Legal Privilege in Cyber Breaches: Insights from Robertson v Singtel Optus Pty Ltd [2023] FCA 1392

In the ever-evolving landscape of cybersecurity, legal professionals grapple with complex issues related to data breaches, privacy, and legal privilege. The recent case of Robertson v Singtel Optus Pty Ltd [2023] FCA 1392 sheds light on these critical matters. Let’s explore the nuances of this case and its implications for Australian entities.

Background

Between 17 and 20 September 2022, Singtel Optus Pty Ltd (Optus) faced a significant cyber attack. The breach potentially compromised the personal information of up to 9.5 million Optus customers. In response, Optus engaged external solicitors to provide legal advice and assistance.

The Role of IT Forensic Reports

As part of the incident response process, companies often retain IT forensics experts to investigate and mitigate breaches. These experts play a crucial role in stopping the breach and providing legal advice, especially when privacy has been compromised.

The Deloitte Report

Deloitte was appointed by Optus to conduct an independent review of the cyberattack. The Deloitte Report contained findings related to the breach, security controls, and processes. However, the pivotal question arose: Could Optus claim legal professional privilege (LPP) over this report?

Legal Professional Privilege (LPP)

LPP is a fundamental legal principle that protects confidential communications between a client and their legal advisor. To claim LPP, the material must be created for the dominant purpose of obtaining legal advice or in anticipation of litigation or regulatory action.

The Court’s Ruling

The Federal Court, in a judgment handed down by Judge Beach, rejected Optus’s privilege claim over the Deloitte Report. The court emphasized that privilege applies only when the dominant purpose is for legal advice. Since the Deloitte Report primarily served an investigative function, it did not meet this criterion.

Implications and Takeaways

  1. Clear Purpose: Companies must carefully delineate the purpose of IT forensic reports. Privilege won’t automatically cover such reports; they must be genuinely tied to legal advice or litigation.

  2. Balancing Act: Balancing cybersecurity needs with legal obligations is crucial. Entities should involve legal advisors early in breach response to maximize privilege protection.

  3. Precedent: This decision sets an important precedent for Australian organizations navigating the intersection of cybersecurity and legal responsibilities.

In summary, the Robertson case underscores the importance of understanding the boundaries of legal privilege in the context of cyber incidents. Australian entities should take note and proactively address legal considerations during and after data breaches.

Disclaimer: This article provides general information and does not constitute legal advice. Consult legal professionals for specific guidance related to your circumstances.
