In this case, the Full Court determined an application for leave to appeal from orders of a primary judge following the primary judge finding that the Optus parties (Optus) had not established their claim for legal professional privilege (LPP) over a forensic investigation report prepared for Optus by Deloitte (Deloitte Report).
The Deloitte Report concerned a data breach involving the release of approximately 9.5 million customers’ private and confidential information held by Optus, apparently as a result of a cyber attack in September 2022. The Deloitte Report was commissioned at a time when Optus faced potential legal threats and challenges, including prospective class actions, regulatory investigations, customer claims and the need for advice concerning remedial steps required by legislation and regulations applying to Optus (at [2]).
The primary judge accepted that Optus’s general counsel and company secretary (General Counsel) formed the view that the cyber attack would likely lead to one or more regulatory investigations, and subsequent litigation, and that the litigation and legal risks arising from the cyber attack were at the forefront of his mind when he first became aware of the cyber-attack. The primary judge accepted that one of Optus’s purposes in procuring the investigation and report by Deloitte was the purpose of obtaining the report to assist the General Counsel, his legal team, Ashurst, and counsel retained by Ashurst to provide legal advice to Optus in relation to the litigation and regulatory risks Optus faced as a result of the cyber attack (legal purpose). However, the primary judge concluded that Optus had multiple purposes in procuring the review and report by Deloitte, and rejected Optus’s claim for LPP on the basis that Optus had failed to discharge its onus to show that the legal purpose for procuring the Deloitte Report was dominant (at [3]).
Optus submitted to the Full Court that the primary judge erred in failing to find that the Deloitte Report had been created for the dominant purpose of enabling Optus to obtain legal advice or the provision of legal services to Optus for the purpose of actual or anticipated legal proceedings (at [4]).
Before the primary judge, Optus sought to discharge its onus to show a privileged purpose was dominant by relying on the affidavit evidence of Optus’ General Counsel and the inferences which it submitted arose from that evidence. That affidavit evidence was unchallenged as the General Counsel was not cross-examined.
The relevant principles applicable to Optus’ claim for LPP were not in dispute (at [23]-[32]). As the dispute related to pre-trial disclosure, it was to be determined by reference to common law principles. At common law, LPP applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings.
The Full Court held that the primary judge’s judgment was not attended with sufficient doubt to warrant a grant of leave to appeal. Murphy, Anderson and Neskovcin JJ stated, “the primary judge was correct to find on the evidence that there were multiple purposes for which the Deloitte Report was commissioned and that the evidence did not establish that the Deloitte Report was procured for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings” (at [46]).
Relevantly, the primary judge found that Optus had multiple purposes, being (i) a legal advice or litigation or regulatory proceeding purpose; (ii) a purpose more generally to identify the circumstances and root causes of the cyber attack for management purposes; and (iii) a purpose of reviewing Optus management’s policies and processes in relation to cyber risk (at [48]). Optus did not dispute that the non-privileged purposes in (ii) and (iii) existed, but argued the legal purpose in (i) was the dominant purpose. However, the affidavit from Optus’ General Counsel did not address or acknowledge the existence of the non-legal purposes shown by the evidence, nor explain or attempt to contextualise the non-legal purposes as opposed to the legal purpose and thereby establish that the legal purpose was Optus’ dominant purpose (at [50]).
The Full Court rejected Optus’ submission that the primary judge was bound to give overwhelming significance to the frame of mind of Optus’s General Counsel for the purpose of establishing that the legal purpose was the dominant purpose, nor bound to accept his unchallenged evidence. The General Counsel’s evidence was only part of the necessary analysis (at [55]). The primary judge’s analysis took into account other contemporaneous documentary evidence and inferences that arose from the evidence as a whole (at [60]) including: (a) Optus’ public statements in relation to Deloitte’s investigation, including specific words attributed to the CEO in a media release; (b) the terms of the draft and final resolutions confirming the engagement of Deloitte and the history of the amendments to a resolution drafted by the General Counsel; (c) communications between the General Counsel and the Board at the relevant time; and (d) the fact that Deloitte had already commenced work before the Deloitte engagement letter of 21 October 2022 was issued in circumstances where it was not clear that that work was being done under the auspices of Ashurst. The Full Court stated that the primary judge correctly took into account that no evidence was given directly by the CEO or the Board members concerning the purpose of the investigation and said that Optus’s failure to adduce evidence from its CEO fortified the conclusion that Optus had not established that the legal purpose for the investigation was the dominant purpose (at [61]).
The Full Court stated that the primary judge was not obliged to treat evidence of Optus’s General Counsel as determinative regarding the purpose of the Deloitte Report simply because he was not cross-examined. Murphy, Anderson and Neskovcin JJ explained (at [66]): “Optus’s repeated submission that his evidence was ‘unchallenged’ and must be accepted is misconceived. It may, depending on the particular circumstances of a case, be ‘wrong, unreasonable or perverse’ to reject unchallenged evidence, and such an error may be a basis for overturning a decision, but there is no rule of law that a court must accept unchallenged evidence: Ashby at [78] citing Ellis v Wallsend District Hospital (1989) 17 NSWLR 553 at 587-588 (Samuels JA). The fact that generalised evidence is not challenged in cross-examination does not mean that such evidence must be accepted, particularly when it is inadequate and the totality of the evidence points to its rejection, as it did in this case”.
A separate proposed appeal ground concerning the time for assessment of dominant purpose also failed (at [84]-[96]).
Share this article