Opinion

Medibank class action: navigating the legal privilege maze

Concerns about claims of legal professional privilege over third-party investigation reports produced in the course of responding to cyberattacks, and the extent to which such reports can be shielded from disclosure in legal proceedings, were under consideration again in the Federal Court of Australia’s recent decision in McClure v Medibank Private Limited [2025] FCA 167 (McClure v Medibank).

The challenges of maintaining privilege claims are particularly relevant when those reports serve multiple purposes, such as for regulatory, operational, or stakeholder communication purposes. The ruling underscores the importance for cyber crisis management teams to adopt a clear and considered approach to privileged material to ensure privilege is maintained over investigation reports commissioned for a legal purpose.

The decision arises from a class action brought against Medibank Private Limited (Medibank) relating to its October 2022 data breach. Although Medibank successfully defended privilege claims over reports commissioned from certain third-party forensics vendors (e.g., reports relating to negotiations with the threat actor), Medibank failed to maintain its privilege claim over three reports prepared by Deloitte. The Federal Court’s reason was that the Deloitte reports served multiple purposes, and obtaining legal advice was not their ‘dominant purpose’. Medibank has sought leave to appeal the court’s decision in relation to the Deloitte reports.

Background

Medibank, one of Australia’s largest private health insurers, experienced a major cyber breach in October 2022 in which threat actors gained unauthorized access to Medibank’s IT systems and exfiltrated vast quantities of customer data, including sensitive health information. In response to the breach, a class action lawsuit was filed against Medibank. The lawsuit alleges that Medibank failed to adequately protect customer data and did not take sufficient measures to prevent the cyberattack. The applicants sought production of several reports prepared by various third-party forensic vendors, including Deloitte. Medibank claimed legal privilege over these reports, asserting that they were created for the dominant purpose of obtaining legal advice, briefing counsel, and preparing Medibank’s defense in the proceedings, and as such were privileged and not discoverable in the proceedings.

Privilege claims over reports

Legal professional privilege is a fundamental principle that protects the confidentiality of communications between legal advisors and their clients. Legal professional privilege applies to confidential communications created for the ‘dominant purpose’ of obtaining legal advice or for use in litigation or regulatory proceedings. The primary purpose of legal professional privilege is to ensure that clients can communicate openly and honestly with their advisors without fear that these communications will be disclosed to third parties, including courts and opposing parties.

In McClure v Medibank, the court found that each of the investigation and forensics reports prepared by CrowdStrike and Threat Intelligence were protected by privilege because the evidence established that those firms were engaged by Medibank’s lawyers for the dominant purpose of providing technical assistance and to enable Medibank’s lawyers to provide legal advice, including in relation to legal proceedings. Conversely, the court decided that the reports prepared by Deloitte were not protected by privilege, because the dominant purpose of the reports was not for obtaining legal advice. Rather, the reports were prepared for both legal and non-legal purposes, with the following purposes being found to be ‘at least equally dominant, if not more dominant’ [at 325]:

  • According to a number of Medibank’s public announcements, including in ASX announcements and internal communications, Medibank referred to Deloitte’s engagement as being for operational and governance purposes and ‘to protect and safeguard customers’ [at 327]. In these statements, Medibank confirmed that Medibank, and not its lawyers, were responsible for commissioning the report by Deloitte, which further indicated that a dominant purpose of the report was for public relations management and to alleviate customer and market concerns.
  • Medibank stated in its communications with the Australian Prudential Regulation Authority (APRA) that it engaged Deloitte for the key purpose of avoiding the need for APRA to conduct its own investigations of the cyberattack. Again, the court considered these communications to be evidence that one of the dominant purposes of the report was to avoid APRA investigations [at 364].
  • The fact that Deloitte frequently reported to Medibank’s board directly without the involvement of external lawyers was considered by the court as evidence that the reports were commissioned for governance purposes, which weighed against the dominant legal purpose argument [at 372].

In addition, Justice Rofe decided that Medibank’s public announcements, in particular the ASX announcement referring to the implementation of one of the recommendations in a Deloitte report, would have waived privilege over that part of the report, because Medibank could not ‘at the same time maintain privilege in that part of the report setting out the recommendations to enhance Medibank’s IT processes and systems’.

Key takeaways from McClure v Medibank

  • Technical reports prepared for legal advice can be privileged: The decision clearly demonstrates that legal professional privilege can apply to technical reports prepared in response to a cyber incident, provided the ‘dominant purpose’ test is met. The role of internal or external legal counsel in directing the preparation of these reports to provide legal advice cannot be overstated. Organizations should ensure that internal or external lawyers (rather than the board) have responsibility for oversight of the investigation.
  • Subsequent use of documents outside of the lawyer-client relationship can affect privilege claims: Organizations should ensure that the terms of engagement with third-party vendors confine the scope of the report to legal advice. The McClure v Medibank decision aligns with a recent decision handed down by the Full Federal Court in the Optus data breach class action (Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58). In that case, Optus’s use of Deloitte reports for board advisory and public relations purposes demonstrated that those reports were not prepared for the dominant purpose of obtaining legal advice. Both cases highlight the importance for organizations to establish at the outset, and at an organizational level, the purpose of investigation reports. Where an investigation is undertaken for legal purposes but the report is subsequently used for other, non-legal purposes, privilege over the report may be lost. To the extent an investigation report is intended to have both legal and non-legal purposes, organizations may consider commissioning separate legal and non-legal reports.
  • Avoid or limit public statements or statements to regulators that could compromise privilege: The McClure v Medibank decision highlights the importance of a considered and coordinated communications strategy, and of ensuring that any public statements or communications with regulators in a cyber incident scenario are carefully formulated and managed. Such statements or communications can undermine dominant purpose arguments and thereby waive any privilege over reports.

Establishing and maintaining privilege over investigation reports and certain communications is critical in a cyber incident scenario. Organizations should ensure that their incident response teams, executive management, and boards fully understand the risks associated with failing to establish, or waiving, privilege. Organizations can protect themselves against privilege risks by implementing and maintaining robust incident response procedures and communication protocols, and by ensuring that internal or external legal counsel have appropriate oversight and management over cyber incident management and response.
