Case review | External report into cyber attack on national telco delivers a lesson in legal professional privilege

Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58

KEY TAKEAWAYS:

A forensic investigation report commissioned by national telecommunications company Optus into a cyber attack in 2022 became the centre of a dispute over legal professional privilege (LPP).

The Full Court of the Federal Court of Australia upheld a primary Judge’s determination that the report was not protected, affirming that:

  • a claim of LPP over a report will not be successful unless it satisfies the “dominant purpose” test, which requires that the primary purpose of the report is to provide legal advice or legal services in relation to existing or anticipated legal proceedings
  • “focused and specific” evidence is needed to prove that the provision of legal advice or services is the dominant purpose of a commissioned report, particularly one with multiple potential purposes
  • Courts will examine media releases, public statements by CEOs and Board papers to assess whether the language used supports or conflicts with a claim for LPP.

Improving corporate cybersecurity and privacy controls is not the only learning from the cyber attack that compromised the private data of more than 9 million Optus customers in September 2022.

A forensic investigation report commissioned by Optus to review the incident and the company’s systems and controls became the subject of an LPP dispute and later appeal to the Full Court of the Federal Court of Australia.

The judgment handed down includes important insights into the role corporate public statements can play in supporting or undermining claims for LPP, particularly in the absence of direct witness evidence.

Legal professional privilege (LPP)

LPP is the principle that confidential communications between a lawyer and their client (and a third party in some circumstances) are protected from compulsory disclosure. The purpose of this protection is to encourage frank and fulsome communication between clients and their legal advisors.

In the Optus case, the Full Court of the Federal Court of Australia affirmed a primary judge’s finding that LPP did not apply to a forensic investigation report prepared for Optus into the release of private data of up to 9.5 million Optus customers as a result of a cyber attack between 17 and 20 September 2022.

Optus had sought to claim LPP over the report by asserting that:

  • the report had a privileged purpose, which was to enable Optus’ lawyers to provide legal advice to Optus to fulfil the company’s obligations and protect its rights in responding to the cybersecurity incident
  • the privileged purpose was the dominant purpose of the report.

Dominant purpose

Optus relied on the affidavit evidence of Optus’ General Counsel as to his state of mind when retaining external solicitors and engaging Deloitte to conduct an independent forensic review of the cyber attack to help Optus’ legal team provide advice.

While the state of mind of Optus’ General Counsel was a relevant consideration, the Full Court also considered Optus’ “corporate state of mind” and “the existence of non-legal purposes for procuring the Deloitte Report” as expressed in:

  • an Optus media release announcing the appointment of Deloitte to conduct an independent external review of the cyber attack and its security systems, controls and processes. The media release stated: “This review will help ensure we understand how [the cyber attack] occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus.”
  • a Board resolution, which addressed the nature of the review to be undertaken but did not expressly state Optus’ purpose in appointing Deloitte.

Specific and focused evidence

In considering all of the evidence, the Full Court found Optus failed to establish that legal advice was the dominant purpose of the report.

According to the Justices: “There was evidence before [the primary Judge] as to a multiplicity of purposes for commissioning the Deloitte Report.”

The media release showed that [the CEO] had recommended its commissioning and had expressed non-legal purposes for doing so, and the Board had unanimously agreed with that recommendation. Optus had the burden of establishing that the legal purpose was the dominant purpose for which the Deloitte Report was commissioned...

The Court went on to affirm the findings of the primary judge that there were multiple purposes for which the Deloitte Report was commissioned and that the evidence did not establish that the report was procured for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.

This decision underscores the quality and precision of evidence needed to support a claim for LPP.

Applying Optus LPP learnings to a workplace investigation

There are a number of reasons why an employer may seek LPP over communications, such as the final report created during a workplace investigation. These include protecting the identities of participants, maintaining ongoing employee relationships, and protecting personal or commercial information that emerges during the investigation.

Q Workplace Solutions Principal Paula Hoctor explores LPP in detail in Chapter 12 of the leading industry handbook, Workplace Investigations Principles and Practices, 2nd Edition (Lexis Nexis 2023).

Key considerations for workplace investigators and employers in LPP cases include:

  • confirming as early as possible if an investigation and associated documents will be subject to a claim of LPP
  • ensuring all documentation related to the investigation and appointment, such as the engagement letter, terms of reference and Board circulars, reflect that the purpose is to enable the provision of legal advice and/or legal services in relation to litigation
  • developing an interview protocol, signed by participants, that explains how documents generated will be handled, including that they will not receive a copy of investigation documents
  • ensuring investigation documents are marked “Confidential and Subject to Legal Professional Privilege” with the final report only provided to the lawyer who commissioned the investigation
  • refraining from making any public statements on a workplace investigation, or if required, ensuring they clearly state the purpose of the investigation is to provide legal advice and/or legal services
  • maintaining clear separation between the investigation process and any potential disciplinary processes that follow.

More information

Seasoned workplace investigators from Q Workplace Solutions – one of Australia’s largest independent specialist workplace investigations firms – will step through the fundamentals of an effective workplace investigation at an upcoming Q Workplace Training workshop in Brisbane on 11 September. Places are limited. This is Q Workplace Training’s second-last scheduled workshop for 2024. Book now to secure one of the final remaining places.
