Mixed purpose investigation reports at greatest risk of disclosure
The Federal Court has found that a report by Deloitte on its external review of Optus's data breach is not privileged, despite Optus's claim that the report's dominant purpose was to assist its lawyers in advising it in relation to the September 2022 cyberattack. It is expected that Optus will now be required to produce the Deloitte report (and, potentially, supporting documents) to the applicants in the Federal Court class action against it.
This is the latest in a line of Australian court decisions that have exposed the significant challenges in making legal professional privilege claims over investigation reports or 'root cause' analyses that can often follow major unexpected events or alleged corporate wrongdoing. Those challenges arise where the investigations and their reports have multiple legal and non-legal purposes. To optimise the prospect of privilege attaching to investigation materials, substantial care must be taken throughout investigations and, again, when responding to calls for the production of those materials in court.
In this Insight, we explain the decision and give practical guidance.
- For privilege to attach to investigation reports or root cause analyses, their dominant purpose must be the provision or receipt of legal advice or use in litigation.
- Whether a legal purpose is the dominant purpose is assessed at the time the investigation commences – sometimes even before the investigation's scope and mechanism have been fully determined and documented.
- When supporting privilege claims over this material in court, clear, detailed and compelling evidence from key decision-makers about their understanding of, and intentions for, the investigation will be critical to the court's decision on whether the privilege claim can be sustained.
- The involvement of inhouse or external counsel in commissioning, monitoring and reporting on an investigation will not, in some cases, be enough to attract privilege to investigation reports and their associated documents.
In September 2022, Optus announced that it had suffered a large-scale data breach involving the data of up to 10 million customers. The announcement attracted major public, political and regulatory attention, and sparked interest from class action promoters.
On 3 October 2022, Optus issued a media release (later to be given significant weight by the court) announcing it was appointing Deloitte to conduct an independent external review of the cyberattack and its security systems, controls and processes. Optus said, among other things, that the review had been recommended by Optus's chief executive officer, and was supported unanimously by the Singtel board. A statement attributed to the CEO suggested Optus would share 'lessons learned' with its customers.
By early to mid-October 2022, Deloitte commenced work in relation to its investigation into the data breach, though the terms of reference and engagement were still being settled.
Between 9 and 11 October 2022, the Optus board discussed and then signed a circular resolution resolving to appoint Deloitte to undertake the review referred to in Optus's 3 October media release, including to:
- identify the circumstances and root causes leading to the cyberattack;
- review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the cyberattack; and
- review the cyberattack incident response, and the appropriateness of actions taken, having regard to the existing crisis management policies and procedures.
The resolution also required Optus management to report back to the board in relation to the review.
Following those resolutions, on instruction from Optus's general counsel (GC) and company secretary, Deloitte was formally engaged by Optus's external counsel, Ashurst, to do that work.
Shortly after a class action was commenced against Optus in connection with the cyber incident, Deloitte provided its report to Optus's GC and external solicitors. The class action applicants sought production of the Deloitte report and all documents provided to Deloitte for the purposes of preparing it, arguing that the report was not prepared for the 'dominant purpose' of Optus obtaining legal advice and that, alternatively, any privilege had been waived by Optus's public statements about Deloitte's work. Optus resisted the application on the basis that the report and the associated materials were privileged.
Justice Beach decided that Optus had not established that the dominant purpose of the Deloitte report was a legal advice or litigation purpose.
His Honour decided, instead, that the investigation had been commissioned for various purposes including:
- a legal advice or litigation/regulatory proceedings purpose;
- a purpose more generally to identify the circumstances and root causes of the cyberattack for management purposes and rectification; and
- a purpose more generally of reviewing Optus’s management of cyber risk in relation to its policies and processes.
Each of the second and third purposes was clearly prominent in the CEO's mind when Optus first announced the investigation, and in the board's mind when it determined the scope of Deloitte's work. His Honour placed great emphasis on the media release and board resolution, in the absence of any other evidence from the CEO or board.
His Honour acknowledged that one of the relevant minds to attribute to Optus was that of its GC, who had provided the only evidence on which Optus relied in resisting the application. The GC's evidence was, essentially, that litigation and legal risks were at the forefront of his mind when he first became aware of the cyberattack, and that he had discussions with senior management as to how Deloitte's expertise could be utilised to assist him and Optus's external solicitors to give legal advice and manage legal risk. However, his Honour considered that this evidence was not sufficiently detailed or clear to satisfy him that the legal purpose was the dominant one, including because it was sometimes unclear when the GC was acting as GC or company secretary or both.
In any case, his Honour concluded that the GC's evidence formed only a part of the requisite analysis. He said that the states of mind of the CEO and the other board members were also highly relevant. On the available evidence, his Honour observed that the dominant purpose in the CEO's mind and the board’s mind, respectively, when the investigation was commissioned was not a defensive legal or litigation purpose.
While the engagement letter from Optus's external solicitors established a framework to support a privilege claim (which included a privilege protocol governing the exchange of documents between Deloitte, Optus and its solicitors), Justice Beach concluded that there was an element of artificiality in it. It was also significant that the engagement occurred after the board and senior management's views on the purpose of the investigation had been formed and the investigation had been commenced. While acknowledging the formal engagement letter was relevant evidence, his Honour concluded that it did not foreclose the argument that the investigation materials were not created for a dominant legal purpose.
In those circumstances, his Honour concluded that Optus had not discharged the onus of establishing that the Deloitte report was privileged.
On the separate question of waiver, his Honour stated that if he had found that the report was privileged, the applicants would not have established that privilege had been waived, including because none of the public statements referred to by the applicants put the contents of the otherwise privileged report in issue, and there had been no meaningful disclosure of the substance of Deloitte’s views or advice. The CEO's statement to the effect that Optus would share 'lessons learned' did not equate to any commitment to share the contents of, or findings in, the Deloitte report.
This decision is similar to some previous cases, such as AusNet Electricity Services Pty Ltd v Liesfield [1], Singapore Airlines v Sydney Airports Corporation [2] and Powercor Australia Ltd v Perry [3], in which the courts pointed to investigation and root-cause reports being prepared for a mixture of legal, compliance, reporting, operational and/or risk-mitigation purposes and, on the available evidence, the legal purpose was not dominant.
The decision contrasts with some other previous cases, usually concerning investigations of a more confined scope, in which the investigation report has attracted privilege. For example, in TerraCom Ltd v ASIC [4] and Diawara v National Australia Bank Limited [5], the court held there was clear and specific evidence, including, in the case of TerraCom, from the bank's executive chairman, that established that the dominant purpose of obtaining the reports was a legal purpose.
This decision highlights the very real risk of investigation reports failing to attract privilege, especially those that are created for multiple legal and non-legal purposes. Where investigation reports are partly required for an operational purpose, organisations should consider commissioning separate reports for that purpose. However, even then, it will often be difficult to prepare a non-privileged report without reference to factual information, such as root-cause observations, that an organisation might prefer not to disclose. Therefore, regardless of what privilege claim optimisation measures are adopted, organisations should always contemplate the potential consequences of disclosure throughout the course of an investigation and report preparation.
When an investigation commences, it will be important to ensure that:
- key decision-makers (which may include the board, management and lawyers) actively turn their minds to, and agree on, the purpose(s) of an investigation or root-cause analysis;
- where those people agree that the work is being done for a dominant legal purpose, steps are taken to optimise the prospects of a privilege claim being sustained, including by ensuring that:
  - terms of reference and engagement are formulated and implemented promptly, and that they clearly identify that the work is for the sole or, at least, dominant purpose of assisting with legal advice or litigation;
  - inhouse or external lawyers have responsibility for and oversight of the review or investigation, and they ensure that they receive the information they need to provide the legal advice or litigation assistance that the company seeks from them; and
  - there are clear directions for maintaining confidentiality, and for how and when issues will be escalated and reported internally (including carefully considering any public statements about the investigation).
Finally, when an organisation is seeking to establish a privilege claim in court, it will need to provide clear, detailed and compelling evidence from key decision-makers involved in commissioning the investigation – preferably supported by contemporaneous records – that the legal purpose of the investigation report or root-cause analysis was the sole or dominant one.
Keep an eye out for our separate guide to privilege considerations following cyber incidents, which we'll be publishing shortly.
[1] AusNet Electricity Services Pty Ltd v Liesfield VSC 474.
[2] Singapore Airlines v Sydney Airports Corporation NSWSC 380.
[3] Powercor Australia Ltd v Perry VSCA 239; 33 VR 548.
[4] TerraCom Ltd v ASIC FCA 208; 401 ALR 143.
[5] Diawara v National Australia Bank Limited FCA 1048.