Legal protections in the age of data breaches: Lessons from the Optus Class Action

In 2022, Optus experienced a high-profile data breach. The forensic report into that incident is now pivotal in a class action being brought against Optus. The report, expected to contain detailed insights into the data breach, is crucial for potential claims of negligence or wrongdoing in Optus’ actions before and during the incident.

As part of the class action case, an interim application was made to the Court to access the report. This was due to Optus resisting the report’s disclosure, asserting that it was subject to legal professional privilege (LPP). However, the Court rejected this assertion as Optus failed to demonstrate that the report was produced primarily to obtain legal advice during the data breach response process. 

This article considers the incident, the Court’s decision, and key takeaways from the case.

What happened?

Optus is facing a class action following a data breach in 2022 that impacted around 9.5 million customers. This data breach resulted in personal information relating to those customers – such as passports, driver licenses, and Medicare numbers – being published on the dark web. 

Deloitte was engaged to conduct an independent forensic investigation into this data breach. This investigation assessed what vulnerabilities were exploited by cybercriminals, examining the circumstances surrounding the incident and Optus’ response.

Following the data breach, it has been alleged that Optus breached its contracts with customers, duty of care, and consumer, privacy, and telecommunications laws by failing to protect customers’ information.

To substantiate these allegations, the applicants sought access to Deloitte’s forensic report. However, Optus resisted its disclosure, instead asserting that LPP applied to the report. 

Why is a forensic report relevant?

A forensic report is significant for those seeking to bring a claim after a data breach. This is because a report serves as a comprehensive document that focuses on the technical intricacies of the incident (for example, it provides details of what happened, what was impacted, and whether or not the breach is now contained). This level of detail is essential to inform a data breach response strategy. 

It can, therefore, play a central role in constructing a legal claim by providing detailed information and expert insights that support arguments of negligence or wrongdoing on the part of the breached organisation. Further, by offering an analysis of how the breach occurred and what tools were in place to prevent or minimise the breach, the report can shed light on claims for non-compliance with legal or regulatory standards. 

How can you protect a forensic report from being disclosed?

To prevent the disclosure of forensic reports, breached organisations, such as Optus, often claim a forensic report is protected by LPP.

Where LPP applies, it can prevent the disclosure of sensitive information within the forensic report being disclosed to third parties, such as individuals bringing a claim against the breached organisation. 

LPP is a central legal principle designed to promote efficiency in the legal process. Its primary function is to empower clients by creating a safe space to exchange information with their lawyers. This, in turn, enables clients to confidently seek informed advice on navigating legal requirements (for example, regulatory obligations following a data breach).

When does LPP apply to a forensic report?

When establishing whether LPP covers a forensic report, the Court will apply a common law test known as the ‘dominant purpose test.’

The dominant purpose test provides that a document or communication will attract LPP if it was brought into existence for the dominant purpose of giving or obtaining legal advice or for use in litigation.

The onus of proving the dominant purpose of a document or communication lies with the party claiming LPP. If a document had been brought into existence regardless of an intention to seek legal advice, it would not generally be privileged.

A document may have multiple purposes, but if legal advice is not the dominant (meaning paramount) purpose, LPP will not apply to the document as a whole.

A key consideration is that the dominant purpose is determined at the time in which a document is created, so LPP cannot be retrospectively applied by referencing how a document was used.

Did Optus claim LPP over the Deloitte report?

Yes – Optus argued the dominant purpose for the Deloitte forensic report was for Optus to obtain legal advice regarding the various legal risks arising from the data breach.

What did the Court decide? 

It was held that, in this case, the evidence provided by Optus did not establish the forensic report was for the dominant purpose of Optus obtaining legal advice. The reasons for this include:

• Purpose – there was evidence the report had a general scope not limited to the data breach. For example, the investigation included a review of Optus’ management of cyber-risk in relation to its policies and processes.
   
• Media – Optus, via media statements, publicly represented the report served multiple purposes beyond the provision of legal advice, including how Optus could prevent a similar incident from happening again and to rebuild customer trust.
   
• State of mind – there was evidence to suggest the report was commissioned with broader cyber posterity and remediation purposes in mind. While the view of Optus’ general counsel was relevant, evidence suggested that the report also had a purpose and a function for various Optus management personnel who were non-lawyers.
   
• Retainer with investigator – Optus’ engagement of Deloitte via its lawyers after commencing its investigation was insufficient to retrospectively ‘cloak’ the forensic report with privilege that it did not otherwise have.

What is next?

It is technically open for Optus to appeal the decision. However, this could be challenging. 

To appeal the decision, Optus would need to seek leave from the Court first. This would require Optus to successfully demonstrate that the decision was wrong or doubtful and that it would suffer a substantial injustice if the decision was allowed to remain in force. 

What are the key takeaways from the case?

This case reiterates that LPP is an intricate and nuanced topic, and an important safeguard for organisations in dealing with a cyber incident. How it is established and maintained needs to be carefully planned, executed, and applied. The key takeaways include:

• Legal engagement – it is essential that external lawyers are engaged from the outset when a data breach occurs, and in particular, before the forensic investigation. Data breaches can have a long tail, and experienced cyber security and privacy lawyers can advise as best to preserve LPP over aspects of the incident response process. However, to do so effectively, legal advice must be sought immediately upon discovering an incident to ensure all relevant third parties act consistently with (and do not waive) LPP. 
   
• Scope and purpose – care needs to be taken to ensure that the scope of any forensic investigation report is confined to identifying the facts that will assist in assessing an entity’s legal obligations arising from an incident. Accordingly, it is essential to consult with cyber specialists and lawyers about what is required from a forensic report to inform the data breach response process.
   
• Communications – communications regarding a breach (both internal and external) need to be carefully considered. A balance must be struck between reassuring regulators, affected individuals, and the public that an incident is being appropriately managed while preserving LPP. Accordingly, it is essential to consult with cyber communications specialists and lawyers about the content of communications with stakeholders to protect LPP.
   
• Reporting – internal reports following a data breach (e.g., Board reports) must reflect an organisation’s state of mind and intentions following a data breach, as well as what has been decided and why. Preparing and testing data breach response processes before a cyber incident is critical in ensuring that the correct communication channels are established before a data breach.  

For a more detailed briefing on the case, please contact us.

Clyde & Co’s Technology & Media Team houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand. Having managed over 5,000 incidents globally, we know how to manage cyber risks.

We are focused on providing an end-to-end solution that covers all aspects of cyber, data protection and technology-related risk. Our service offering in Australia and around the world covers pre-incident, incident response and regulatory and litigation services.

For more information, please contact our team – John Moran, Reece Corbett-Wilkins, Richard Berkahn, Alec Christie, Stefanie Luhrs or Chris McLaughlin