Federal Court rejects Optus' legal privilege claim over cyber-attack report: Observations & Lessons

Piper Alderman

Contributor

Courts seem unwilling to uphold LPP claims for multi-purpose reports if a dominant legal purpose is not clear.

In Optus Pty Ltd v Robertson [2024] FCAFC 58 (Optus v Robertson), the Full Court of the Federal Court of Australia reminds corporate bodies that a claim of legal professional privilege over multi-purpose reports is not simply a guaranteed right.

The recent decision of Optus v Robertson highlights how difficult it is for corporate bodies to successfully claim legal professional privilege (LPP) over multi-purpose reports they commission. The Full Court upheld the primary judge's decision requiring Optus to produce a report relating to the cyber attack suffered by Optus in September 2022, despite a claim of LPP.

This decision reaffirmed the 'dominant purpose' test for producing a report as the requisite standard for claiming LPP.

This decision serves as an important reminder for companies not to assume that a multi-purpose report which includes a legal purpose is guaranteed to attract LPP, particularly at a time when concern is being expressed over the alleged misuse of LPP by corporate bodies to avoid disclosure obligations during court and regulatory proceedings.1

We summarise below the key takeaways, the background to the matter, the relevant findings and implications of the decision.

Key Takeaways

When considering an investigation that requires commissioning a report intended to serve legal purposes among others, the following key pointers are useful to bear in mind:

  • Reports that are commissioned for multiple purposes may not be viewed as subject to LPP if it is not otherwise clear that the "dominant purpose" of the report is for obtaining legal advice or for use in litigation.
  • When considering a company's purpose, a court will consider all of the relevant circumstances extending to public announcements, Board materials, internal record keeping and the state of mind of the Board and executives.
  • The dominant purpose of the report remains the test to establish LPP. It needs to be capable of being demonstrated objectively, and how the purpose is to be established should be considered early and carefully, before a report is commissioned.
  • To assist in sustaining a claim for LPP, internal and/or external legal counsel ought to be engaged at the outset of any investigations.
  • At the outset of an investigation, the dominant purpose of a report should be carefully considered, identified and documented, particularly if there are other purposes the report is being prepared for. This applies to public statements about the report, the terms of reference for procuring the report and any relevant Board meeting discussions.

Background

The application for leave to appeal by Optus concerned a forensic investigation report prepared by Deloitte Touche Tohmatsu relating to the cyber attack suffered by Optus between 17 and 20 September 2022 involving the release of up to 9.5 million customers' private and confidential data (the Report).

At the time the Report was commissioned, Optus was said to be facing several potential legal threats including class actions, customer complaints and regulatory investigations.2 The completed report was provided by an external consultant to Optus' General Counsel and external solicitors, who were retained by Optus to provide legal advice following the attack.

The primary decision concerned an application for the Report to be disclosed during the course of class action proceedings arising from the cyber attack.3 Optus denied discovering the Report and claimed it was subject to LPP on the basis that the Report was commissioned for the purpose of obtaining legal advice for Optus in relation to litigation and regulatory risks faced by Optus as a result of the cyber attack (the legal purpose).

The primary judge concluded Optus had multiple purposes for procuring the Report, including the legal purpose.4 However, his Honour rejected Optus' claim of privilege on the basis that Optus failed to discharge its onus that the legal purpose was the dominant purpose for the Report.5

The Appeal

Optus appealed the primary judge's decision on five separate grounds that can be summarised as:6

  1. The primary judge failed to find the dominant purpose of the Report was for the legal purpose.
  2. The primary judge wrongly assessed and gave insufficient weight to the unchallenged evidence of Mr Kusalic (Optus' General Counsel).
  3. The primary judge assessed Optus' purpose for procuring the Report at the wrong point in time. Optus claimed the correct time was either the date the Report was provided to Mr Kusalic and Ashurst or the date Ashurst formally engaged Deloitte.

Full Court Decision

The Court of Appeal unanimously refused Optus leave to appeal and in doing so, the Court substantively considered the grounds of appeal.

The decision upheld the findings of the primary judge and agreed Optus' evidence did not establish that the dominant purpose for Optus procuring the Report was for the legal purpose.7 The Court agreed the evidence showed the Report was also commissioned for non-legal purposes including:8

  1. to identify the circumstances and root cause of the cyber-attack for management purposes; and
  2. to review Optus management's policies, procedures and incident responses in relation to cyber risk.

Collectively the "non-legal purposes".

To determine the purpose of the Report, the Full Court recognised the primary judge was required to consider the "totality of the evidence", including other contemporaneous documentary evidence and objective considerations, and to have regard to the evidence as a whole.9 In this case, relevant documents included: (1) the media release by Optus about the Report's commission; and (2) the terms of draft and final resolutions presented to the Optus Board for the engagement of the external consultant.10 Importantly, it was these documents that presented evidence of the Report's commission for non-legal purposes. For this reason, the Court viewed the state of mind of Optus' CEO and the Board to be highly relevant to ascertaining the state of mind of Optus for commissioning the Report.11

In light of the above, the Full Court agreed Optus failed to adduce sufficient evidence as to the predominance of the legal purpose amongst the non-legal purposes. The evidence of Mr Kusalic failed to explain or contextualise the non-legal purposes arising from the media release or resolutions, and was otherwise vague on these topics.12

Separately, in respect of the correct date to assess the purpose of the Report's commission, the Full Court agreed with the primary judge's decision and considered that the proper date to assess Optus' purpose had little significance in the circumstances.13 Further, there was insufficient evidence to show that a different date ought to have been used or that Optus' purpose changed over time.14

Implications

Optus v Robertson demonstrates that courts appear to be unwilling to uphold privilege claims for multi-purpose reports without the dominant legal purpose of a report being objectively apparent. The 'dominant purpose' test is therefore both critical to success and the key barrier in determining whether or not a report will attract LPP.

For this reason, where there is evidence of multiple purposes (which is likely for most forensic investigation reports), larger companies ought to be cognisant of how the purpose and intention of any future report is documented in Board materials, resolutions, executive briefing papers, internal communications and record keeping at a managerial level. The context for the commissioning of a report is particularly important given the Full Court's comments that such context ought to be given preference over the views of a company's general counsel, who is more likely to be viewed by the court as personally, and legitimately, considering the report for legal purposes.

Footnotes
1 We draw your attention to the decision of Commissioner of Taxation v Pricewaterhouse Coopers [2022] FCA 278, wherein Moshinsky J denied some of the claims of LPP by Pricewaterhouse Coopers Australia. See also: Nick Wilson, 'ATO 'disappointed' by use of legal privilege, warns big 4 sins will reoccur' dated 30 April 2024 located at https://www.accountingtimes.com.au/profession/ato-disappointed-by-use-of-legal-privilege-warns-big-four-sins-will-reoccur.
2 Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 at [2] (Optus v Robertson).
3 Robertson v Singtel Optus Pty Ltd [2023] FCA 1392 (Robertson v Optus).
4 Robertson v Optus at [120]–[121].
5 Ibid at [119], [167].
6 Optus v Robertson at [4].
7 Ibid at [46], [83].
8 Ibid at [51]–[52], [64].
9 Ibid at [54], [60].
10 Ibid at [60].
11 Ibid at [63].
12 Ibid at [51], [67]–[68], [76].
13 Ibid at [89], [94].
14 Ibid at [91].

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
