Federal Court of Australia

Robertson v Singtel Optus Pty Ltd [2023] FCA 1392

File number:

VID 256 of 2023

Judgment of:

BEACH J

Date of judgment:

10 November 2023

Catchwords:

LEGAL PROFESSIONAL PRIVILEGE – privilege – third party report – investigation into cyber-attack – whether multiple purposes – deficiencies in evidence – common law principles – whether document created for dominant purpose of legal advice – waiver of privilege – privilege claim not made out

Cases cited:

Asahi Holdings (Australia) Pty Ltd v Pacific Equity Partners Pty Limited (No 4) [2014] FCA 796

AWB Ltd v Cole (No 5) (2006) 155 FCR 30

Commissioner of Australian Federal Police v Propend Finance Pty Limited (1997) 188 CLR 501

Kirby v Centro Properties Ltd (No 2) (2012) 87 ACSR 229

Mann v Carnell (1999) 201 CLR 1

Osland v Secretary, Department of Justice (2008) 234 CLR 275

Pratt Holdings Pty Ltd v Commissioner of Taxation (2004) 136 FCR 357

Singapore Airlines Ltd v Sydney Airports Corporation [2004] NSWSC 380

TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143

Division:

General Division

Registry:

Victoria

National Practice Area:

Commercial and Corporations

Sub-area:

Regulator and Consumer Protection

Number of paragraphs:

202

Date of hearing:

14 September 2023

Counsel for the Applicants:

Mr W Edwards KC and Ms K Dovey

Solicitor for the Applicants:

Slater and Gordon

Counsel for the Respondents:

Mr J Sheahan KC, Ms K Richardson SC and Ms E Bathurst

Solicitor for the Respondents:

Ashurst

ORDERS

VID 256 of 2023

BETWEEN:

PETER JULIAN ROBERTSON

First Applicant

ELIZABETH GEORGINA FORTUNE

Second Applicant

AND:

SINGTEL OPTUS PTY LTD (ACN 052 833 208)

First Respondent

OPTUS MOBILE PTY LTD (ACN 054 365 696)

Second Respondent

OPTUS INTERNET PTY LTD (ACN 083 164 532) (and others named in the Schedule)

Third Respondent

ORDER MADE BY:

BEACH J

DATE OF ORDER:

10 NOVEMBER 2023

THE COURT ORDERS THAT:

1.    Within 7 days of the date hereof the parties file and serve proposed minutes of orders to give effect to these reasons.

2.    Liberty to apply.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

BEACH J

1    The applicants seek orders for the discovery and inspection of the report prepared for one or more of the Optus respondents by Deloitte Touche Tohmatsu concerning a data breach which occurred in mid-September 2022, the documents prepared for the purpose of providing instructions to Deloitte and all documents provided to Deloitte for the purposes of preparing such a report.

2    The Optus respondents have asserted legal professional privilege in such material, which privilege the applicants have challenged. The applicants say that the relevant dominant purpose test has not been satisfied, alternatively they say that there has been a waiver of privilege.

3    In summary, the Optus respondents have not satisfied me that they satisfy the dominant purpose test. Clearly they had multiple purposes in procuring the review and report by Deloitte, one of which was a privileged purpose. But I am not satisfied that the latter satisfies the requisite dominant purpose test. But if they had satisfied the dominant purpose test, I accept that there has been no waiver of privilege. The applicants’ position on that latter aspect is meritless.

4    Let me begin with some of the facts as disclosed by the evidence before me. I should say that the Optus respondents relied solely on an affidavit from their general counsel and company secretary to support their privilege claim. He was not cross-examined. I should also say that it was not necessary for me to inspect any of the documents the subject of the privilege claim.

The relevant facts

5    Between 17 and 20 September 2022, Singtel Optus Pty Ltd (SOPL) and its subsidiaries were apparently the subject of a cyber-attack although of course I am not deciding any question of causation at this stage. From time to time I will refer to these entities collectively as Optus or the Optus respondents depending upon the context.

6    Mr Nicholes Kusalic, general counsel and company secretary of SOPL, became aware of the cyber-attack on 21 September 2022. At that time he formed the view that the number of Optus customers whose personal information was potentially affected by the cyber-attack could have been up to 9.5 million.

7    On and from 21 September 2022, Mr Kusalic formed the view that the cyber-attack would likely lead to one or more regulatory investigations and subsequent litigation.

8    He formed the view that at least the Office of the Australian Information Commissioner (OAIC) would commence an investigation, and that the Australian Communications and Media Authority would possibly also commence an investigation. He considered at the time that these investigations were likely to result in subsequent legal action against Optus, including the seeking of civil penalties.

9    He also considered at the time that the cyber-attack was highly likely to lead to class actions. Indeed, within a week of his becoming aware of the cyber-attack, Mr Kusalic considered a range of potential regulatory and legal actions which might arise out of the cyber-attack, which in addition to regulatory investigations, civil penalty prosecutions and class actions included complaints to the Telecommunications Industry Ombudsman, potential investigations by the ACCC, ASIC and even the threat of a parliamentary inquiry or royal commission.

10    I should say at this point that I accept on the evidence that litigation and legal risks arising out of the cyber-attack were at the forefront of Mr Kusalic’s mind when he first became aware of the cyber-attack. But the question for me is one of analysing various and multiple purposes of the Optus respondents in order to identify the dominant purpose.

11    On 22 September 2022, Optus engaged an external law firm, Ashurst Australia, to provide legal advice and assistance to Optus in relation to the cyber-attack. Ashurst was one of Optus’ panel law firms. They were then engaged to provide legal support and advice on the matter, including any regulatory investigation or class action that arose out of the cyber-attack. Mr Kusalic contacted Mr Nick Mavrakis, a partner of Ashurst, and engaged Ashurst to provide legal advice and assistance to Optus in relation to the cyber-attack.

12    On 23 September 2022, Mr Mavrakis sent an email to Ms Suzie Pasialis, the deputy general counsel, corporate services for SOPL, confirming Ashurst’s engagement that it would provide all necessary legal advice to Optus in its response to the cyber-attack. The email confirming Ashurst’s engagement relevantly provided that Ashurst would provide work within the following scope:

Scope of Work

We will provide all necessary legal advice to Optus in its response to the cyber incident, and as per your instructions from time to time. This will include the following:

1.    Advising on any interactions with law enforcement, regulators and other interested stakeholders in relation to the cyber incident, including any subsequent investigations that arise;

2.    Advising on the conduct of Optus’ internal investigation into the cyber incident, and its response to that incident, so as to fulfill its legal obligations and protect its legal rights;

3.    Advising on any customer remediation measures flowing from the cyber incident; and

4.     Assisting you with managing internal and external governance requirements regarding the progress of the investigation into the cyber incident.

13    I should note here that nothing was expressly said about the Deloitte review. Indeed, the first relevant letter of engagement of Deloitte was on 21 October 2022. And as to the reference to “Optus’ internal investigation” in Ashurst’s email, there were a number of possible internal investigations or reviews being contemplated within Optus at that time. I should also note here that the Deloitte review was later described by Optus as an external review or investigation.

14    Now on 22 September 2022, the cyber-attack had also been made public. Immediately from that time, Optus was the subject of various customer complaints, regulatory and government inquiries, and threats of litigation. Optus call centres and the office of the chief executive officer all received numerous customer complaints.

15    Further, the OAIC had placed a notice on its website at the time stating that customers who held specific concerns could contact Optus. Based on that notice and his experience generally, Mr Kusalic expected that there would be customer complaints lodged with the OAIC about the cyber-attack.

16    On 23 September 2022, Optus Mobile Pty Ltd and Optus Internet Pty Ltd submitted a notifiable data breach form to the OAIC, notifying the OAIC of the cyber-attack. Mr Kusalic finalised such notification and submitted it to the OAIC.

17    On 26 September 2022, Optus Mobile and Optus Internet received a letter containing preliminary inquiries from the OAIC under section 40(2) of the Privacy Act 1988 (Cth). The letter stated that the:

… purpose of these inquiries is to allow the Commissioner to decide whether to commence an investigation under s 40(2) into whether the acts and practices of Optus Mobile and Optus Internet are consistent with the Australian Privacy Principles (APPs) in the Privacy Act. An investigation may consider, amongst other things, whether Optus Mobile and Optus Internet have acted in accordance with APP 3 (collection of personal information), APP 11.1 (security of personal information) and APP 11.2 (retention of personal information).

18    As part of those preliminary inquiries, the OAIC made written requests for the provision of information and documents from Optus relating to the circumstances of the cyber-attack.

19    Mr Kusalic expected that following those preliminary inquiries, the OAIC would move to a formal investigation. At this time, Mr Kusalic expected the formal investigation to be a broad investigation of Optus’ data handling practices and the root cause(s) and response(s) to the cyber-attack, and that such an investigation would ultimately form the basis of regulatory action such as civil penalty proceedings.

20    Further, on 26 September 2022, Slater and Gordon issued a media release in which it was stated that it was “investigating a possible class action against Optus on behalf of current and former customers … affected by the unauthorised access to customer data announced by the Company on 22 September 2022”. Mr Kusalic became aware of this media release on the afternoon of 27 September 2022.

21    On 27 September 2022, Ashurst briefed Mr John Sheahan KC. On 29 September 2022, Ashurst briefed Ms Kate Richardson SC and Ms Emma Bathurst. In late October 2022, Ashurst also briefed Mr Cameron Moore SC. External counsel were engaged to assist Ashurst in providing legal advice in relation to the cyber-attack and to appear in any subsequent litigation.

22    On 28 September 2022, the Ombudsman issued a media release which stated that consumers with complaints about the cyber-attack should contact Optus in the first instance, and if they were unable to do so or unhappy with Optus’ response, to contact the Ombudsman. Within days of this, Mr Kusalic became aware of a growing number of Optus customer complaints that were being made to the Ombudsman.

23    On 28 September 2022, Maurice Blackburn issued a media release in which it stated that it was “investigating a fresh legal claim against Optus” in relation to the cyber-attack. At the time this suggested to Mr Kusalic that more than one law firm saw an opportunity to bring a class action or to lodge a representative complaint with the OAIC. In his view the fact that two plaintiff law firms had issued media releases increased the prospect of either a class action or representative complaint.

24    Now more generally according to Mr Kusalic’s evidence, between 22 September and 3 October 2022, discussions took place within Optus management in relation to the engagement of Deloitte, including between Mr Kusalic, Ms Kelly Bayer Rosmarin, chief executive officer, Ms Poppy Fassos, vice president, risk management, Mr Mark Potter, chief information officer, Mr Tom Wilson, director, group internal audit (finance, operations and fraud risk), and Mr Oli Ralph, the head of Singtel IT Audit and the data, analytics and robotics team.

25    In terms of Mr Kusalic’s state of mind he gave the following evidence:

Soon after the Cyber-attack, I had formed the view that Optus needed to undertake a confidential, forensic investigation into the root cause of the Cyber-attack that would be needed to assess our legal risk. This was a major cyber-attack with considerable customer and regulator interest. Based on my experience, I considered that Optus needed an investigation into the facts surrounding the incident and to obtain a report to understand what had happened and the relevant underlying circumstances, so that Optus could obtain legal advice from me, the Optus Legal team, Ashurst and the counsel it had briefed on these matters.

In addition, within about a week of the Cyber-attack, I formed the view that an investigation was best handled by a party external to Optus, which had specialist expertise in investigating and reporting cyber matters. This was particularly because the subject matter of the investigation required a specialist understanding of IT infrastructure and the way cyber defences operated in the context of an evolving threat landscape, and that it would need to be conducted in such a way to provide detailed context to support legal and litigation risk.

In addition to the above, I considered the use of an external party was highly desirable as I was not sure of the capacity within Optus to carry out such a detailed and complex investigation, and I was concerned about Optus personnel in the cyber teams marking their own work and that an external third party would not have preconceived biases about the incident. I also considered that the use of an external party would provide comfort to the SOPL Board that the matter had been fully investigated independently of Optus.

My concern from the outset was to ensure that the external party was engaged by Ashurst. I was also concerned to ensure that the external investigation could be scoped appropriately by the Optus Legal team working in conjunction with Ashurst, to identify the terms of reference for Deloitte so that its investigation and report would assist my team and Ashurst (and the counsel team) in advising Optus on the legal risks and regulatory implications arising from the Cyber-attack. To me it was clear that Optus would need legal advice on a range of matters, including compliance with relevant legislation, enforcement proceedings, class actions and liabilities of third parties.

An external forensic investigation into the Cyber-attack would assist me, my team, Ashurst and the counsel retained by it in providing advice on a number of legal and litigation risks arising out of the Cyber-attack.

In addition, I considered it was important and necessary to understand the rationale that underpinned any external's views or conclusions arising out of the investigation, because this analysis would need to be tested to inform the overall assessment of the various legal risks confronting Optus arising out of the Cyber-attack.

26    Mr Kusalic said that he had discussions with Ms Bayer Rosmarin, Mr Potter, Mr Wilson, Ms Fassos and Mr Ralph about how Optus could best utilise Deloitte’s expertise and they ultimately landed on Deloitte carrying out a forensic investigation into the root cause of the cyber-attack and Optus’ response to it to assist Mr Kusalic and Ashurst to give legal advice and manage legal risk. Ms Fassos had previously worked with Deloitte and she told Mr Kusalic that she considered Deloitte had the technical and forensic expertise to carry out such an investigation.

27    His actual evidence was:

… Optus was considering a range of investigations and in the context of that consideration Deloitte had been proposed to assist Optus in carrying out an investigation into the Cyber-attack and Optus’ response. I had various discussions with members of the senior management team at Optus (the Optus CEO, Kelly Bayer Rosmarin; the Vice President, Risk Management, Ms Poppy Fassos; and the Chief Information Officer, Mr Mark Potter), Director, Group Internal Audit (Finance & Operations & Fraud Risk), Mr Tom Wilson and Head of Singtel IT Audit and DART (Data, Analytics and Robotics Team), Mr Oli Ralph as to how we could best utilise Deloitte’s expertise to assist me and Ashurst to give legal advice and manage the legal risk. We ultimately landed on Deloitte carrying out a forensic investigation into the root cause of the Cyber-attack and Optus’ response to it.

Ms Fassos, who had previously worked with Deloitte, told me she considered that Deloitte had the technical cyber and forensic expertise and capability to carry out the investigation into the Cyber-attack. It was proposed that Ian Blatchford (Partner, Risk Advisory and Asia Pacific Cyber Leader), Mark Pedley (Partner, Risk Advisory) and Stuart Johnston (Partner, Asia Pacific Telecommunications Sector Leader), Partners of Deloitte be engaged.

Based on these discussions, we recommended to the SOPL Board that Deloitte be engaged to carry out a forensic investigation into the Cyber-attack and Optus’ response to it, which would assist me, my team and Ashurst (and counsel briefed by Ashurst) in advising Optus in relation to the multiple legal risks and matters arising from the Cyber-attack as I have explained above.

28    I will discuss later the generality of this evidence and what can be gleaned from it. I was not provided with any contemporaneous documents including notes or minutes recording these communications. Moreover, it was unclear who precisely had proposed Deloitte and when. Moreover, phrases such as “we recommended” were pregnant with imprecision. In my view, the quality of the evidence given by Mr Kusalic as to these conversations was superficial.

29    Let me now turn to Optus’ media release of 3 October 2022 which in my view is a real problem for its case and casts doubt on the picture that Mr Kusalic has sought to portray. It was in the following terms:

30    So, Optus announced that it was appointing Deloitte “to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes”. Optus announced that the Deloitte review “was recommended by Optus Chief Executive Officer, Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board, which has been closely monitoring the situation with management since the incident came to light”. The announcement did not state that the review was recommended by any lawyer or that it was being done for legal purposes. The announcement stated that in conducting the review Deloitte would “undertake a forensic assessment of the cyberattack and the circumstances surrounding it”. I should say that it is not immediately clear whether the reference to “the Singtel Board” is a reference to SOPL or its ultimate holding company, Singtel Telecommunications Ltd. The draft resolution circulated on 9 October 2022 by Mr Kusalic at recital (b) gives me reason to think possibly the latter, but I will put this to one side for the moment.

31    Optus attributed various purportedly re-assuring statements to Ms Bayer Rosmarin, such as “the forensic review would play a crucial role in the response to the incident for Optus, as it works to support customers”, “[w]hile our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong”, “[t]his review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists”, and “I am committed to rebuilding trust with our customers and this important process will assist those efforts”. It is not suggested that Ms Bayer Rosmarin did not hold those views or did not intend to make those statements for public consumption.

32    I would note here that none of this bespeaks or manifests a dominant purpose in the nature of a privileged purpose.

33    The announcement also stated that “Deloitte’s global specialists will work with the Singtel and Optus teams and other international cyber experts”. Again, this hardly reflects a dominant legal purpose. And this all goes much broader than any confined legal context whether concerning the legal advice limb or the litigation limb of legal professional privilege.

34    Now it is also apparent that by early to mid October 2022, Deloitte was undertaking work in relation to its investigation into the data breach; this is apparent from Mr Kusalic’s 9 October 2022 email and the draft circular resolution that I will come to in a moment. And there were no terms of engagement at that time by any external lawyer. That arose later on 21 October 2022.

35    From 3 October 2022 to 9 October 2022, work was ongoing to settle Deloitte’s terms of reference and the terms of Deloitte’s engagement. Mr Kusalic’s evidence is that the terms of reference were settled by him with input from Mr Ralph and Ms Fassos.

36    Mr Kusalic said that:

Given the scope and seriousness of this issue, the SOPL Board wanted to ensure a direct oversight of the work. Although the decision had been made to appoint Deloitte, and I was settling the Terms of Reference, for good governance the SOPL Board was asked to approve the carrying out of the investigation.

37    On 7 October 2022, Maurice Blackburn issued a further media release announcing that it had lodged a representative complaint against Optus in relation to the cyber-attack with the OAIC.

38    On 9 October 2022, Mr Kusalic emailed the members of the SOPL Board, being Mr Paul O’Sullivan, Ms Bayer Rosmarin, Ms Lim Cheng Cheng and Mr Yuen Moon, and proposed circular resolutions approving the appointment of Deloitte to carry out a forensic review of the cyber-attack. I note that he did so in both of his capacities as general counsel and as company secretary.

39    The email stated:

Request

Please find attached for your consideration and approval circular resolutions approving the appointment of Deloitte to carry out a forensic review of the recent cyberattack on Optus. I will circulate this for execution by DocuSign.

Context

    Further to the various briefings that have been provided in relation to the recent cyberattack, Optus and Singtel have announced that Deloitte was being appointed to conduct an independent forensic review of this incident and Optus’ cyber security systems, controls and processes relating to it.

    Whilst Deloitte has commenced urgent aspects of its reviews at the request of management, in support of this the Board is being asked to confirm the appointment of Deloitte to carry out the overall review into the incident.

    The proposed engagement letter, and the summary of the terms of reference, have been reviewed by our external legal advisers.

    Given the significance of this issue, I recognise the Board will wish to have ongoing visibility of these reviews. Once completed the reviews will be tabled for your consideration, along with any recommended steps management determine arising from them.

    In addition, Singtel proposes undertaking a broader review of security systems, controls and processes across the Singtel Group.

Please let me know if you would like any further information.

(my emphasis)

40    The draft resolution stated:

SINGTEL OPTUS PTY LTD

ACN 052 833 208

CIRCULATING RESOLUTION OF THE DIRECTORS

UNDER RULE 2 OF CONSTITUTION AND SECTION 248A OF THE CORPORATIONS ACT 2001 (CTH)

We, being all the directors of Singtel Optus Pty Limited (‘Optus’) entitled to receive notice of a board meeting and to vote on the resolution, are in favour of the resolution set out below. The resolution is passed by the directors without a board meeting on the date and at the time when the last director signs.

APPOINTMENT OF DELOITTE TO INVESTIGATE CYBERATTACK

The directors of Optus NOTE the following:

(a)    on or around 22 September 2022 the directors were informed that Optus had been the subject of a cyberattack which involved unauthorised access to, and the exfiltration of, current and former Optus customers’ information (‘Cyberattack’);

(b)    in media releases on 3 October 2022 by Optus and Optus’ ultimate holding company, Singapore Telecommunications Limited (‘Singtel’), Optus and Singtel announced, with the support of Optus’ directors, the appointment of Deloitte to conduct independent external forensic reviews of the Cyberattack and Optus’ cyber security systems, controls and processes;

(c)    Deloitte has commenced aspects of its reviews;

(d)    Singtel also proposes undertaking a broader review of security systems, controls and processes across the Singtel group; and

(e)    on Friday 7 October 2022 a media release by Maurice Blackburn Lawyers announced it had lodged a formal complaint with the Office of the Australian Information Commissioner (at the time of this resolution, no formal notification of this complaint has been received by Optus).

The directors of Optus RESOLVE:

(a)    that Deloitte be appointed to undertake the reviews referred to in the Optus and Singtel media releases dated 3 October 2022 including:

1.    to identify the circumstances and root causes leading to the Cyberattack;

2.    to review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the Cyberattack; and

3.    a review of incident response, escalation to Optus management, Optus Board, Regulators and relevant bodies to assess if reasonably appropriate, timely and robust actions were taken; and

(b)    to delegate finalising the scope and terms of the Deloitte reviews, provided they are not materially different to those above, to the Optus CEO and the Optus General Counsel and to request they report back to the Board once the reviews are sufficiently progressed.

(my emphasis)

41    On 11 October 2022, following feedback from one of the SOPL directors according to Mr Kusalic, whatever that means, a revised circular resolution was emailed to the SOPL Board by Mr Kusalic.

42    The members of the SOPL Board each signed the circulating resolution on 11 October 2022. The resolution was in the following modified form:

SINGTEL OPTUS PTY LTD

ACN 052 833 208

CIRCULATING RESOLUTION OF THE DIRECTORS

UNDER RULE 2 OF CONSTITUTION AND SECTION 248A OF THE CORPORATIONS ACT 2001 (CTH)

We, being all the directors of Singtel Optus Pty Limited (‘Optus’) entitled to receive notice of a board meeting and to vote on the resolution, are in favour of the resolution set out below. The resolution is passed by the directors without a board meeting on the date and at the time when the last director signs.

APPOINTMENT OF DELOITTE TO INVESTIGATE CYBERATTACK

The directors of Optus NOTE the following:

(a)    on or around 22 September 2022 the directors were informed that Optus had been the subject of a cyberattack which involved unauthorised access to current and former Optus customers’ information (‘Cyberattack’);

(b)    the directors have requested the appointment of Deloitte to conduct independent external forensic reviews of the circumstances surrounding the Cyberattack having regard to the Optus Board’s delegation framework and with the support of the Singtel Board;

(c)    Deloitte has commenced aspects of its reviews; and

(d)    on Friday 7 October 2022 a media release by Maurice Blackburn Lawyers announced it had lodged a formal complaint with the Office of the Australian Information Commissioner (at the time of this resolution, no formal notification of this complaint has been received by Optus).

The directors of Optus RESOLVE:

(a)    that Deloitte be appointed to undertake independent external forensic reviews of the Cyberattack, including:

1.    to identify the circumstances and root causes leading to the Cyberattack;

2.    to review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the Cyberattack; and

3.    to review the Cyberattack incident response, and the appropriateness of actions taken, having regard to the existing crisis management policies and procedures; and

(b)    that, in relation to the reviews, Optus management be requested to report back to the Board, and in accordance with the Optus delegation framework.

(my emphasis)

43    Mr Kusalic’s evidence is that due to “the scope and seriousness of this issue, the [SOPL] Board wanted to ensure a direct oversight of the work”. I note that there is scant reference in the executed resolution to any legal purpose let alone that the review was for a dominant legal purpose; recital (d) hardly carries the day. I also note that recital (c) says that “Deloitte has commenced aspects of its reviews”. This reference to reviews in the plural is curious. The draft resolution of 9 October 2022 appears to refer to two media releases of 3 October 2022 of SOPL and the ultimate holding company and more than one review. There was nothing in Mr Kusalic’s affidavit which threw any light on this. Moreover, in the final resolution (b), the reference to the general counsel has been removed as compared with the draft.

44    I will discuss the differences between the 9 October 2022 draft resolution and the 11 October 2022 signed resolution later.

45    On 11 October 2022, the OAIC issued a media release announcing that it had commenced an investigation into “the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd... in regard to the Cyber-attack”. On the same day, Optus received a letter from the OAIC notifying Optus of this investigation.

46    Further, on that day the Australian Communications and Media Authority issued a media release announcing that it had commenced a formal investigation in response to the cyber-attack. On the same day, Optus received a letter from that authority notifying Optus of this investigation.

47    On 17 October 2022, following the SOPL Board’s approval of the engagement of Deloitte, Mr Kusalic instructed Ashurst to engage Deloitte to undertake a review of the cyber-attack in line with that which was approved by the SOPL Board on 11 October 2022. That project was known within Optus, Ashurst and Deloitte as Project Amsterdam.

48    On 21 October 2022, Deloitte was formally engaged by Ashurst to undertake Project Amsterdam. Deloitte’s letter of engagement relevantly provided:

Ashurst is advising Optus generally in relation to its response to the recent cyberattack compromising customer information (Cybersecurity Incident), so as to fulfil its obligations and protect its rights in responding to the Cybersecurity incident.

Pursuant to its engagement advising Optus, Ashurst wish to engage Deloitte Risk Advisory Services Pty Ltd (Deloitte) to perform an external review of the Cybersecurity incident and Optus’ security systems, controls, and processes (the Purpose).

The terms of reference for our review are to undertake an external review of the Cybersecurity incident in order to:

    Identify the circumstances and root causes leading to the Cyberattack

    Review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the Cyberattack

    Review the Cyberattack incident response, and the appropriateness of actions taken, having regard to the existing crisis management policies and procedures.

49    The letter of engagement had a number of features.

50    First, it defined the “Purpose” of the Deloitte report as “to perform an external review of the [data breach] and Optus’ security systems, controls, and processes”.

51    Second, it set out terms of reference for the Deloitte report, which reflected the scope set out in the SOPL Board resolution.

52    Third, it noted under the heading “Legal Professional Privilege”:

We understand that the nature of the Services we provide to you may be subject to legal proceedings now or in the future. If you want the work we do for you to be protected by legal professional privilege, you need to tell us in writing what particular rules and procedures we need to follow in handling information in order for legal professional privilege to apply.

Should we identify any material deficiency in the Optus control environment which in our professional judgement presents an imminent risk to Optus we reserve the right to notify Optus management directly.

53    Fourth, it contained an express statement that the engagement, at that time, was not intended to be an appointment of any expert witness. Further, it stated that the work undertaken may not comply with the requirements for an expert witness or be appropriate for the purposes of an expert witness appointment. Further, it stated that Deloitte was not responsible for any legal issues associated with the matter, or for providing evidence or producing any documents in respect of the services, unless such work was the subject of a separate engagement.

54    Fifth, it stated that the Deloitte report could be shared in its entirety not only with the SOPL Board but with the “SingTel Board”, which section 9 identified as Singapore Telecommunications Limited.

55    On 21 October 2022 Optus sent a letter to Deloitte confirming that it had instructed Ashurst to engage Deloitte on its behalf.

56    On 25 October 2022, Optus published what I would describe as a marketing document on their website titled “A letter to our customers”. This sought to convey various positive messages. The concluding section of this open letter contained the statement:

… we have commissioned an independent external review - led by Deloitte - into the cyberattack and how criminals got through our defences this time, when we thwart over a million attacks a year and invest significantly in our cyber capabilities. We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience.

57    This is hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose.

58    On 25 October 2022, Ashurst emailed to Deloitte a general guidance note on privilege, a privilege protocol and form of non-disclosure agreement which each member of the Deloitte team working on the investigation was required to sign. The first paragraph of the privilege protocol provided:

The purpose of the Engagement is to enable Ashurst to provide legal advice to Optus so as to fulfil its obligations and protect its rights in responding to the Cybersecurity Incident.

59    The general guidance note stated “[i]n the course of your work on the [data breach], you may send or receive documents and be involved in communications that are subject to legal advice privilege”.

60    The privilege protocol stated that the purpose of Deloitte’s engagement was to enable Ashurst to provide legal advice to Optus, but further acknowledged that not all communications would be subject to legal professional privilege. It stated that “… this Protocol provides practical guidance that will assist you in preserving any right to legal privilege that Optus may have in relation to communications made and documents created during the course of the investigation”. It stated that “[d]ocuments which are not relevant to obtaining legal input should not be sent to Ashurst”. It stated “[a]void including requests for legal input in communications that are primarily for other purposes”. It stated “[d]o not mark emails (or other communications) “CONFIDENTIAL & PRIVILEGED” where these are not for the dominant purpose of obtaining legal input (including instructions) in relation to the work included as part of the Engagement”. And it stated “[d]ocuments created and communications made during Deloitte’s Engagement for the purpose of obtaining legal input should be stored in a separate location for easy access”.

61    During its investigation, Deloitte conducted interviews, which were generally set up by Optus, as requested by Deloitte, with various individuals they requested access to, either by identifying the individual or by asking to speak with a subject matter expert. A representative from Ashurst and/or the Optus internal legal team would also attend.

62    Throughout the course of conducting those interviews, Deloitte identified the information and documents they required to undertake their investigations for the purpose of preparing their report, and submitted requests for the information and documents to the Optus project management officer responsible for Project Amsterdam, which were copied to Ashurst and the Optus internal legal team, to co-ordinate the provision of the information and documents by Optus.

63    On 10 November 2022, it would seem, and for present purposes I am prepared to assume, that Ms Bayer Rosmarin publicly stated that the Deloitte report was “well underway” and that it would “take some time given the complexity of our systems and environments, but … it is very clear that this was a criminal act perpetrated by a motivated and planned attacker.”

64    On 8 March 2023, it would seem, and for present purposes I am prepared to assume, that Ms Bayer Rosmarin publicly stated that Optus hoped that the Deloitte report would show Optus “ways we can improve”.

65    Deloitte provided its final report to Mr Kusalic and Ashurst on 13 July 2023.

Mr Kusalic’s position and state of mind

66    Now as Optus has relied principally upon Mr Kusalic’s state of mind to support its dominant purpose contention, I should say something more about his position and his concerns.

67    Mr Kusalic’s responsibilities as general counsel included managing all legal and regulatory enforcement matters across Optus, attending executive risk committee meetings, reporting directly to the CEO, the Chairman of the SOPL Board or senior executives and key governance and board committees on specific matters as required, the handling of sensitive regulatory and internal investigations which presented potential material legal risk to Optus, overseeing a team of personnel that responded to such investigations, the engagement and management of external legal advisers, and the management of the relationship with Optus’ panel law firms.

68    His responsibilities as company secretary included convening, managing and minuting meetings of the SOPL Board, calling for SOPL Board papers and responding to requests from directors, and dealing with a range of secretarial and administrative matters on behalf of Optus.

69    In his role as general counsel and company secretary, he managed a team of approximately 44 lawyers divided into sub-teams.

70    As I have already indicated, Mr Kusalic’s anticipation of regulatory investigations and litigation, as well as the events referred to above, led him to form the view that a confidential forensic investigation into the root cause of the cyber-attack would be needed to assess Optus’ legal risk and compliance with Optus’ legal obligations.

71    He explained that an external investigation and report into the cyber-attack was needed so that he, his team, Ashurst and the counsel retained by it could provide legal advice on matters including Optus’ compliance with legal obligations including those under the Privacy Act, the Telecommunications Act 1997 (Cth), the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)), the Security of Critical Infrastructure Act 2018 (Cth), at general law, as well as in relation to ongoing enquiries of the Australian Federal Police about the cyber-attack.

72    He considered that the investigation was best handled by a party external to Optus which had specialist expertise in investigating and reporting cyber matters. This was particularly because the subject matter of the investigation required a specialist understanding of IT infrastructure and the way cyber defences operated in the context of an evolving threat landscape, and that it would need to be conducted in such a way to provide detailed context to support legal and litigation risk.

73    Mr Kusalic also considered that it was highly desirable that an external third party carry out the investigation as he was not sure of the capacity within Optus to carry out such a detailed and complex investigation.

74    Mr Kusalic was concerned from the outset that the external party was engaged by Ashurst, and that the external investigation could be scoped appropriately by the internal Optus legal team, working in conjunction with Ashurst, to identify the terms of reference for Deloitte so that its investigation and report would assist the internal Optus legal team, Ashurst and counsel in advising Optus on the legal risks and regulatory implications arising from the cyber-attack.

75    Mr Kusalic gave evidence that he considered that an external forensic investigation into the cyber-attack would assist him, his team, Ashurst and the counsel retained by it in providing advice. Such advice concerned Optus’ compliance with the Australian Privacy Principles (Schedule 1 to the Privacy Act), particularly concerning what data Optus kept, how that information was used and stored and the steps Optus took to ensure that the data remained secure. He also considered that the question of whether Optus had complied with these APPs would be complicated given the nature of Optus’ business and its highly technical multi-layered cyber defences. This is particularly so as Optus is a large telecommunications company with a complex range of systems, processes, policies and controls which operates in an environment that is always changing and needs to comply with a range of legislation overseen by multiple regulators.

76    Mr Kusalic was also aware that Optus had various obligations under the Telecommunications Act and, as a critical infrastructure provider, would have additional obligations to meet, in particular concerning the treatment of certain types of customer data.

77    Now I should say here that Mr Kusalic’s evidence was all very well, but there were various problematic aspects.

78    First, none of it sat well with the 3 October 2022 media release.

79    Second, there was no direct evidence from Ms Bayer Rosmarin as to her state of mind and purpose for the Deloitte review. Yet the statements attributed to her manifested a dominant purpose which was other than a legal advice or litigation purpose.

80    Third, there was no direct evidence from any other board member of SOPL as to their purpose.

81    Fourth, the draft board resolution of 9 October 2022 and the signed board resolution of 11 October 2022 are not fully consistent with Optus’ case thesis that it endeavoured to sell to me.

82    Fifth, it was unclear to me from time to time as to whether in relation to some of Mr Kusalic’s conduct he was acting in a general counsel capacity, a company secretary capacity or some hybrid capacity.

83    Sixth, on critical aspects of his evidence he was decidedly and no doubt self-advisedly vague.

84    I will return to some of these points later, but at this point I should identify some legal principles.

Relevant principles

85    As this dispute relates to pre-trial disclosure and not the adducing of evidence, it is to be determined by reference to common law principles.

86    Optus bears the onus of establishing that legal professional privilege applies to the documents. But the applicants bear the onus of establishing any waiver in respect of that privilege.

87    Under the common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings.

88    In determining whether a communication was made for the dominant purpose of obtaining legal advice, it is convenient to apply the principles discussed by Young J in AWB Ltd v Cole (No 5) (2006) 155 FCR 30 at [44] and which I restated and elaborated on in Asahi Holdings (Australia) Pty Ltd v Pacific Equity Partners Pty Ltd (No 4) [2014] FCA 796 at [28] to [44] in the following terms:

First, the claims for privilege are to be assessed under common law principles rather than under s 118 of the Evidence Act 1995 (Cth); the present case is not a context where there is an evidentiary dispute as to whether privileged communications should be adduced in evidence, whether at an interlocutory or final hearing. The relevant issue is whether the communications were created or made for the dominant purpose of the applicants or Asahi obtaining or being provided with legal advice or recorded such advice.

Second, the applicants bear the onus of establishing the claims, including each factual element necessary to establish the requisite dominant purpose. In that respect, focused and specific evidence is required in respect of each communication, rather than mere generalised assertion let alone opaque and repetitious verbal formulae. There should be sufficient evidence which proves directly or by inference that the dominant purpose for the communication was for the relevant client to be given or to obtain legal advice. The communication also has to be confidential. The fact of each communication being relevantly confidential is not in dispute in this case; the documents in dispute only circulated between or within Asahi, the lawyers and the third party advisers for the purposes of advising upon the Transaction, and where the latter were subject to specific contractual confidentiality constraints.

Third, the relevant time for ascertaining purpose is when the communication was made. If the communication was a written communication, the relevant time is when the document came into existence. If the communication was constituted by the forwarding of a copy document, the purpose for the creation of the copy document at the time that the copy was created is what is relevant.

Fourth, the relevant purpose may be either that of the author or initiator of the communication, or the person at whose request or under whose authority the communication was created or made. The circumstances will dictate the focus.

Fifth, the purpose is to be objectively ascertained. Evidence of the subjective intention of the author or person requesting the creation of the communication (document) is significant but not conclusive. Purpose can also be determined from the content of the document understood in its full context. Indeed, the latter analysis can carry greater weight, particularly over generalised hearsay or even compounded hearsay evidence from a person other than the author or person requesting the creation of the communication (document).

Sixth, it is not sufficient to show a substantial purpose or that the privileged purpose is only one of two or more purposes of equal weighting. The requisite purpose must predominate. It must be the paramount or most influential purpose. One practical test is to ask whether the communication would have been made (whether the document would have been brought into existence) irrespective of the obtaining of legal advice. If so, the communication (document) may not satisfy the dominant purpose test. Such a test will entail addressing the question of the intended use(s) of the document which accounted for it being brought into existence.

Seventh, it may be that the entirety of a document may be privileged. Alternatively, it may be that only part of a document meets the dominant purpose test. A particular document may contain or consist of many communications, such as an email chain, only some of which were made for the requisite dominant purpose.

Eighth, a document may be privileged to the extent to which it records a privileged communication, even if the document itself would not satisfy the dominant purpose test.

Ninth, I have the power to examine the documents in question and should not be reticent in exercising that power. I have examined the Documents for the purpose of ascertaining the validity of the privilege claims.

So far these are well known principles of general application. But in this case many of the documents in question do not involve direct lawyer-client communications, but are rather third party adviser internal documents or communications between a third party adviser and Asahi. Accordingly, something more needs to be said. I have synthesised the following propositions from Pratt at [41]-[47] per Finn J and [105]-[107] per Stone J.

First, a communication made by a third party adviser to a client’s lawyer if made for the requisite dominant purpose of the client obtaining legal advice from the lawyer will be privileged. Direct evidence of purpose can come from the third party adviser, the lawyer or the client. The purpose may also be readily inferred given the directness of the communication from the third party adviser to the client’s lawyer. Further, it is not necessary to ask whether the third party adviser was acting as the agent of the client, including in making the communication to the client’s lawyer. The absence of such an agency does not deny the existence of the privilege attaching to the communication, although its presence may fortify it. In terms of the third party adviser’s status, the important characterisation is “not the nature of the third party’s legal relationship with the party that engaged it but, rather, the nature of the function it performed for that party” (Pratt at [41]).

Second, a communication made by a third party adviser to a client if made for the requisite dominant purpose of the client then obtaining legal advice will be privileged. Again, direct evidence of purpose can come from the third party adviser or from the client; it can also come from the lawyer, but that usually may not be as probative if the lawyer was not a party to the communication. The purpose is not as readily established as in the previous scenario.

Third, where a third party such as an accountant, broker, merchant banker, financial adviser, due diligence specialist and others of a non-legal genus perform work for a client in a non-litigation setting, care needs to be taken with analysing the precise purpose for each communication. Take a substantial acquisition or merger. A client may engage and seek advice from a number of non-legal advisers as well as consulting lawyers. Legal and non-legal advice might be sought on the structure, bid vehicle, terms and conditions of any offer or agreement, finance of the bid vehicle, due diligence of the assets and liabilities of the target, assessment of the financial metrics of the target pre and post-acquisition such as EBITDA including any underlying projections, and so forth. In short, legal and non-legal advice might be sought on the same topic so that the topic in all its dimensions is fully analysed by and for the client. The various advices given by the non-legal advisers “will rarely be capable of attracting privilege for the reason that they will almost invariably have the character of discrete advices to the principal as such, with each advice, along with the lawyer’s advice, having a distinctive function and purpose in the principal’s decision making…” (Pratt at [46]).

Even where all such advices are interrelated, that is, they provide a collective basis for an informed decision by the client, this does not deny the force of the previous point that non-legal advices will rarely attract privilege.

Fourth, if non-legal advices are provided to a client who then chooses to provide them to its lawyers, that does not clothe the original non-legal advices with privilege. They ordinarily will have been prepared for a non-legal purpose. But copies that might subsequently be created by a client and given to its lawyers may attract privilege (Propend). Generally, privilege does not extend to non-legal advices to the client simply because they are at the same time or later “routed” to a legal adviser.

Fifth, even if a client, in procuring a non-legal advice from a third party adviser has it in mind at the time that it requests that advice that it will also submit the non-legal advice to its lawyer, that may just demonstrate a multiplicity of purposes for the creation of the non-legal advice. But in such a scenario, the privileged purpose is unlikely to be the dominant purpose. Each communication and the reason for its creation needs to be carefully reviewed.

And in elaboration of this last point, a client may have conducted itself so as to demonstrate that the procurement and use of the non-legal advice was not for its communication to its lawyer, but rather to principally advise the client on the very subject matter of that non-legal advice. Further, the less the client performs the role of a conduit of that non-legal advice through to its lawyer and the more it “filters, adapts or exercises independent judgment” in relation to that advice, the less likely the dominant purpose test is likely to have been satisfied (Pratt at [47]). From such behaviour of the client, it can more readily be inferred that the dominant purpose for the creation of the non-legal advice was for a non-privileged purpose.

89    In summary, the purpose for which a document was created is a matter of fact to be determined objectively, having regard to the evidence, the nature of the document and the parties’ submissions. Dominant purpose may be established by evidence and other material and circumstances showing such a description is justified. Proof of dominant purpose can be achieved in a variety of ways, depending on the case at hand. In discharging the onus, focused and specific evidence is needed. But the nature and extent of the evidence needed to prove the existence of privilege is fact and circumstance dependent.

90    The evidence of the intention of the person who made the document, or the person who authorised or procured it, is not conclusive of purpose. In many instances, it is the character of the documents over which privilege is asserted that will illuminate the purpose for which they were created.

91    It is not sufficient to show a substantial purpose or that the privileged purpose is one of two or more purposes of equal weighting; rather it must predominate, and be the paramount or most influential purpose. The ordinary meaning of dominant purpose indicates the need for a ruling, prevailing or most influential purpose.

92    Let me make some other points.

93    First, the more a client “filters, adapts or exercises independent judgment” in relation to a non-lawyer’s advice, the less likely privilege can be maintained, as such behaviour will more readily give rise to an inference that the dominant purpose for the creation of the non-legal advice was a non-privileged purpose (Pratt Holdings Pty Ltd v Commissioner of Taxation (2004) 136 FCR 357 at [47] per Finn J).

94    Second, in the context of advice provided for the purpose of a substantial transaction or investigation, the advice by non-legal advisors “will rarely be capable of attracting privilege for the reason that they will almost invariably have the character of discrete advices to the principal as such, with each advice, along with the lawyer’s advice, having a distinctive function and purpose in the principal’s decision making” (Asahi at [40], citing Pratt Holdings at [46] per Finn J), and this remains true even where the non-legal and legal advice are interrelated, in that they “provide a collective basis for an informed decision by the client” (Asahi at [41]).

95    Third, it is uncontroversial that if a copy of a non-privileged document is communicated for the dominant purpose of obtaining legal advice, that copy of the document will attract the protection of legal professional privilege (Commissioner of Australian Federal Police v Propend Finance Pty Limited (1997) 188 CLR 501 at 571 and 572 per Gummow J).

96    Fourth, given the context before me, it is also relevant to have regard to the authorities concerning privilege over factual investigations. In that regard, privilege may attach to factual investigations carried out by lawyers as well as reports prepared by non-lawyers so that advice may be given by lawyers. The focus remains on the dominant purpose for which the report was obtained.

97    So, in AWB Ltd v Cole (No 5), the Australian Wheat Board engaged the law firm Blake Dawson Waldron to conduct an independent internal investigation into whether the AWB had breached federal or state laws by exporting wheat to Iraq. AWB also engaged two other firms, and BDW, to advise and act in relation to investigations being conducted by external bodies in relation to the same underlying conduct. In response to a notice to produce seeking production of the reports of the law firms’ investigations, AWB claimed the documents were privileged.

98    Young J rejected a contention that the reports were not privileged because they were purely factual investigations. His Honour noted that a key purpose of the factual investigations was to enable the three law firms to determine whether there was any evidence that AWB, or any of its employees, had made payments to Iraq in breach of the sanctions, or engaged in any other wrongdoing. As his Honour put it, the law firms placed themselves in a position to advise AWB as to the risks it confronted and the course of action it should take in relation to the investigations.

99    His Honour said (at [57]):

I do not see any reason why professional communications between AWB and its lawyers concerning the investigations … should be incapable of attracting legal advice privilege. In these contexts, the concept of legal advice includes advice as to what AWB should prudently and sensibly do in connection with the relevant investigation. Advice of this kind is capable of attracting … privilege, notwithstanding that a particular communication is part of a continuum and does not itself contain any specific advice on matters of law or any specific request for such advice.

100    I should also note Kirby v Centro Properties Ltd (No 2) (2012) 87 ACSR 229 at [75], [76], [79] and [81] to [88] and TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143 at [38] and [41]. But these three cases turned on their own facts and the particular evidence adduced and accordingly are of limited significance.

The Deloitte report – application of principles

101    Let me begin with the Optus respondents’ arguments. They say that privilege attaches to the Deloitte report for the following reasons.

102    First, they say that almost immediately from when Mr Kusalic became aware of the cyber-attack, he was conscious of the multiplicity of legal risks and actions that would likely confront Optus. He acted to engage Ashurst and a counsel team almost immediately. His anticipation of legal action, including regulatory investigations and class actions, was realised when the OAIC and the Australian Communications and Media Authority commenced investigations, complaints were made to Optus itself as well as the OAIC (including Maurice Blackburn’s representative complaint) and the Ombudsman, and these proceedings were commenced. It is said that by the end of September 2022, Mr Kusalic and Optus management wanted an external investigation to assist him, his legal team, Ashurst and the counsel team engaged in advising Optus on the various and complex legal matters surrounding the cyber-attack, including but not limited to Optus’ obligations under the Privacy Act and the Telecommunications Act.

103    It is said that an understanding of the circumstances and root causes leading to the cyber-attack was essential to the provision of accurate and useful legal advice to Optus on these matters. Mr Kusalic held this view almost immediately following his becoming aware of the cyber-attack. It is said that essential also to the provision of such legal advice was a detailed understanding of Optus’ management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the cyber-attack. These were matters on which Ashurst, by the broad terms of its engagement, were expressly engaged to advise upon. It is said that they were part of Deloitte’s terms of reference.

104    They say that an understanding of Optus’ management of cyber risk in the context of applicable policies and processes in place was critical to the provision of legal advice on Optus’ obligations under the APPs invoked in these proceedings, invoked by the Maurice Blackburn representative complaint, and also invoked in the OAIC’s investigation which has commenced and is ongoing.

105    Second, they point out that Mr Kusalic discussed the need for an external, forensic investigation into the root cause of the cyber-attack and Optus’ response to it with the other senior Optus personnel referred to above and they ultimately landed on appointing Deloitte to carry out a forensic investigation into the root cause of the cyber-attack and Optus’ response to it. They say that the intention to appoint Deloitte to undertake a “forensic assessment of the cyberattack and the circumstances surrounding it” was announced to the public on 3 October 2022. Thereafter, the terms of reference for Deloitte’s investigation and report were settled by Mr Kusalic and provided to the Board of SOPL on 9 October 2022. Those terms of reference were approved in materially the same form by the SOPL Board on 11 October 2022. Again, the resolution referred to Deloitte undertaking an “independent external forensic review of the Cyberattack”. They say that this is evidence of the SOPL Board’s purpose reflecting Mr Kusalic’s purpose, namely, that an external, forensic review of the cyber-attack was necessary for Optus to obtain legal advice about the various legal risks and actions that arose out of the cyber-attack.

106    Third, they say that the terms of Deloitte’s engagement letter make it clear that the purpose of the investigation and ultimate report was to assist Ashurst in providing legal advice to Optus in connection with the cyber-attack. They say that the defined “Purpose” of Deloitte’s engagement was directly linked in that engagement letter to Ashurst “advising Optus generally in relation to its response to the recent cyberattack… so as to fulfil its obligations and protect its rights in responding to the Cybersecurity incident”. Deloitte was engaged “pursuant to” Ashurst’s “engagement advising Optus”.

107    Fourth, they say that the purpose of the investigation was made clear in the privilege protocol provided by Ashurst to Deloitte within days of Deloitte’s formal engagement. That protocol described the purpose of the engagement as “to enable Ashurst to provide legal advice to Optus so as to fulfil its obligations and protect its rights in responding to the Cybersecurity Incident”.

108    Fifth, they say that the manner in which Deloitte conducted its investigation and produced its report is consistent with the report’s dominant purpose being to enable Ashurst to provide legal advice to Optus in relation to the cyber-attack. Work was conducted pursuant to a formal protocol set in place by Ashurst. Further, all interviews Deloitte conducted were held with a representative of Ashurst and/or the internal Optus legal team in attendance.

109    More generally, they say that the combination of Mr Kusalic’s evidence as to the background to the engagement of Deloitte, the scope of Ashurst’s engagement to provide legal advice generally to Optus in relation to the cyber-attack, the terms of Deloitte’s engagement letter, as well as the processes by which Deloitte conducted its investigation, make it clear that the dominant purpose of the investigation and the report which was communicated to Optus and Ashurst on 13 July 2023, was so the report could assist the internal Optus legal team, Ashurst and the counsel briefed by Ashurst to give legal advice to Optus about the cyber-attack.

110    Moreover, they say that the appropriate starting point is not to ask whether the cyber-attack may be characterised as a legal matter. It is to ask what was the intended use or uses of the document which accounted for it being brought into existence. And attention should be focused on the purpose (or purposes) of the person who created the document, or who, if not its author, had the authority to, and did, procure its creation.

111    Further, they say that the fact that the participants in the discussions as to the engagement of Deloitte included Optus’ CEO, vice president of risk management, CIO as well as the head of Singtel IT Audit and the data, analytics and robotics team did not deprive the Deloitte report of having the dominant purpose of assisting Ashurst in advising Optus in relation to the cyber-attack. It is said that Mr Kusalic’s evidence is that those personnel together recommended that Deloitte be engaged to “carry out a forensic investigation into the Cyber-attack and Optus’ response to it, which would assist me, my team and Ashurst (and counsel briefed by Ashurst) in advising Optus in relation to the multiple legal risks and matters arising from the Cyber-attack”.

112    It is said that the collective purpose of these senior Optus personnel, endorsed by the SOPL Board, was to obtain the report to assist in the provision of legal advice to Optus.

113    Further, as to the role of the SOPL Board, they say that Mr Kusalic’s evidence is that given the scope and seriousness of the cyber-attack, the Board wanted to ensure a direct oversight of the work for good governance purposes. It remained Mr Kusalic who was settling the terms of reference. It was also Mr Kusalic who provided the proposed terms of reference to the Board.

114    Further, they say that whilst the Board resolution does not expressly spell out the purpose for which Deloitte was being engaged, the words of the resolution itself are that Deloitte be appointed “to undertake independent forensic reviews of the Cyberattack”. Further, subparagraph (b) of the notes states that the directors had requested “the appointment of Deloitte to conduct independent external forensic reviews of the circumstances surrounding the Cyberattack”.

115    Further, they say that there is no basis for the assertion that there was an informal retainer of Deloitte prior to their formal retainer on 21 October 2022. The public announcement says that Optus “is appointing” Deloitte, not that they have been appointed. That language implies an appointment process which is continuing, but is incomplete. They say that the terms of reference were still being formulated (as is evident from the draft and final circular resolutions) and the letter of engagement was yet to be finalised.

116    Further, as to the various matters raised about the 3 October 2022 press release, they say that the fact that it was recommended by Ms Bayer Rosmarin does not deprive the report’s dominant purpose as being for Optus to obtain legal advice. And they say that the fact that Ms Bayer Rosmarin identified in a press release that the Deloitte report might have particular effects, that is, it would “help” Optus understand how the data breach occurred and would “assist” Optus rebuild its trust with their customers and may “help others”, does not mean that the dominant purpose for which the report was obtained was not for the obtaining of legal advice. Indeed, the press release itself stated that Deloitte would undertake “a forensic assessment of the cyberattack and the circumstances surrounding it”. The press release does not state that Optus would make available any of Deloitte’s findings or conclusions.

117    Similarly, they say that Optus’ public statement on 25 October 2022, that it was committed to “sharing lessons” from the experience of the cyber-attack does not deprive the Deloitte report of its dominant purpose. The 25 October 2022 statement does not state that Optus was committed to “sharing lessons” from the Deloitte report.

118    Further, they say that the fact that Deloitte engaged directly with Optus to obtain information and documents to prepare its report, does not detract from the dominant purpose for which the report was commissioned. The fact that Deloitte engaged directly with Optus about the information they required is consistent with Deloitte undertaking an “external review” in accordance with the terms of its engagement.

Analysis

119    In my view the evidence does not establish that the Deloitte report was for the dominant purpose of Optus obtaining legal advice or for use in litigation/regulatory proceedings.

120    On the evidence there were various purposes of the Optus respondents.

121    First, there was the legal advice or litigation/regulatory proceedings purpose.

122    Second, there was the purpose more generally to identify the circumstances and root causes of the cyber-attack for management purposes and rectification, being beyond the narrower confines of the first purpose; clearly though there is some overlap with the first purpose.

123    Third, there was the purpose more generally of reviewing Optus’ management of cyber-risk in relation to its policies and processes.

124    Each of the second and third purposes clearly were to the fore in Ms Bayer Rosmarin’s mind on 3 October 2022 (see the media release) and in the mind of the other directors on 11 October 2022 in signing the circular resolution.

125    More generally, the media message being massaged by the CEO and the SOPL Board was all about the Deloitte review being carried out to identify the cause of what occurred so that rectification steps could be carried out to prevent a recurrence.

126    To use Ms Bayer Rosmarin’s own words on 3 October 2022:

I am committed to rebuilding trust with our customers and this important process will assist these efforts.

127    The dominant purpose in her mind and the SOPL Board’s mind justifying the Deloitte review was not a defensive legal or litigation strategy. Her own words are the best evidence that I have to illuminate her purpose. At the least the evidence concerning her conduct and that of the SOPL Board justifies me giving reduced weight to some of Mr Kusalic’s vague statements on matters of significance.

128    Now it is a difficult question in determining purpose to determine the relevant state(s) of mind to attribute to Optus.

129    Optus would have it that its general counsel’s state of mind is the relevant mind. But that would be to distort the analysis. Clearly, the states of mind of the CEO and the other Board members are, on the evidence, highly relevant, although of course they were communicating with Mr Kusalic. Moreover Mr Kusalic in his affidavit at [50] to [52] identifies other relevant states of mind of non-lawyers.

130    Whilst of course I have considered Mr Kusalic as being one of the relevant minds, nevertheless on the totality of the evidence his state of mind and conduct is only part of the analysis.

131    Further, I am fortified in my analysis by the vagueness in how Mr Kusalic expressed himself in his evidence.

132    In his affidavit at [50], he said “Deloitte had been proposed” without any detail as to by whom and when. Further, the latter part of [50] refers to “… how we could best utilise Deloitte’s expertise to assist me and Ashurst …”. But as is clear from the evidence, to assist Mr Kusalic and Ashurst was only one of the purposes and functions. And I am here assessing from multiple purposes which one was the dominant purpose.

133    Further, at [52] he said that “we recommended to the SOPL Board …”. But the “we” is clearly a reference back to [50] where various officers and management personnel who are non-lawyers (apart from Mr Kusalic) are identified. Again this is consistent with Deloitte being also used for non-privileged purposes.

134    Now an interesting question arises as to when I should assess purpose. Should it be on or prior to 3 October 2022 when Ms Bayer Rosmarin referred to Deloitte being retained and her recommendation? Should it be 11 October 2022 at the time of the SOPL Board resolution? Should it be 21 October 2022 at the time of the Deloitte retainer letter? Should it be 13 July 2023 when Deloitte provided its report to Mr Kusalic and Ashurst? I should say as to this last date that although there is a communication, it is unrealistic to only look at purpose at the last date. That is a mechanical output of the true purpose formed in October 2022.

135    In my view the relevant time frame to assess purpose should be either on 3 October 2022 or on or prior to 11 October 2022 when the SOPL Board procured the Deloitte review. But of course, later events including up to the time when the report was brought into existence and communicated can and should be looked at in assessing purpose (Singapore Airlines Ltd v Sydney Airports Corporation [2004] NSWSC 380 at [17] to [22] per McDougall J, affirmed on appeal [2005] NSWCA 47).

136    Let me now discuss some of the salient aspects in more detail.

137    The 3 October 2022 media release, which was no doubt carefully drafted to reflect Optus’ media message, said that the Deloitte review was “recommended” by Ms Bayer Rosmarin. Further, she said, apparently, that “the forensic review would play a crucial role in the response to the incident for Optus, as it works to support customers” and that “we are determined to find out what went wrong”. If she had a privileged purpose, none of this suggests that it was her dominant purpose. And this absence of a dominant purpose is fortified by her further statement:

This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus …

138    This all suggests that the dominant purpose was not a legally privileged purpose.

139    Generally, the failure to adduce direct evidence from Ms Bayer Rosmarin fortifies that conclusion. Indeed I note that no evidence has been given by Ms Bayer Rosmarin or indeed any member of the Board concerning the purpose for which the Deloitte report was procured. In essence, this is a Jones v Dunkel point that is not without merit.

140    Now I accept that the 3 October 2022 media release must be viewed in the context of what went before and what took place after in terms of the commissioning of the Deloitte report and the states of mind and purposes of the various individuals involved.

141    But none of this context assists Optus to persuade me that the relevant dominant purpose was a privileged purpose.

142    In relation to the activities after 3 October 2022, Mr Kusalic’s email to Board members on 9 October 2022, the content of the draft Board resolution circulated at that time and the terms of the final resolution signed on 11 October 2022 do not support the conclusion that the relevant dominant purpose for the review was a privileged purpose.

143    Further, Ashurst did not retain Deloitte until 21 October 2022.

144    Of course, none of this is to deny that parts of the contents of the Deloitte report may be privileged. But that is not the issue that I am presently addressing.

145    And as for the activities of Optus prior to 3 October 2022, they hardly establish that Optus’ dominant purpose was a privileged purpose.

146    Further, it would seem that whatever Ms Bayer Rosmarin’s purpose(s), that purpose(s) was held by the Board. First, the 3 October 2022 media release stated that the Deloitte review was recommended by Ms Bayer Rosmarin and was supported unanimously by the Board. Second, the context of Mr Kusalic’s email to Board members of 9 October 2022 and the draft resolution do not indicate that the dominant purpose was a privileged purpose, and the signed Board resolution of 11 October 2022 also fortifies that conclusion.

147    Let me say something further about the resolutions and Mr Kusalic’s email of 9 October 2022 to Board members.

148    First, it would seem that Mr Kusalic was communicating with the Board as much in his capacity as company secretary as in his capacity as general counsel.

149    Second, the email with reference to the Deloitte review does not suggest that its dominant purpose was a privileged purpose.

150    Third, the draft resolution in terms submitted to the Board indicates that the true or dominant purpose for the review was not predominantly a legal purpose. So, the resolution was expressed:

The directors of Optus RESOLVE:

(a)    that Deloitte be appointed to undertake the reviews referred to in the Optus and Singtel media releases dated 3 October 2022 including:

1.    to identify the circumstances and root causes leading to the Cyberattack;

2.    to review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the Cyberattack; and

3.    a review of incident response, escalation to Optus management, Optus Board, Regulators and relevant bodies to assess if reasonably appropriate, timely and robust actions were taken; and

(b)    to delegate finalising the scope and terms of the Deloitte reviews, provided they are not materially different to those above, to the Optus CEO and the Optus General Counsel and to request they report back to the Board once the reviews are sufficiently progressed.

151    Now I note that resolution (a) refers to “the reviews referred to in the Optus and Singtel media releases”. Further, recital (b) to the resolution stated:

in media releases on 3 October 2022 by Optus and Optus’ ultimate holding company, Singapore Telecommunications Limited (‘Singtel’), Optus and Singtel announced, with the support of Optus’ directors, the appointment of Deloitte to conduct independent external forensic reviews of the Cyberattack and Optus’ cyber security systems, controls and processes;

152    This is not inconsistent with the last sentence of Mr Kusalic’s email which states:

    In addition, Singtel proposes undertaking a broader review of security systems, controls and processes across the Singtel Group.

153    This is all not consistent with the dominant purpose being a privileged purpose concerning the Optus respondents only. The reference to Singtel in the email and the draft resolution suggests a broader scope than procuring the Deloitte report to deal with legal concerns focused on the Optus respondents. Moreover, this email and the draft resolution were drafted by Mr Kusalic which casts doubt in my view on how he now portrays the matter in terms of the question of dominant purpose.

154    Moreover, the 11 October 2022 signed resolution differs from the 9 October 2022 draft.

155    The signed resolution stated:

The directors of Optus RESOLVE:

(a)    that Deloitte be appointed to undertake independent external forensic reviews of the Cyberattack, including:

1.    to identify the circumstances and root causes leading to the Cyberattack;

2.    to review Optus’s management of cyber risk in the context of the applicable cyber risk management policies and processes in connection to the Cyberattack; and

3.    to review the Cyberattack incident response, and the appropriateness of actions taken, having regard to the existing crisis management policies and procedures; and

(b)    that, in relation to the reviews, Optus management be requested to report back to the Board, and in accordance with the Optus delegation framework.

156    Now the prefatory words to resolution (a) are different. Further, the recitals are also different. They drop out any reference to Optus’ holding company.

157    As I have indicated, recital (b) in the draft resolution of 9 October 2022 stated:

in media releases on 3 October 2022 by Optus and Optus’ ultimate holding company, Singapore Telecommunications Limited (‘Singtel’), Optus and Singtel announced, with the support of Optus’ directors, the appointment of Deloitte to conduct independent external forensic reviews of the Cyberattack and Optus’ cyber security systems, controls and processes;

158    This was dropped in the 11 October 2022 resolution. I have no explanation for this change except for a vague statement from Mr Kusalic that he made changes “following feedback from one of the directors”, whatever that means. Further, it would seem from the draft resolution that there were two media releases on 3 October 2022 and possibly more than one Deloitte review. Mr Kusalic’s affidavit is less than transparent on all of this.

159    Let me deal with another matter.

160    The Optus respondents have made much play of the Deloitte letter of retainer of 21 October 2022, privilege protocols and the like. There was also of course the separate letter from Optus to Deloitte of 21 October 2022.

161    But if the relevant dominant legal purpose did not exist or has not been demonstrated at or prior to the time of the board resolution on 11 October 2022, the form of the later main retainer letter cannot change the substance of the analysis on dominant purpose. Channelling material through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have. And the fact that the SOPL Board’s objectives as set out in the circular resolution of 11 October 2022 are replicated in the main retainer letter does not change the reality of the Board’s or the CEO’s purpose(s) for engaging Deloitte to undertake an external review, which I am not satisfied was a dominant legal purpose.

162    Further, many of the references in the main retainer letter of 21 October 2022 and in later material to privilege protection being invoked are consistent with specific communications (oral or in writing) being protected from time to time. But I am dealing with the report as a whole.

163    Two other points should also be made.

164    First, the signed circular resolution on 11 October 2022 in recital (c) says that “Deloitte has commenced aspects of its reviews”. So, well before the letter of retainer on 21 October 2022, Deloitte was doing work. And there is no direct evidence that it was being done under the auspice of Ashurst; the earlier Ashurst email of 23 September 2022 referred to “[a]dvising on the conduct of Optus’ internal investigation” (my emphasis). It is apparent that there was no reference to the external review to be carried out by Deloitte. Ashurst’s direct significant involvement in the external review does not appear to have surfaced until 21 October 2022, although it may have reviewed a letter of engagement at an earlier time. Clearly, endeavours to cloak the Deloitte review with legal professional privilege were more to the fore in late October 2022 than they were at the start of the month. This shows the artificiality in how Optus has sought to deploy the main retainer letter of 21 October 2022. Of course it is relevant evidence, but in my view it is underwhelming in terms of foreclosing any argument on dominant purpose, as Optus has sought to deploy it.

165    Second, I cannot help thinking that if the dominant purpose of Optus was as Mr Kusalic now says it is, he would not have drafted his 9 October 2022 email or the draft or final resolutions on 9 and 11 October 2022 respectively as they were expressed. Indeed, it is difficult to see how the CEO could have made the statements she did on 3 October 2022 if everyone then was singing from the same hymn book as to the dominant legal purpose. To some degree this is speculation, but I have an uncomfortable sense that important aspects of Mr Kusalic’s affidavit concerning the time-frame prior to mid-October 2022 have involved an element of reconstruction.

166    Now there has been no cross-examination so I cannot make hard findings. But I do conclude that Optus has not satisfied me that the requisite dominant legal purpose can be distilled from the multiplicity of purposes in play.

167    In summary, Optus has not discharged the onus of establishing its claim of privilege concerning the Deloitte report.

Documents provided to Deloitte – application of principles

168    As Optus has not satisfied the onus of demonstrating that the Deloitte report was for the dominant purpose of legal advice, it follows that Optus has not demonstrated that the Deloitte instructions and the Deloitte brief were for the dominant purpose of legal advice.

169    But let me assume for the moment and for the sake of argument that I am wrong on my principal conclusion.

170    Now as I have indicated, as to whether privilege attaches to documents provided to a lawyer or a non-lawyer for the purposes of undertaking an investigation and preparing a report, it is well established that copies of non-privileged documents may be privileged if the copies have been created for a privileged purpose.

171    If non-privileged documents are communicated to a lawyer or a non-lawyer (such as an expert engaged by the lawyer) for the dominant purpose of a lawyer providing legal advice or legal services, privilege will attach to those non-privileged documents.

172    Now the Optus respondents say that to the extent that copies of non-privileged documents have been created for and provided to Deloitte for the purposes of conducting its investigation and preparing the Deloitte report, those non-privileged documents are also privileged to the extent that I am satisfied, which I am not, that the Deloitte report is privileged.

173    They say that the fact that non-privileged documents may have been provided to Deloitte for the purpose of its investigation does not mean that the applicants are entitled to production of that collation of non-privileged documents. If I am satisfied that the dominant purpose of the Deloitte report was so that Optus could obtain legal advice from Ashurst in relation to the cyber-attack, then it follows that privilege will attach to the non-privileged documents provided to Deloitte for the purposes of its investigation and report.

174    And it is said that the request by the applicants for documents prepared by Optus for the purpose of providing instructions to Deloitte for the purposes of the Deloitte report, and documents provided to Deloitte by or on behalf of Optus for the purposes of the Deloitte report, is at first blush analogous to the issue of whether privilege attaches to documents provided to an expert witness for the purposes of preparing an expert report.

175    It is said that in that situation, the client on whose behalf the expert has been instructed is entitled to maintain confidentiality in such documents prior to the service of an expert report, but the act of filing and serving the expert report may waive any privilege the client has in the documents relied upon by the expert witness in preparing his report, the rationale being that once an expert report is deployed for forensic advantage, that deployment is inconsistent with the maintenance of privilege in the documents relied upon by the expert witness in his report.

176    But it is said that in the present case, Optus has indicated no intention that it intends to file and serve the Deloitte report or rely upon it in these proceedings. So, it is said that if I am satisfied that the Deloitte report itself is privileged, then Optus is entitled to retain confidentiality and privilege over any documents created for or provided to Deloitte for the purposes of its investigation and report.

177    Now on this aspect I am largely in agreement with Optus, subject to the fact of course that its position is built on a flawed foundation.

178    Now the applicants say that regardless of whether the Deloitte report was prepared for the dominant purpose of legal advice, the non-privileged copies of documents in the Deloitte brief do not attract the protection of privilege, and will need to be discovered and provided for inspection in due course. It is said that they should be provided now, given that the purpose of the applicants’ application is to enable discovery on the central issues relevant to liability to be expedited.

179    Further, they say that the fact that such documents have been provided to Deloitte for the purpose of its investigations provides, in effect, a short-cut to identifying documents of key relevance to the matters the subject of the proceeding. They say that that in itself cannot be seen to disclose the content of privileged communications, especially given that Deloitte’s engagement required such communications to be kept in a separate repository.

180    And they say that regardless of whether the Deloitte report is held to be subject to privilege, there should be early discovery and inspection of the Deloitte instructions, insofar as they are internal working documents not constituting communications, and non-privileged copies of the documents in the Deloitte brief.

181    Now if I had found that the Deloitte report was privileged, I would not have ordered discovery let alone inspection of this other material at this stage. In other words, I would have rejected the applicants’ position.

182    Much of this material would have been covered by the Propend point or in any event I would have declined to make such orders at this stage as an exercise of discretion.

183    But as I have found the Deloitte report not to be privileged, I will hear further from the parties as to discovery or inspection orders concerning this category.

184    I should also note that in any event and notwithstanding my principal conclusion concerning the Deloitte report, that does not entail that there may not be valid privilege claims concerning specific communications or their content (partial or otherwise) to and from Deloitte involving Optus and/or Ashurst.

Did Optus waive privilege in the Deloitte report?

185    The applicants have put an alternative argument that if I had found that the Deloitte report was for the dominant purpose of Optus obtaining legal advice, Optus’ conduct in relying on the report for other purposes gave rise to an inconsistency such that privilege was waived over the Deloitte report.

186    The applicants say that following the data breach, Optus faced a significant crisis, including in particular a high risk of damage to its relationships with its customer base, its brand and its reputation.

187    They say that Optus sought to mitigate these risks by making various public statements which included significant reliance on the fact of, and the use to which, the Deloitte report would be put.

188    The applicants say that the importance of the Deloitte report to these statements is obvious. If Optus had remained silent as to whether it was undertaking any investigation into the causes of the data breach, it would have been unable to provide customers or the public with any basis upon which Optus would be able to retain or recover trust.

189    Similarly, they say that if Optus had announced that it had commissioned a confidential and privileged report which would never see the light of day, that would have done nothing to repair its brand and reputation.

190    Instead, they say that Optus chose to rely heavily on the fact of the Deloitte report. They say that Optus made a representation directly to its customers that it would share the lessons learned, including those in the Deloitte report. Further, they say that in a statement by Ms Bayer Rosmarin, she relied on work undertaken to progress the Deloitte report in stating that the data breach was a criminal act perpetrated by a motivated and planned attacker. They say that there is an inherent inconsistency in Optus relying upon the Deloitte report in these ways whilst it was in the midst of a public relations crisis, and in now seeking to rely upon privilege in trying to resist any inspection of the report itself and its underlying material.

191    They say that this inconsistency should be held to give rise to a waiver of any privilege which existed over the Deloitte report, and all underlying documents required to understand that report.

192    I would reject the applicants’ waiver argument. Let me elaborate.

193    An implied waiver occurs where there is some inconsistency between the conduct of the privilege holder and the maintenance of the confidentiality which the privilege is intended to protect.

194    In Mann v Carnell (1999) 201 CLR 1, Gleeson CJ et al said at [29]:

Waiver may be express or implied. Disputes as to implied waiver usually arise from the need to decide whether particular conduct is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect. When an affirmative answer is given to such a question, it is sometimes said that waiver is “imputed by operation of law”. This means that the law recognises the inconsistency and determines its consequences, even though such consequences may not reflect the subjective intention of the party who has lost the privilege. … What brings about the waiver is the inconsistency, which the courts, where necessary informed by considerations of fairness, perceive, between the conduct of the client and maintenance of the confidentiality; not some overriding principle of fairness operating at large.

(footnotes omitted)

195    In Osland v Secretary, Department of Justice (2008) 234 CLR 275, Gleeson CJ et al said at [45], [46] and [49]:

Waiver of the kind presently in question is sometimes described as implied waiver, and sometimes as waiver “imputed by operation of law”. It reflects a judgment that the conduct of the party entitled to the privilege is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect. Such a judgment is to be made in the context and circumstances of the case, and in the light of any considerations of fairness arising from that context or those circumstances. In the present case counsel for the appellant acknowledged that, if the press release had not included the sentence earlier identified as critical, privilege probably would not have been waived. This is undoubtedly correct, even though, upon that hypothesis, the press release would have made some disclosure concerning legal advice taken by the Department.

The conduct of the Attorney-General in issuing the press release and including in it certain information about the joint legal advice is to be considered in context, which includes the nature of the matter in respect of which the advice was received, the evident purpose of the Attorney-General in making the disclosure that was made, and the legal and practical consequences of limited rather than complete disclosure.

Whether, in a given context, a limited disclosure of the existence, and the effect, of legal advice is inconsistent with maintaining confidentiality in the terms of advice will depend upon the circumstances of the case. As Tamberlin J said in Nine Films and Television Pty Ltd v Ninox Television Ltd, questions of waiver are matters of fact and degree.

(footnotes omitted)

196    Implied waiver is a fact-based inquiry as to whether by conduct the privilege holder has directly or indirectly put the contents of an otherwise privileged document in issue. This entails an evaluative decision based on a consideration of the whole of the circumstances of the particular case. The context and circumstances in which disclosure or use is made is relevant to determining whether the requisite inconsistency arises. The circumstances may include the nature of the matter in respect of which the privileged document was used, the evident purpose of such disclosure or use that is made and the legal and practical consequences of limited rather than complete disclosure.

197    Now in my view none of the public statements referred to by the applicants put the contents of the otherwise privileged report in issue. And clearly, there has been no meaningful disclosure of the substance of Deloitte’s views or advice or any public deployment of the gist thereof.

198    As to the statement published on Optus’ website on 25 October 2022, the general statement that Optus is “committed to learning, doing better in the future, and sharing lessons” does not equate to a commitment to share the contents of or findings in the Deloitte report. And I agree with Optus that the same may be said in respect of Ms Bayer Rosmarin’s statement that Optus hoped that the Deloitte review would show it “ways we can improve” as recorded in the 8 March 2023 article.

199    Further, as to the statement from Ms Bayer Rosmarin on 10 November 2022, it is not necessarily clear that there is a link between the statement that the Deloitte Report was “well underway” and her later statement that “… it is very clear that this was a criminal act perpetrated by a motivated and planned attacker”. It is not clear that Ms Bayer Rosmarin was referring to the contents of or findings of Deloitte in the latter statement. In any event, at that time Deloitte’s report was far from finalised. It cannot be concluded that by Ms Bayer Rosmarin’s statement at that time she put the contents of a subsequent communication being the later report in issue.

200    The applicants’ waiver argument must be rejected.

Conclusion

201    For the foregoing reasons, in my view the Optus respondents have not made good their claim of privilege concerning the Deloitte report.

202    I will hear further from counsel as to the consequential orders that should be made concerning the relief sought in the applicants’ interlocutory application.

I certify that the preceding two hundred and two (202) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Beach.

Associate:

Dated:    10 November 2023

SCHEDULE OF PARTIES

VID 256 of 2023

Respondents

Fourth Respondent:

OPTUS NETWORKS PTY LTD (ACN 008 570 330)

Fifth Respondent:

OPTUS ADSL PTY LTD (ACN 138 676 356)

Sixth Respondent:

OPTUS SATELLITE PTY LTD (ACN 091 790 313)