Last month, the Full Court of the Federal Court of Australia released a decision concerning legal professional privilege and a commissioned report relating to a data breach of the subsidiaries (Optus) of Singtel Optus Pty Ltd.

 The Federal Court of Australia had rejected Optus’ argument that the report was subject to privilege. In the latest decision, the Full Court affirmed that ruling.

 Most Australians will recall that between 17 and 20 September 2022, an Optus database was accessed without authorisation resulting in one of the most significant data breaches in Australian history, affecting a substantial portion of its 9.5 million customers. The fallout from that incident is still being felt today, and likely long into the future.

 In response to the theft, Optus (or one of its affiliates) commissioned Deloitte Touche Tohmatsu to prepare a forensic investigation report on the cyberattack (Report). The Report was ultimately provided on 13 July 2023 to the General Counsel of Optus (Mr Nicholas Kusalic) and to the law firm retained by Optus in relation to the attack (Ashurst).

 Trial Decision

 The Robertsons are part of a class action of Optus customers that was brought against Optus in relation to the cyberattack. They applied to the Federal Court of Australia seeking discovery and inspection of the Report. The primary judgment by Beach J was lengthy and set out a detailed summary of principles (see [85] to [100], approved and adopted by the FCFCA at [23] of the appeal decision).

 After going through detailed principles, the primary judge found that Optus had commissioned the report for three purposes: (1) legal advice or litigation / regulatory proceedings, (2) identification of the circumstances and root causes of the cyberattack for management purposes and rectification, and (3) reviewing Optus’ management of cyber-risk.

 Beach J ultimately decided that purposes (2) and (3) were the dominant purposes for the preparation of the Report. In deciding that, his Honour had reference to a number of public statements by Optus, including public statements by the CEO and a media release by the companies. These publications as well as internal company communications including board resolutions led to him giving reduced weight to the purpose of the company’s general counsel, and he resisted the urges of Optus to consider the general counsel’s state of mind as primary to determining Optus’s purpose.

 Also damaging for Optus’ claim was that the general counsel had been vague in the detail supporting his assertions relating to the purpose for commissioning the Report. Optus’s legal representatives Ashurst only engaged Deloitte some weeks after the company board decided to commission the report.

 An interesting subplot to the rulings was the relevant moment at which the purpose is to be discerned. This was not resolved in detail, but the primary judge was persuaded to consider the early public statements made by Optus relating to the independent review as the relevant time frame, although later events will also be relevant.

 The Appeal

 Optus appealed the decision, arguing that the primary judge erred in failing to find the Report was prepared for the dominant purpose of obtaining legal advice or the provision of legal services. There were a number of justifications for this argument, including that the primary judge referred to the wrong moment at which the purpose was to be discerned, or placed insufficient weight on the general counsel’s evidence about the purpose that went unchallenged, or drew adverse inferences from the lack of evidence by the Optus CEO, or wrongly assessed Optus’ purpose with reference to the CEO’s public statements.

 The key issue remained whether or not the Report had been created for the dominant purpose of Optus “giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings” (FCFCA at [24]).

 As the case concerned pre-trial disclosure rather than adducing of evidence, the relevant principles were those of common law rather than the Evidence Act.

 The FCFCA ruled that the purpose for which a document is created is “to be determined objectively, having regard to the evidence, the nature of the document and the parties’ submissions” (FCFCA at [25]). The actual (subjective) purpose of the person preparing the document is not conclusive of the issue, and often the character of the document will be important in determining its purpose (FCFCA at [26]). Where there are two or more purposes for preparing a document, the privileged purpose must be the predominant, paramount or most influential purpose (FCFCA at [27]).

 The FCFCA also made it clear through a number of authorities that it was not bound to accept the say-so of witnesses relating to the purpose for which a document was created, even where that evidence is unchallenged.

 Having set out those principles, the FCFCA was not moved by Optus to dislodge the primary judge’s decision. The Court agreed that, especially given the multiple purposes of the Report, the states of mind of the CEO and other board members were highly relevant to understanding Optus’s state of mind. What is more, Optus did not call those officers as witnesses. The Court considered evidence of internal and external communications and concluded there could be no doubt that other purposes were behind the commissioning of the Report. What is more, Optus could not show that the purpose of obtaining legal advice was forefront in the minds of key company personnel, including the board and the CEO.

 The evidence of the general counsel that the Report was for legal affairs was criticised as being insufficiently “focused and specific” about key discussions with senior company staff (FCFCA at [49]), and a notable omission in his evidence was an explanation or contextualization of the non-legal purposes that clearly pervaded Optus at that time. For the lawyer readers, the Court hinted that his affidavit could have been better drafted by engaging in (what counsel for Optus called) “the New South Wales fetish of direct speech”.

 Implications

 The primary and appeal decisions illuminate the eggshells on which organisations must tread when responding to a crisis, and the importance of managing the totality of communications by various personnel in a large organisation. Ultimately, Optus came unstuck because the Court was persuaded that its efforts at managing public relations revealed a purpose behind the Report that was not predominantly related to the legal affairs of the company. Its failure to duly explain and diminish those purposes relative to the legal purpose (for example, by calling the senior company officers as witnesses) was its undoing.

 The company’s media release and its CEO’s public comments made numerous references to commissioning a report for understanding how the problem arose and how it could be prevented in the future. Although the general counsel was concerned about legal affairs, other very important company staff had other purposes – in that sense, the general counsel “was a recommender to the recommender in relation to the proposed investigation, with a particular legal focus, and the evidence showed the existence of other purposes” (at [53]).

 It is unclear how Optus could have done things differently. In a moment of unprecedented public demand for accountability and action, public comments by the company about preparing a Report for defending possible legal claims would have gone down like a lead balloon. But especially for large organisations, the lesson is clear: ensuring communications by various staff are (in the words of Beach J) “singing from the same hymnbook” is important to ensuring privilege is not later undermined.

 The outcome is that the Robertsons likely have their Report, pending redactions for reasons of other privilege. And the fallout from the Optus data breaches will undoubtedly continue in the form of further proceedings.
