For Optus, legal professional privilege is a breach too far

Unless you have been living under a rock with no mobile reception, you will probably be aware that in September 2022, Optus suffered a massive data breach.  As the equitable maxim that “there can be no wrong without a remedy” has been updated for modern Australian conditions to “there can be no data breach without a class action”, a group proceeding is currently on foot in the Federal Court of Australia.

The proceedings are at the interlocutory skirmish stage, and the Full Federal Court has this week determined a skirmish about whether the plaintiffs can have access to an investigation report prepared for Optus by Deloitte.  The reasons why the Full Federal Court confirmed that the report was not protected by legal professional privilege provide useful lessons for the protection of investigation reports.

The troublesome press release and board resolution

Shortly after the data breach occurred, Optus issued a media release indicating that is intended to engage Deloitte to carry out an investigation. In due course, Optus’ solicitors did indeed engage Deloitte. So far so good – if the lawyers are engaging the investigators, the investigation report will be privileged and can be kept out of the hands of the plaintiffs, yes? Well, actually, no.

The media release was described by the primary judge as “a real problem for [Optus’] case” which “casts doubt on the picture that [Optus’ general counsel] has sought to portray”.  The source of the problem was that the media release contained what were described as “purportedly reassuring statements” about various ways that the Deloitte report was going to be used to rebuild trust with customers. Those purposes are not unlaudable in themselves, but they are not legal purposes. What Optus had to be able to show in order to obtain the protection of privilege was that the purpose of obtaining legal advice (in relation to potential legal and regulatory investigations) was the dominant purpose of obtaining the Deloitte report.

Another problem for Optus arose from the resolution of its Board which resolved to appoint Deloitte as investigator. That resolution referred to a number of non-legal purposes for Deloitte’s appointment. The fact that investigation may have non-legal purposes is not fatal to a claim for privilege as long as the legal purpose is the dominant purpose. However, the more purposes there are, the more important it will be to disentangle them from one another if the legal purpose is to be established as dominant.

The General Counsel’s Evidence

Optus attempted to establish legal purpose by the evidence of its General Counsel.  However, that evidence did not enable Optus to discharge the onus of showing that the legal purpose was the dominant purpose of obtaining the report. Critically, the Full Federal Court said that:

“in circumstances where the evidence showed that Optus had multiple purposes, his evidence did not address, or even acknowledge, the existence of the non-legal purposes nor explain or attempt to contextualise the non-legal purposes as opposed to the legal purpose, and thereby prove that the legal purpose was Optus’ dominant purpose.”

In particular, although the Full Federal Court accepted that the General Counsel’s purpose was “the legal purpose throughout”, the media release and the board resolution indicated that the Board and the CEO had other purposes which needed to be disentangled from the legal purpose if Optus’ privilege claim was to be accepted.  There was no direct evidence from the Board or the CEO (not even in the form of hearsay evidence given by the General Counsel) and the Full Federal Court described the evidence of the state of mind of the board and CEO as being “critically relevant once it is appreciated that the media release and the [Board] resolution showed the existence of non-legal purposes for procuring the Deloitte Report”.

Lessons from the case

It is often said that a sound principle of crisis management is that if you mess up, you front up and you ‘fess up.  However, that principle isn’t necessarily consistent with maintaining legal professional privilege. Here, it can be well understood that Optus wanted to convince customers as well as regulators that they were getting to the heart of the problem. The difficulty with that was that hearts have a number of chambers, and not all of them are pump blood in a legal direction.

This means that legal professional privilege can’t be used as a cloak to protect investigation legal problems. It also means that when legal and non-legal purposes are intertwined, the non-legal purposes will need to be clearly explained if it is to be shown that the legal purpose is dominant. It is not enough for a lawyer to say, “I am a lawyer, so my purpose for doing things must be a legal purpose, because that is what I do”. That is particularly so where the decision-maker (that is, the person or people whose purpose is attributed to a corporation like Optus) may be the Board, or a non-lawyer like the CEO, rather than the internal or external lawyer who actually commissions the report.

In a previous article on this website, we said that three things were certain – death, taxes, and fights over client professional privilege.  That must have been a reasonably good point, because it was cited with approval in an extra-curial speech given by the then Chief Justice of the Supreme Court of New South Wales.  The decision this week shows that the main certainty with legal professional privilege in a crisis management situation is that lawyers need to be involved from the beginning in establishing in ensuring that communications do not go a breach too far.

For more on our commercial law capabilities, contact Philip Stevens or William Han

For more on our litigation and dispute resolution capabilities, contact Leonard Lozina or Angus Macinnis

If you would like to get “Worth knowing” articles sent to you by email when we publish them, you can now sign up to our mailing list here

May 28
Commercial Law Litigation and dispute resolution