Optus Unveils Cybersecurity Woes: Privilege Claim Over Deloitte Report Crumbles
November 2023, Georgia Marwick, Data Privacy Lead at CSO Group
Optus has lost its battle to shield the Deloitte root-cause cyber breach report under the cloak of legal privilege. The revelation comes as a blow following a class action initiated in April 2023 against Optus and related entities concerning a data breach that rattled the company's foundations in mid-September 2022.
The Legal Tussle Unveiled:
Optus, through an external law firm, enlisted Deloitte to analyse the details of the breach, seeking a comprehensive report on the incident. Fast forward to April 2023, a class action thrust Optus into the legal spotlight, with the applicants seeking access to the Deloitte report as part of the discovery process. Optus asserted legal professional privilege over the document.
Cracks in the Privilege Claim:
However, the protection Optus sought to claim over the Deloitte report crumbled when the court delivered its verdict. Justice Beach, in the judgment of Robertson v Singtel Optus Pty Ltd FCA 1392, ruled that Optus failed to satisfy the "dominant purpose" test of privilege. This pivotal ruling paves the way for the class action applicants to delve into Deloitte's findings regarding the data breach.
Deloitte's Investigative Aim:
The Deloitte report, crucially, was initiated not only to uncover the facts and circumstances surrounding the breach but also to provide Optus with an understanding of the incident's underlying causes. The emphasis on engaging cyber-related experts underscored the gravity of the situation.
The Legal Landscape:
Optus's defence rested heavily on the assertion that the Deloitte report was aimed at advising the company on legal risks and regulatory implications arising from the breach. A successful privilege claim would have shielded the report from the class action applicants. However, Justice Beach's ruling rejected this claim, finding that the Deloitte report served various purposes, including legal advice, root-cause analysis for management, and a review of Optus's cyber-risk management policies and procedures.
The Court also noted that there is scope for the telco to seek redaction of those portions of the report that contain legal advice. Any such redactions will, however, be limited to those portions only; Optus cannot withhold the report in its entirety.
The Dominant Purpose Dilemma:
Asserting legal professional privilege hinges on the "dominant purpose" test of a communication. For a document to be privileged, legal advice or use in litigation must be its predominant purpose. Justice Beach's ruling highlighted that Optus fell short in proving the Deloitte report's dominant purpose was seeking legal advice.
Where did Optus go wrong? The court pointed to public statements and board resolutions that indicated a variety of purposes behind the Deloitte engagement. As Justice Beach noted, Optus's emphasis on rectification, rebuilding trust, and conducting a root-cause analysis shifted the dominant purpose away from obtaining legal advice.
Conclusion: A Cybersecurity Reality Check:
Optus's loss of privilege over the Deloitte report serves as a stark reminder of the legal intricacies surrounding cybersecurity investigations. As the industry grapples with evolving threats, companies must tread carefully to ensure legal strategies align with the dominant purpose of their actions. The Optus case leaves a lasting imprint on the intersection of cybersecurity and legal defence, urging companies to reevaluate their approaches in the face of the ever-present cyber risk landscape.
At CSO Group, we provide effective ICT cyber security services and solutions to mitigate business risks and threats. To find out how we can help your business improve its cyber resilience, contact the CSO team and learn more about our integrated cyber security approach.