Privilege challenges remain for multi-purpose investigation reports
The Full Federal Court has denied Optus’ request to overturn a previous Federal Court ruling. The initial ruling dismissed Optus’ claim of legal privilege over a factual investigation report commissioned in response to a data breach, on the basis that Optus had not established that the report was prepared for the dominant purpose of legal advice. Our earlier update on that decision is available here.
In refusing the appeal, the Full Court emphasised it will not be enough simply to establish that the report had a legal purpose. Rather, where there is evidence to suggest the report had other, non-legal purposes, it must also be established that the legal purpose is the dominant one.
The decision reinforces the challenges with claiming privilege over factual investigation reports where they have multiple legal and non-legal purposes, including regulatory compliance, audit and financial reporting, operational and/or risk-mitigation purposes. Those challenges are most significant where different parts of an organisation are not aligned on the report's purpose or purposes and, in particular, which of them is dominant. In supporting a privilege claim, it may not be enough for the inhouse legal team, for example, to maintain that the legal purpose is dominant when there is other evidence of other meaningful, non-legal purposes for the report.
In this Insight, we examine the Full Court's reasoning, assess its implications and offer practical guidance on how to maximise the prospects of a privilege claim being sustained.
Key takeaways
- The Full Federal Court has refused Optus' appeal of Justice Beach's decision that a factual investigation report prepared by Deloitte concerning a major data breach was not privileged.
- This decision highlights the challenges associated with claiming privilege over investigation reports that are necessarily prepared for multiple purposes, such as legal, regulatory compliance, audit and financial reporting, operational and/or risk-mitigation purposes.
- It is not sufficient to establish that a report has a legal purpose; it must be established that the legal purpose was the dominant one.
- Whether privilege applies is highly factually dependent. To assess purpose, courts will examine all of the circumstances in which an investigation report was prepared. For such a report to be privileged, consistent business-wide alignment is required.
- The decision also shows that detailed evidence about the dominance of the legal purpose over all other purposes will be required to support a privilege claim over an investigation report, particularly where there is also evidence of other purposes (which will often be the case).
- Practical steps include ensuring key decision-makers turn their minds to, and agree on, the purpose(s) of the investigation, and taking steps to optimise the prospects of a privilege claim being sustained (see further details below).
Background: the data breach and the independent review
In September 2022, Optus publicly disclosed a large data breach impacting up to 10 million customers, sparking significant public and regulatory attention. The company appointed Deloitte to conduct an independent review of the incident, as recommended by Optus' CEO and supported by the Singtel board.
Deloitte's review began in early October 2022 to investigate the circumstances of the cyberattack, evaluate Optus’ management of cyber risk, and assess the incident response. Upon completion, Deloitte provided its report to Optus' general counsel.
A class action was commenced against Optus over the data breach. The applicants sought access to Deloitte's report, arguing it was not prepared for the dominant purpose of legal advice or litigation and, in any event, any privilege had been waived through public statements. Optus contested these claims, asserting the report was privileged. In November 2023, Justice Beach found Optus had not established that the dominant purpose of the report was a legal one.
Grounds of appeal and the decision
Optus appealed the rejection of its privilege claim on numerous grounds. They can be grouped as follows:[1]
- that the court had given insufficient weight to the evidence of its general counsel and company secretary, in circumstances where that evidence was uncontradicted and not subject to cross-examination; and
- that the court had assessed the purpose of the report at the wrong point in time. Optus contended that the court should have assessed the relevant purpose at the date the report was provided to Optus by Deloitte, rather than around the time Deloitte had been engaged.
The Full Court rejected both contentions.
The Full Court decided that Justice Beach had clearly accepted that Optus' legal team's purpose for the report was a legal one, but as Optus' internal documents also disclosed the existence of non-legal purposes for the report, the general counsel's evidence was insufficient to support the privilege claim. The evidence should have also 'attempt[ed] to contextualise the non-legal purposes as opposed to the legal purpose'.[2] Evidence from the CEO would have helped to establish which of these purposes, if any, was dominant.[3] Optus had, therefore, not satisfied its burden of establishing that the legal purpose was the dominant one.[4]

As to when the dominant purpose will be assessed, the Full Court held that 'the proper date upon which to assess purpose will depend upon the particular circumstances of the case.'[5] On the facts of this case, the Full Court decided that the time between public statements announcing the appointment of Deloitte to conduct a review of the cyberattack and the board resolution approving that appointment was the appropriate time within which to assess the report's purpose.[6] In that context, proper regard was had to evidence of the report's commissioning and evidence of subsequent events, such as the formal letter of engagement of Deloitte; Optus' public statements about the report; and the board resolution to procure it.[7]
Implications
While this decision does not create new law, it does highlight the significant challenges in supporting privilege claims over investigation reports and root cause analyses that follow material events that adversely affect organisations, like cyber incidents. Those challenges arise from the multiple purposes, including legal, regulatory compliance, audit and financial reporting, operational and/or risk-mitigation purposes, for these processes.
It further underscores the importance of whole-of-business alignment on the purpose or purposes of a factual investigation report. If its dominant purpose (effectively, that which justifies its creation) is for legal advice, this must be consistently understood and embraced across the business. Evidence from both the time of commissioning and later events may be relevant.
Where there is evidence of multiple purposes (which will often be the case for these types of reports), the burden will rest with the party claiming privilege to establish a dominant legal purpose. This will likely require evidence, not only from the inhouse legal team, but also from senior decision-makers, particularly where there is contemporaneous evidence (whether public statements or internal records) that focuses on non-legal purposes.
Practical steps to take
We reiterate that when an investigation commences, it will be important to ensure that:
- key decision-makers (which may include the board, management and lawyers) actively turn their minds to, and agree on, the purpose(s) of an investigation or root-cause analysis;
- where those people agree that the work is being done for a dominant legal purpose, take steps to optimise the prospects of a privilege claim being sustained, including by ensuring that:
  - terms of reference and engagement are formulated and implemented promptly, and that they clearly identify that the work is for the sole or, at least, dominant purpose of assisting with legal advice or litigation;
  - inhouse or external lawyers have responsibility and oversight of the review or investigation, and that they ensure they receive the information they need to provide the legal advice or litigation assistance the company seeks from them; and
  - there are clear directions for maintaining confidentiality, and for how and when issues will be escalated and reported internally (including carefully considering any public statements about the investigation).
Footnotes
1. Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 at [4].
2. Ibid at [78].
3. Ibid at [64]–[65].
4. Ibid at [64].
5. Ibid at [88].
6. Ibid at [94].
7. Ibid at [94].