solicitors, or for legal purposes. It did not "bespeak or manifest a dominant purpose in the nature of a privileged purpose". His Honour accepted that the Media Release "must be viewed in the context of what went before and what took place after in terms of the commissioning of the Deloitte report and the states of mind and purposes of the various individuals involved… none of this context assists Optus to persuade me that the relevant dominant purpose was a privileged purpose."
2. The Board's Resolution
One of the problematic aspects was the lack of evidence from the Optus Board as to the purpose of Deloitte's engagement; the draft resolution of the Board was also inconsistent with the case put to the Court. In fact, the draft resolution submitted to the Board on 9 October 2022 indicated that the true or dominant purpose was not predominantly a legal purpose.
3. The Website Letter
On 25 October 2022, Optus published "A letter to our customers" (Website Letter), confirming an external review by Deloitte so that Optus could learn how criminals got through its defences when it had successfully defended millions of attacks, and committing to learning how to do better and to sharing lessons with other companies. The Court noted that this was "hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose."
4. The Privilege Protocol
On 25 October 2022, Optus' external solicitors, Ashurst, emailed Deloitte a general guidance note on privilege, a privilege protocol and a form of non-disclosure agreement which each member of the Deloitte team working on the investigation was required to sign. The Court was critical of this step too, noting that "Channelling material through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have."
Ultimately, the findings of the Federal Court are not surprising. The case law on the issue consistently points towards privilege not being maintained in these circumstances. In the US matter of In re Rutter's Data Security Breach Litigation, 2021 BL 275161, Kroll's forensic report, prepared after indications of compromised credentials on Rutter's computer network, was held not to be privileged because it was not reasonable to argue that the report was produced in anticipation of litigation. That decision followed In re: Capital One Consumer Data Security Breach Litigation, in which the forensic report was likewise held not to be protected, and stands in contrast with In re: Target Corp. Customer Data Security Breach Litigation, where Target's two-track approach (a separate, counsel-directed investigation alongside the ordinary-course investigation) preserved protection over the legal-track material.
The issue was also discussed by the Ontario Superior Court of Justice in Kaplan v. Casino Rama Services Inc.; however, the Court in that matter focused on waiver rather than determining whether the investigation report was privileged.
Some best practice principles should be adopted when engaging solicitors and IT forensic specialists for cyber investigations so that privilege can be maintained:
- The company experiencing the cyber event should set up an incident response team which includes in-house counsel (if it has one).
- External solicitors should be retained as soon as possible to manage the incident response, and the solicitors (not the company) should engage the IT forensics team, for the purpose of the solicitors providing legal advice.
- Consider commissioning two reports: one privileged report prepared for the purpose of legal advice, and a separate operational report for remediation and management purposes.
- Be aware that how the forensics team is instructed, and by whom, will inform whether its report attracts privilege (in whole, in part or not at all).
- Keep the distribution and discussion of the external forensics report limited.
- Be mindful of what is said in public statements about the incident response, including who commissioned the review and why.
If you are experiencing a cyber event and require assistance please contact our incident response team.
*Optus has now lodged an appeal, and we will keep you informed of new developments in due course.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2023.