Managing the fallout from cyberattacks and major business incidents
The Australian Federal Court has released a decision of considerable interest to businesses investigating incidents and potential wrongdoing.
Optus has lost its bid to keep secret the cause of a cyberattack in 2022, which resulted in exposure of personal information for almost 10 million customers (Robertston v Singtel Optus Pty Ltd [2023] FCA 1392).
Optus cyberattack - what happened?
Optus, a large telecommunications provider in Australia, was the victim of a large scale cyberattack in 2022. Data relating to almost 10 million Optus customers and former customers was stolen in the cyberattack and personal information including names, contact details and passports was posted on the dark web.
Class action proceedings are underway in relation to the Optus data breach. Slater and Gordon, acting for the claimants, sought disclosure of the Investigation Report. Optus tried to withhold that report on the basis that it was protected by legal professional privilege. The matter went to court.
Optus ordered to disclose the Deloitte investigation report
Optus was ordered to disclose a forensic investigation report (Investigation Report) commissioned from Deloitte in the aftermath of the 2022 cyberattack.
In typically direct fashion, the Australian Federal Court gave short shrift to the argument that the Investigation Report was subject to legal professional privilege. Rather, the Court found that the report had multiple purposes, one of which was to respond to class action proceedings (but this was not the dominant purpose). Given the efforts made to withhold the report, it presumably contained information that did not assist Optus' defence to claims that it breached consumer and telecommunications law and failed in its duty of care to protect users from harm.
The dilemma for businesses – should you disclose findings from investigations?
After a serious incident, such as a cyberattack, businesses (especially customer-facing ones) want to take all steps necessary to investigate the root cause of the incident and implement improvements to ensure it doesn’t happen again. Understandably, businesses also want to reassure customers and the public that they are taking ownership of the problem and learning from mistakes.
On the other side of the coin, businesses do not want a report that details failures in their systems and processes to fall into the hands of claimant lawyers and aggrieved customers. This could expose the business to claims for damages for negligence/breach of statutory duty, which can be very significant.
A balance can be struck by ensuring that any initial incident report is obtained on instructions from a lawyer (in house or external counsel) for the purpose of giving legal advice. A public version of the investigation report can be distilled from the comprehensive privileged report.
Key lessons for businesses following the Optus cyberattack
Our recommendations to minimise the fallout for your business following a major incident are:
- Engage your lawyer (in house or external counsel) immediately after an incident occurs to marshal the response.
- Take care when instructing a third party (or an internal project team) to prepare an investigation report.
- The instructions should be given by a lawyer and explicitly record that the report is being prepared for the purpose of giving legal advice and (where relevant) in preparation for legal proceedings.
- Develop clear communications protocols to ensure that communications relating to the report (such as requests for information) are protected by privilege.
- Ensure that any media releases do not undermine a privilege claim and involve legal counsel in public relations strategy.
- If legal proceedings are reasonably apprehended, it is important to record that view in Board/meeting minutes.
At Anthony Harper we have considerable experience assisting clients in response to incidents and investigations.
For a confidential discussion, get in touch with Lucy Scott.
What is legal privilege and why did the claim fail in this case?
Legal professional privilege applies at common law in Australia to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings.[1] There is a similar privilege in New Zealand that attaches to all communications created for the dominant purpose of preparing for legal proceedings that are in existence or reasonably apprehended (litigation privilege). The principles in the Optus judgment are relevant to any claim to litigation privilege in New Zealand, given the common dominant purpose test.
While Optus' claim to litigation privilege failed on a number of fronts, the "own goal" by Optus was a media release informing the public that Deloitte was carrying out a forensic review, which "would play a crucial role in the response to the incident for Optus, as it works to support customers".[2] The Chief Executive Officer of Optus, Ms Bayer Rosmarin was also quoted as saying "This review will help ensure we recognise the significant concern it has caused many people. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and the risk of cyberattacks exist".[3]
Evaluating this evidence, Justice Beach said "none of this bespeaks or manifests a dominant purpose in the nature of a privileged purpose".[4] The judgment is also critical of the evidence called by Optus, noting that it relied solely on an affidavit from its General Counsel and Company Secretary (who was not cross examined), and it did not produce contemporaneous documents including notes and minutes recording the decision to instruct Deloitte and for what purpose. This made Optus vulnerable to the challenge that Deloitte was instructed to prepare the Investigation Report for multiple purposes, not predominantly for the purpose of obtaining legal advice.
[1]Robertston v Singtel Optus Pty Ltd [2023] FCA 1392 at [87]. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparing for obtaining) legal advice or the provision or legal services, including legal representation in litigation or other proceedings.
[2]Robertston v Singtel Optus Pty Ltd [2023] FCA 1392 at [29].
[3] Ibid.
[4]Robertston v Singtel Optus Pty Ltd [2023] FCA 1392 at [32].