FEDERAL COURT OF AUSTRALIA

McClure v Medibank Private Limited [2025] FCA 167

File number: VID 64 of 2023

Judgment of: ROFE J

Date of judgment: 7 March 2025

Catchwords:

LEGAL PROFESSIONAL PRIVILEGE – third-party reports – investigation into cyber-attack – whether multiple purposes – common law principles – whether documents were created for dominant purpose of legal advice

LEGAL PROFESSIONAL PRIVILEGE – waiver of privilege – implied waiver – whether voluntary disclosure of reports to the regulator was inconsistent with the maintenance of confidentiality in the reports – whether public statements made were inconsistent with the maintenance of confidentiality in the reports

Legislation:

Corporations Act 2001 (Cth)

Evidence Act 1995 (Cth)

Privacy Act 1988 (Cth)

Cases cited:

Asahi Holdings (Australia) Pty Ltd v Pacific Equity Partners Pty Ltd (No 4) [2014] FCA 796

Australian Securities and Investments Commission v Australia and New Zealand Banking Group (No 2) [2020] FCA 1013

Australian Securities and Investments Commission v Macleod [2024] FCAFC 174

Australian Securities and Investments Commission v Noumi Ltd [2024] FCA 349

AWB Ltd v Cole (2006) 152 FCR 382

Commissioner of Australian Federal Police v Propend Financial Pty Ltd (1997) 188 CLR 501

Commissioner of Taxation (Cth) v Pratt Holdings Pty Ltd (2005) 225 ALR 266

Commonwealth Director of Public Prosecutions v Citigroup Global Markets Australia Pty Ltd [2021] FCA 511

Director of Public Prosecutions (Cth) v Kinghorn; Kinghorn v Director of Public Prosecutions (Cth) (2020) 102 NSWLR 72

Esso Australia Resources Ltd v Commissioner of Taxation (1999) 201 CLR 49

Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Limited (2013) 250 CLR 303

Glencore International AG v Commissioner of Taxation (2019) 265 CLR 646

Goldberg v Ng (1995) 185 CLR 83

Grant v Downs (1976) 135 CLR 674

Kennedy v Wallace (2004) 142 FCR 185

Macquarie Bank Ltd v Arup Pty Ltd [2016] FCAFC 117

Mann v Carnell (1999) 201 CLR 1

Mitsubishi Electric Australia Pty Ltd v Victorian Workcover Authority (2002) 4 VR 332

Osland v Secretary to the Department of Justice (2008) 234 CLR 275

Pratt Holdings Pty Ltd v Commissioner of Taxation (2004) 136 FCR 357

Precision Plastics Pty Limited v Demir (1975) 132 CLR 362

Robertson v Singtel Optus Pty Ltd [2023] FCA 1392

Roberts-Smith v Fairfax Media Publications Pty Limited (No 23) (2021) 417 ALR 221

Singapore Airlines v Sydney Airports Corporation [2004] NSWSC 380

Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58

State of New South Wales v Betfair Pty Ltd (2009) 180 FCR 543

TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143

TerraCom Ltd v Australian Securities and Investments Commission [2022] FCAFC 151

Turner v Bayer Australia Ltd (No 5) (2023) 70 VR 290

Division: General Division

Registry: Victoria

National Practice Area: Commercial and Corporations

Sub-area: Regulator and Consumer Protection

Number of paragraphs: 448

Date of last submissions: 19 February 2025

Date of hearing: 20 May 2024, 23 May 2024, 3 June 2024

Counsel for the Applicants: W A Harris KC, S D Puttick, E Nadon

Solicitor for the Applicants: Baker McKenzie

Counsel for the Respondent: S B McNicol KC, J J Rudd

Solicitor for the Respondent: King & Wood Mallesons

ORDERS

 

VID 64 of 2023

BETWEEN:

ZOE LEE MCCLURE

First Applicant

CIHAN SOLBUDAK

Second Applicant

AND:

MEDIBANK PRIVATE LIMITED (ACN 080 890 259)

Respondent

ORDER MADE BY: ROFE J

DATE OF ORDER: 7 March 2025

THE COURT ORDERS THAT:

1.    Within seven days of the date hereof, the parties file and serve proposed minutes of orders to give effect to these reasons.

2.    Until further order, the Court’s reasons for judgment not be disclosed to or published by any person, save to the parties, their legal representatives, and Court staff.

3.    Within fourteen days, the parties confer, prepare, and provide to the Chambers of Justice Rofe, proposed redactions to the reasons for judgment. The Court will then prepare a redacted version of the reasons for judgment, which will be made available to the public.

4.    In the event the parties are unable to agree to the terms of the proposed minutes of order referred to in order 1 or the proposed redactions referred to in order 3, the areas of disagreement should be set out in mark-up.

5.    Liberty to apply.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

ROFE J:

1.    Introduction

1 By an interlocutory application dated 20 December 2023, the applicants, Zoe Lee McClure and Cihan Solbudak, seek orders for the production of various final technical reports provided to the respondent (Medibank), prepared by non-lawyer consultants and certain sample communications between Medibank, its legal advisors and several cybersecurity advisory firms. This privilege dispute has arisen in the context of class action proceedings brought by the applicants against Medibank alleging, amongst other things, breaches of various contractual, equitable and regulatory obligations.

2 Medibank has asserted legal professional privilege in respect of these documents and the material therein, or otherwise claimed that certain documents are attached to another document to which privilege applies.

3 Medibank claims legal professional privilege in the documents on the basis that the production of the documents would reveal communications between Medibank and its lawyers made for the dominant purpose of giving or obtaining legal advice (the advice privilege) or the provision of legal services, including representation in legal proceedings (the litigation privilege).

4 The applicants contest that legal professional privilege applies to these documents and otherwise claim that Medibank waived privilege in respect of three final reports produced by Deloitte Risk Advisory (Deloitte).

5 It is therefore necessary to consider, on a document-by-document basis, whether each document is subject to legal professional privilege.

6 Parts of my reasons are confidential and include redactions because they disclose the contents of documents which Medibank claims are confidential. I will make an order that, subject to further order, the Court’s reasons for judgment of the date of this order be published only to the applicants and Medibank, and be kept confidential (save to the parties, their legal representatives, and Court staff). This is to enable the applicants and Medibank to prepare, within a period of fourteen days, proposed redactions to the Court’s reasons for judgment. The Court will then prepare and publish redacted reasons for judgment, which will then be made available to the public.

1.1    The cyber incident

7 From about August to October 2022, Medibank experienced a cyber incident in which one or more cyber criminals accessed Medibank’s IT systems using stolen credentials and subsequently exfiltrated customer data (Cyber Incident). I refer to the person or persons responsible for the Cyber Incident as the Threat Actor.

2.    Documents

8 The applicants seek production of the following documents.

(a)    Three reports from Deloitte:

(i)    report dated 4 April 2023 titled ‘Post Incident Review’ (PIR Report);

(ii)    report dated 10 May 2023 titled ‘Root Cause Analysis’ (RCA Report); and

(iii)    report dated 23 June 2023 titled ‘External Review - APRA Prudential Standard CPS 234’ (CPS 234 Report),

(together, the Deloitte Reports).

(b)    Two reports from CrowdStrike:

(i)    report dated 12 December 2022 titled ‘Privileged Investigation Report’ (CrowdStrike Investigation Report); and

(ii)    report dated 11 May 2023 titled ‘Privileged Investigation Report – Atlassian Crowd Analysis’ (Atlassian Report),

(together, the CrowdStrike Reports).

(c)    Two reports from Threat Intelligence:

(i)    report dated 4 January 2023 titled ‘Medibank Digital Forensics and Incident Response Report’; and

(ii)    report dated 23 February 2023 titled ‘Draft Investigation Report – Medibank Sharepoint Investigation’,

(together, the Threat Intelligence Reports).

9 I refer to the Deloitte Reports, CrowdStrike Reports and Threat Intelligence Reports as the Contested Reports. I refer to the various cybersecurity advisory firms collectively as the Cyber Experts.

10 The applicants seek production of the following communications.

(a)    Various communications from CyberCX and Coveware:

(i)    email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Re: Medibank | Key ransom issues and action plan’ dated 26 October 2022;

(ii)    email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Re: Project Opera (privileged and confidential)’ dated 27 October 2022;

(A)    attachment to email from Nick Klein to Cheng Lim titled ‘Case 06064 - Coveware.pdf’ dated 27 October 2022;

(iii)    email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Fwd: Update on TA comms (privileged and confidential)’ dated 29 October 2022;

(A)    attachment to email from Nick Klein to Cheng Lim titled ‘image001.png’ dated 29 October 2022;

(B)    attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.17.13 AM.png’ dated 29 October 2022;

(C)    attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.19.42 AM.png’ dated 29 October 2022;

(D)    attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.20.03 AM.png’ dated 29 October 2022; and

(E)    attachment to email from Nick Klein to Cheng Lim titled ‘Case 06064 -Coveware.pdf’ dated 29 October 2022,

(together, the CyberCX and Coveware Communications).

11 I refer to the Contested Reports and CyberCX and Coveware Communications collectively as the Cyber Expert Documents. The respective engagements relating to the production of the Contested Reports are discussed below in section 4.

12 For clarity, Annexure A to these reasons includes the list of documents of which the applicants seek production.

13 I note that I have not inspected the documents. I chose not to inspect the documents on the basis that the documents are technical reports relating to cyber security. Each of the relevant engagement documents pursuant to which the reports were produced instructed the authors to make reference to the report being prepared for the dominant purposes of legal advice. As such I expect each of the Contested Reports to be peppered with references to privilege incantations, which of themselves, divorced from the circumstances of the creation of the document are largely meaningless and not determinative of whether the particular report is the subject of legal professional privilege. As the applicants contend, “labelling communications with epithets denoting privilege does not make it so”.

3.    Witnesses

14 The applicants read one affidavit from Mr Paul George Forbes dated 21 December 2023. Mr Forbes is a partner at Baker McKenzie, the legal representative of the applicants.

15 The respondent read affidavits from the following witnesses:

(a)    Mr Michael John Wilkins, who made one affidavit on 26 March 2024. Mr Wilkins is a director and the chair of the board of directors of Medibank.

(b)    Mr David Illar Koczkar, who made one affidavit on 26 March 2024. Mr Koczkar is the Chief Executive Officer of Medibank.

(c)    Ms Carolyn Mei Ramsay, who made one affidavit on 26 March 2024. Ms Ramsay is the general counsel and company secretary for Medibank.

(d)    Mr Domenic Mathew Gatto, who made one affidavit on 27 March 2024. Mr Gatto is a partner at King & Wood Mallesons (KWM), the legal representative of Medibank.

16 I granted leave for Mr Wilkins and Mr Koczkar to be cross-examined. The applicants did not seek leave to cross-examine Ms Ramsay or Mr Gatto.

17 The affidavit of Mr Gatto contained little first-hand evidence. Much of the evidence of Mr Gatto was given on the basis of information and belief of other persons.

18 The evidence in this application was extremely document heavy. In addition to the documents annexed to the respondent’s affidavits, the applicants tendered extensive documents. The applicants provided a useful chronology which helped make sense of the documents by providing a road map as to where they might be found in the various tender bundles and annexures.

3.1    Evidence

19 Medibank has relied upon the purported intentions and respective states of mind of Mr Koczkar, Mr Wilkins and Ms Ramsay to support its contention with respect to dominant purpose.

20 Whilst accepting that there were other purposes for which the Deloitte Reports might be apt, neither Mr Wilkins nor Mr Koczkar strayed from the position that the dominant purpose for which the Deloitte Reports were commissioned was to enable KWM to provide legal advice to Medibank and to assist Medibank in any litigation relating to the Cyber Incident.

21 The evidence of Mr Koczkar and Mr Wilkins at times involved matters of legal characterisation. For example, both witnesses utilised the same legal terms to answer questions in cross-examination and describe the purpose behind several engagements. Portions of the cross-examination which illustrate this are included below.

MS HARRIS: You referred to committing to share the outcomes of the review, because those – that the primary of the review was as expressed in this document?

MR WILKINS: No. The primary purpose was to get legal advice …

MS HARRIS: Now, you have accepted that the legal purpose was not the only purpose of the review; correct?

MR WILKINS: No, I don’t accept that, but you asked whether there were other areas that were associated with it or could be associated with it. The answer to that is yes, but the primary purpose was for legal advice. …

MS HARRIS: You weren’t simply concerned to make sure that Mr Gatto and his colleagues had adequate information to allow them to provide Medibank with advice?

MR WILKINS: That was the primary purpose of the Deloitte commissioning, and understanding what those reports said was important from the board’s perspective to be able to then determine the advice that KWM were providing us.

22 Mr Koczkar at times also appeared to minimise any non-legal purpose as ancillary, even at one stage describing “[the] other things that would come out of the review [as] secondary … in my submission”.

23 While I accept that Mr Koczkar and Mr Wilkins hold the views that they expressed, ultimately, the correct legal characterisation is a matter for the Court to determine objectively having regard to the totality of the evidence and cross-examination. As the CEO and Chair of Medibank, their respective states of mind will be highly relevant, but not solely determinative, in the inquiry as to whether legal professional privilege subsists. I elaborate on this further below.

24 Mr Gatto and Ms Ramsay were not cross-examined. The applicants submit that, to the extent that Mr Gatto and Ms Ramsay depose to the relevant documents having some legal purpose — that was a significant, and perhaps predominant, purpose to them as lawyers. The applicants submitted that, in that sense, Mr Gatto and Ms Ramsay may have used the Cyber Expert Documents for legal purposes — however, this evidence alone does not establish that any legal purposes predominated overall for Medibank. I accept this submission — the singular perspective of lawyers for whom legal purposes are obviously likely to be significant, does not establish, on its own, that any legal purposes predominated overall for Medibank.


4.1    Standing engagements

25 I note from the outset that Medibank had pre-existing standing engagements with several Cyber Experts and KWM prior to the Cyber Incident. The nature of each standing engagement is outlined below.

4.1.1    Threat Intelligence

26 Medibank had a standing engagement with Threat Intelligence to act as Medibank’s Digital Forensics and Incident Response (DFIR) partner. As part of its standing DFIR engagement, Threat Intelligence conducted an investigation into the circumstances of the Cyber Incident and conducted dark web monitoring activities to look for evidence of customer data being published on the dark web as well as any other information on the dark web about the Cyber Incident.

27 Threat Intelligence provided a “Digital Forensics and Incident Response Report” to Medibank on 2 December 2022. No claim of legal professional privilege has been made by Medibank in respect of this report or relevant material the subject of Threat Intelligence’s standing DFIR engagement, including the work performed pursuant to these two activities described above.

4.1.2    Datacom

28 At the time of the Cyber Incident, Medibank had a standing engagement with Datacom to act as Medibank’s primary third-party technology service provider. Following the Cyber Incident, Datacom continued to assist Medibank with IT services, including liaising with other third parties.

4.1.3    KWM

29 KWM and Medibank’s relationship is a longstanding one, in place since 1981. The relationship is governed by a “master services agreement” which governs the provision of legal services on all matters subject to any specific, bespoke arrangements agreed for a particular matter.

30 As a matter of practice, KWM does not generally enter into separate retainer agreements with long-standing and key clients like Medibank when it commences to act for them in a new matter. With such clients, the firm’s general practice is to have a “master services agreement” which governs the provision of legal services on all matters subject to any specific, bespoke arrangements agreed for a particular matter.

4.2    Cyber Incident chronology of key events

31 The purpose for which a document was created or commissioned is a matter of law to be determined objectively having regard to the evidence and the nature of the document amongst other things. The Cyber Expert Documents were commissioned, created and delivered at different times. In the case of the Deloitte Reports, some months passed between the initial engagement and delivery of the final reports. I set out below a detailed chronology of key events to provide the context and circumstances surrounding the commissioning and creation of the Cyber Expert Documents which informs my later consideration of whether legal professional privilege subsists in those documents.

4.2.1    11 to 13 October 2022

32 On the afternoon of 11 October 2022, Medibank received a security alert. A technical investigation by Medibank’s internal cyber response team regarding this alert commenced. In the early hours of 12 October 2022, the technical team identified evidence of external access to network administrator accounts and suspicious activity.

33 Mr Koczkar deposed that on the morning of 12 October 2022 he was informed of “unusual activity” in Medibank’s IT system. Following this, Mr Koczkar spoke with a number of Medibank’s staff and arranged a meeting with a crisis management team (CMT), consisting of members of the Executive Leadership Team (ELT) of Medibank and other staff. The Australian Cyber Security Centre advised Medibank that there had been “chatter” on the dark web that Medibank’s IT systems had been breached and that it was likely to be the victim of a ransomware incident.

34 Medibank’s CMT convened on three occasions on 12 October 2022. Mr Koczkar gave evidence that, on that day, he liaised with numerous personnel at Medibank, including its External Affairs team and separately, the Commonwealth Department of Home Affairs.

35 In one of the CMT meetings on 12 October 2022, Mr Koczkar directed Ms Ramsay to advise on and manage all formal communications to the various regulators, such as the Australian Prudential Regulation Authority and the Office of the Australian Information Commissioner, in relation to the Cyber Incident including making or facilitating any legally required notifications. Ms Ramsay engaged her internal legal team at Medibank to assist her in the immediate actions required to respond to the Cyber Incident. On that same day, Ms Ramsay also engaged Medibank’s external lawyers, KWM, to provide legal advice to Medibank in respect of the Cyber Incident.

36 Also on 12 October 2022, Medibank’s primary IT service-provider, Datacom, inquired with CrowdStrike about what assistance CrowdStrike could offer Medibank in response to the Cyber Incident. By 4pm that same day, CrowdStrike had been engaged by Medibank to assist with identification, counter response and to provide incident response, investigation and containment services. These services were provided pursuant to a statement of work dated 12 October 2022 and subsequently modified and extended on 21 October 2022 and 7 November 2022. The statement of work (CrowdStrike SOW) stated:

The Services (defined below) are performed for Customer, at the direction of Customer’s [Medibank’s] In-House Counsel (“Counsel”). Crowdstrike will perform the Services in connection with Counsel’s provision of legal advice to Customer. All communications and documents exchanged between Crowdstrike and Counsel or Customer pursuant to this SOW are intended to support Counsel’s rendering of informed legal advice to Customer. Crowdstrike understands and acknowledges that its work and communications pursuant to this SOW are intended to support Counsel’s legal strategies concerning Customer. Crowdstrike acknowledges that the Services and the engagement artifacts or reports described below, or portions thereof, are or may be protected from disclosure by the attorney-client privilege, attorney work product doctrine, or both. Accordingly, Crowdstrike shall treat the communications and reports exchanged between Crowdstrike and Counsel or Customer pursuant to this SOW in a manner consistent with the maintenance of any such privilege or protection, including without limitation labeling any written communications and documents as “Confidential: Attorney Work Product and Attorney-Client Privileged Communication.”

37 On the same day, Medibank’s External Affairs team engaged CyberCX to assist with its crisis communications strategy (Cyber Crisis Comms). CyberCX were recommended by Mr Alex Loizou (Medibank’s Senior Executive Chief Information Security Officer) in an email of 12 October 2022 to Ms Emily Ritchie (formerly Medibank’s Senior Executive, External Affairs Policy, Advocacy & Reputation). Ms Ritchie then contacted Mr Alastair MacGibbon (Chief Strategy Officer of CyberCX). Medibank does not claim privilege in relation to this portion of CyberCX’s engagement.

38 At approximately 6pm on 12 October 2022, members of Medibank’s internal legal team met via Microsoft Teams with external lawyers from KWM to receive advice in relation to the Cyber Incident. KWM’s engagement by Medibank was pursuant to the pre-existing master services agreement, discussed above. The scope of this engagement was for KWM to provide all legal advice required by Medibank in relation to the Cyber Incident.

39 By the end of 12 October 2022, Medibank’s internal IT security team informed Mr Koczkar that there appeared to have been a cyber breach, and at that stage there was no evidence that any sensitive data, including customer data, had been accessed.

40 On either late 12 October 2022 or early 13 October 2022, Mr Wilkins and Mr Koczkar invoked Medibank’s Cyber Response Board Committee (CRC). The CRC was a standing committee of Medibank’s Board that had been established since before the Cyber Incident to oversee Medibank’s response to cyber events and make decisions on behalf of the Board. The members of the CRC included Mr David Fagan (a non-executive director of Medibank), Mr Wilkins and Mr Koczkar. The first meeting of the CRC occurred on the morning of 13 October 2022.

41 During the morning of 13 October 2022, Mr Cheng Lim (partner at KWM) was instructed to open “Project Opera” in respect of the Cyber Incident.

42 On 13 October 2022, Medibank published an ASX announcement informing the public that it had been impacted by the Cyber Incident and its securities were placed in a trading halt on the ASX. On that day, Medibank also notified the OAIC and APRA of the Cyber Incident. In the days that followed, Medibank published various media releases and further ASX announcements. These media releases and ASX announcements are detailed further below. This trading halt continued until the commencement of normal trading on 17 October 2022.

43 Mr Koczkar’s evidence was that when Medibank went into a trading halt on 13 October, he was aware of the prospect of a shareholder class action against Medibank. This was because he was aware that significant ASX announcements by publicly listed companies, including trading halts, can generate interest by shareholder class action law firms. That risk remained in his mind each time that new information became known about the Cyber Incident. Mr Koczkar was also concerned about regulatory risk, in particular, in relation to the OAIC and APRA.

44 Mr Wilkins’ evidence was that in the initial days and weeks following the identification of the Cyber Incident, Medibank undertook its own internal investigations in an attempt to stop the attack and understand what had occurred so that it could make appropriate notifications and disclosures to stakeholders including customers, shareholders, regulators, law enforcement and various government agencies.

45 Mr Koczkar’s evidence was that immediately upon becoming aware of the Cyber Incident, Medibank commenced an internal investigation by its IT security team. This was to determine what had occurred (including what were the attack paths used by the Threat Actor, how the Threat Actor had infiltrated Medibank’s IT systems, whether and what data had been accessed, and whether the attack had been stopped) as well as to ensure that the Threat Actor was evicted from Medibank’s IT system and that the IT environment was secured. This investigation was overseen and managed by the ELT. This investigation also involved securing Medibank’s IT environment and determining what had to be changed operationally to ensure that similar cyber-attacks would be prevented in the future.

4.2.2    14 to 31 October 2022

46 On 14 and 15 October 2022, someone purporting to be the Threat Actor communicated via email to Ms Ritchie, and then to Mr Loizou, advising that they had proof of involvement in the data breach and seeking to commence negotiations with “authorized personnel” within Medibank.

47 On 16 October 2022, CrowdStrike provided an incident response project status update entitled “Bluemarsupial” which identified the earliest evidence of Threat Actor activity as late August 2022, and more recently as 12 October 2022, and gave an update as to the ongoing deployment of the ‘Falcon’ software.

48 On 17 and 18 October 2022, the Threat Actor advised via Medibank’s website chat support interface that they had information about ‘the incident’ and provided an email address for further communication.

49 At around 8.37 am on 19 October 2022, the Threat Actor contacted several executive staff from Medibank, including Mr Koczkar, via WhatsApp to negotiate a ransom payment and provided material indicating that they had exfiltrated data from Medibank’s systems. The data sent to Medibank staff included a list termed “naughty” which included persons who were claimed to be “high profile” and claimed to identify health treatment data, such as for drug abuse and mental health, with the apparent purpose of extorting a ransom from Medibank. Prior to this contact from the Threat Actor, Medibank’s IT security team was of the view that it did not appear that the Threat Actor had deployed ransomware or accessed customer data.

50 Following receipt of the message from the Threat Actor, Mr Koczkar attended a CMT meeting at 9.30 am and informed the attendees of the message that he had received. Mr Wilkins’ evidence was that the realisation that customer data may have been accessed and exfiltrated was a turning point in his mind as to the seriousness of the Cyber Incident and the potential for legal exposure. From this point, Mr Koczkar said he knew that the Cyber Incident had the potential to be an even more significant issue than it already was.

51 On 19 October 2022, Medibank entered a further ASX trading halt and released another ASX announcement informing the public of the ransom request, noting (among other matters) that its investigations were ongoing and that it would continue to provide regular updates. This trading halt lasted until 21 October 2022, at which time Medibank’s securities were suspended from quotation. This suspension from quotation lasted until immediately following an ASX announcement on 26 October 2022.

52 Also on 19 October 2022, Medibank staff met with staff from CrowdStrike, Datacom and Threat Intelligence to discuss the Cyber Incident, provide updates on key action items and create further action items if necessary. Ms Ramsay and Mr Lim met with representatives of CyberCX, Mr John Macpherson (director at Ashurst Risk Advisory) and other Medibank representatives in relation to the scope of the KWM CyberCX engagement. CyberCX provided a proposed scope of work to KWM on 20 October 2022.

53 By late morning on 19 October 2022, Medibank was corresponding with the Threat Actor via Coveware. Communications with the Threat Actor via Coveware continued until 1 December 2022.

54 Also on 19 October 2022, Mr Gatto was advised by Ms Nicola Charlston (partner at KWM) that Medibank required legal advice in his areas of expertise: risks of possible class actions from customers and shareholders, and Medibank’s engagement with the OAIC, APRA and the Australian Federal Police.

55 During the evening of 19 October 2022, Ms Charlston and Mr Lim had a telephone call with Ms Ramsay and Mr Ashley Spencer (at that time Medibank’s Senior Executive – Legal (Strategy & Enabling Functions)).

56 Another ASX release was published by Medibank on 20 October 2022, noting that the trading halt continued until further notice. Mr Gatto, Mr Lim and Ms Charlston provided legal advice to Ms Ramsay in relation to the ASX release. As with the earlier releases, the release noted Medibank’s commitment to “transparency about what we know, and how that could impact our customers, our people, and the broader community”. Mr Koczkar was quoted as saying:

We will learn from this incident and will share our learnings with others.

Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.

57 A draft board paper entitled “Medibank Private Limited – Board Committee – Risk Assessment: Cyber Incident Containment Options – 16th October 2022 – for Noting” (16 October 2022 Draft Paper) was circulated on 21 October 2022 which provided an outline of an expected “path forward” contemplated by the Medibank Executive Leadership Team. This included three separate phases: a “sprint phase”, a “marathon phase” and “the new normal phase”. The anticipated steps under each phase are reproduced below:

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

58 The draft Board paper also noted the various measures which were taken by Medibank in response to the Cyber Incident at that time. These relevantly included the following:

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

*    [REDACTED]

*    [REDACTED]

[REDACTED]

*    [REDACTED]

*    [REDACTED]

*    [REDACTED]

59 On 20 October 2022, Medibank received a letter from the OAIC making preliminary inquiries about the Cyber Incident under s 42(2) of the Privacy Act 1988 (Cth). On that same day, KWM retained senior counsel to advise Medibank in relation to the Cyber Incident and ransom request.

60 Ms Ramsay’s evidence was that, between 21 and 25 October 2022, she began to shift her focus from the actions taken in the immediate response to the Cyber Incident, to focussing on managing legal risks and potential legal exposures associated with the Cyber Incident in the medium to long term. Ms Ramsay began to consider potential options for an external post incident review of the Cyber Incident, to enable both internal and external lawyers for Medibank to understand precisely what had occurred, in order to provide legal advice to Medibank and prepare for the investigations and legal proceedings that appeared to her at that time very likely to eventuate. Ms Ramsay considered that any post incident review would have to be undertaken by an external party because of the limited capacity of the internal IT security team (as they were fully occupied with efforts to contain the Cyber Incident), and the potential bias (perceived or actual) if the internal IT security team were to conduct a review themselves.

61 On 24 October 2022, Mr Gatto had a video call with Mr Guy Smith (at the time, Medibank’s Head of Disputes) and Mr Spencer to discuss risks associated with anticipated legal proceedings and steps to be undertaken to prepare for that litigation.

62 On 25 October 2022, Medibank released a further ASX announcement confirming that Medibank customer data (in addition to that of ahm Health Insurance and international student customers’ personal data) had been exfiltrated, and that the Cyber Incident was the subject of criminal investigation by the AFP. In addition to supporting the AFP criminal investigation, the release noted that Medibank “continues to work with specialised cyber security firms, the Australian Cyber Security Centre and government stakeholders” and stated that “Medibank will continue to provide regular, transparent updates”.

63 From around 25 October 2022, newspaper articles published by the Australian Financial Review and the Sydney Morning Herald in relation to the Cyber Incident raised the prospect of potential class action legal proceedings being investigated. By this time, Mr Wilkins considered that there was a real prospect that Medibank would face legal proceedings in the form of regulatory actions and/or actions by customers or shareholders. He considered it essential for the Board to understand Medibank’s potential legal exposure flowing from the Cyber Incident.

64 By 25 October 2022, Ms Ramsay considered that Medibank should arrange for the conduct of an external review, where the purpose was to verify, from a suitably qualified person external to Medibank, the facts of the Cyber Incident in order to obtain legal advice and prepare for legal proceedings. Ms Ramsay explained that this was because the legal teams needed to know what happened in order to provide legal advice to the Board on potential legal risks and prepare for the likely legal proceedings.

65 On 26 October 2022, CrowdStrike provided a further incident response status update for the “Bluemarsupial” project which summarised ongoing systems analysis and investigations and Falcon software deployment. At this point, CrowdStrike did not identify any evidence of ongoing activity by the Threat Actor.

66 Medibank issued a further ASX release on 26 October 2022 which provided an event update in relation to the Cyber Incident, a first quarter performance update and an update to the FY23 outlook. That day, Medibank’s trading suspension from the ASX was lifted.

67 On 26 October 2022, KWM briefed senior counsel to advise Medibank in relation to the legality of paying a ransom in respect of the Cyber Incident. There were at least two calls that day with senior counsel and KWM lawyers including Mr James Russell (partner at KWM) and Ms Charlston and Medibank lawyers including Ms Melissa Monks (Senior Executive – Compliance, Privacy and Regulatory Affairs at Medibank), Ms Ramsay and Mr Spencer. There was a further call with senior counsel on 27 October 2022 which included Mr Lim, Ms Charlston, Ms McCormack, Ms Ramsay and Mr Spencer.

68 The relevant advice about the legality of paying the ransom was provided to Medibank’s Board on 29 October 2022. Around that time KWM executed the CyberCX Statement of Work, which is extracted below at [208].

69 On 29 October 2022, the Board met at 4 pm via Zoom to receive an event update and update from external advisors. The minutes for the meeting record that the Board noted the paper entitled “Board Briefing-Cybercrime – Ransom framework” dated 28 October 2022 and attached appendices and the paper entitled “Board Briefing – Cybercrime – Ransom framework – Supplemental Paper” dated 29 October 2022 and attached appendices. The Board minutes also record that the meeting was attended by Ms Ramsay and five other Medibank management personnel, three partners from KWM, and representatives from CyberCX, Coveware and Ashurst Risk Advisory. According to Mr Gatto (as informed by Mr Lim) the KWM advice discussed at this Board meeting related to the payment of a ransom and directors’ and officers’ duties.

4.2.3    1 November 2022 to 31 December 2022

70 Mr Koczkar deposed that by, at the latest, 1 November 2022, Ms Ramsay informed him that she was considering that the Board should commission an external review into what had occurred in the Cyber Incident, so that the legal team including KWM could understand in a non-technical manner what had occurred and provide legal advice to Medibank in relation to it. Mr Koczkar and Mr Gatto both deposed that, at that time, the reports that had been prepared by Medibank and the various cyber experts on the Cyber Incident were quite technical in nature and difficult to understand for people not trained in IT. Such reports included logs which were in raw form and not able to be interpreted without technical assistance.

71 Ms Ramsay also considered it important for Medibank’s internal and external legal teams to obtain an understanding of what happened in a non-technical form, which could be digested and understood by them so that they could provide legal advice.

72 With respect to the idea of engaging an external review of the Cyber Incident, Mr Koczkar’s evidence was:

I knew that the Board needed to understand Medibank’s legal position. By this time, I thought that it was appropriate that the Board be given an external perspective on what had happened in order to get advice on Medibank’s potential legal exposure. For example, at this time [Medibank] could not confirm that the Cyber [Incident] had not involved someone internally or contracted by our business, so while I considered our internal investigation had already given us a reasonable understanding of what had occurred, we could not discount anything. Having someone external come in and review what had happened and explain this to Medibank’s lawyers provided the best method for the Board to understand what the Cyber [Incident] meant legally for Medibank. In this regard, I note that while I was aware an external review would serve a purpose of assisting us to understand what had happened, in the sense of providing a means of verifying our internal investigation, that purpose was very much secondary to the primary purpose of ensuring the Board could receive advice on Medibank’s legal position based on an external review of what had occurred. In particular, as I note above, by this time I felt I already had a reasonable understanding of what had occurred based on Medibank's internal investigation. Finally, I was also very particular that it had to be a Board-led external review, not management-led.

73 On 4 November 2022, the Board met to consider, among other matters, an update on the response to the Cyber Incident, including the potential release of an ASX announcement. At this meeting, the Board made an “in-principle decision” that Medibank would not pay the ransom. The minutes of the meeting show that in addition to the Board and Ms Ramsay, five members of management were present for the Cyber Incident Update during which the Board considered whether to pay the ransom. According to Ms Ramsay, it was the view of the Board as expressed in Board meetings at which she was present — and with which she agreed — that external experts (i.e. non-Medibank personnel) should conduct an external review, so the legal team would have the benefit of an assessment of the facts by persons unconnected with the circumstances of the Cyber Incident.

74 According to Mr Wilkins, between 4 and 6 November 2022, the Board decided that it would instruct KWM to commission an external review by external experts discussed above at [70]–[72]. Mr Wilkins’ evidence was that the purpose of the external review was clear to him: the Board needed advice on Medibank’s legal exposure which was based on a complete understanding of what had happened. It was important to Mr Wilkins that the review be conducted by an external party.

75 Mr Wilkins stated that the purpose of the external review was:

… to assess any potential legal exposure arising from the [Cyber Incident] and inform our response (including defences) to the legal proceedings which I thought at the time were highly likely to eventuate. In my mind, the purpose of the external review was clear: the Board needed advice on Medibank's legal exposure which was based on a complete understanding of what had happened.

It mattered to me that the review be done by an external party. The Board had already received information from Medibank’s IT security team about the cyber event based on their internal investigations, but I considered that the Board needed an external perspective of what had taken place within the organisation and any legal risks arising from it. For this reason, it was decided that the Board, not Medibank's Executive Leadership Team (i.e. representatives of management at the executive level) (ELT), would instruct KWM to commission the external review, so that the Board had oversight of the process. The Board needed an unfiltered external review that reconstructed from the ground up what had happened in order to understand whether Medibank was legally exposed and the nature of any potential exposure.

If the Board had just needed to know what had happened for operational purposes, it would not have decided to instruct KWM to commission an external review of the kind we did. It would only have continued with Medibank's internal investigation, and then potentially looked to have someone validate or provide assurance around the veracity of that investigation. But because the Board wanted legal advice about its legal exposure, Medibank decided to proceed with an external review which would reconstruct what had happened for the purpose of lawyers giving advice to us on legal exposure.

76 On Sunday, 6 November 2022, the CRC held a meeting which was also attended by five members of management and Ms Ramsay. During that meeting, Ms Ramsay informed the CRC that the Board was comfortable with a proposed announcement to the ASX which announced that: Medibank would not pay the ransom; provided details concerning what data Medibank believed at the time had been exfiltrated by the Threat Actor; and announced that Medibank would commission an external review of the Cyber Incident. The minutes of the CRC meeting record that the draft ASX announcement “incorporated all the feedback received from the Directors”, and that all Board members had advised that they were comfortable with the content of the draft announcement. Neither the draft announcement nor (the unredacted part of) the minutes made any reference to the external review having any legal purpose. The ASX announcement was approved by the CRC on 7 November 2022 and released to the ASX that same day (7 November 2022 ASX Announcement).

77 The 7 November 2022 ASX Announcement stated:

Medibank has today announced that no ransom payment will be made to the criminal responsible for this data theft.

Mr Koczkar said: “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

“It is for these reasons we have decided we will not pay a ransom for this event,” he said.

This decision is consistent with the position of the Australian Government. …

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” [Mr Koczkar] said. …

As we have worked through this cybercrime, Medibank has committed to being transparent as events unfold and more is understood, including how that could impact our customers, our people, and the broader community. …

External review

In addition to its ongoing forensic investigations, Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.

Medibank will announce more details of this review in the near future.

Medibank commits to sharing the key outcomes of the review, where appropriate, having regard to interests of its customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

(Emphasis added.)

78 The external review named in the 7 November 2022 ASX Announcement was the review ultimately carried out by Deloitte, and which resulted in the three reports: the PIR, RCA and CPS 234 Reports. At the time of the announcement, the identity of who would conduct the external review was not determined.

79 As to the 7 November 2022 ASX Announcement, Mr Wilkins’ evidence was:

I recall it was important to me that we got the message out that we were taking appropriate steps to understand what had occurred so that we could remedy any issues that may be revealed to us and share those issues within the constraints of any legal advice taken by us.

I did not at any time intend to release the reports of the proposed external review into the public domain, as I thought that to do so could expose Medibank legally, and provide details of Medibank’s IT systems that I did not think should be in the public domain (including due to the potential IT security risk that this could create for Medibank). …

However, if there were key findings that could be shared in a way that would not impact on Medibank’s legal position or Medibank’s claims for LPP, or present an IT security risk, or compromise the Australian Federal Police’s ongoing investigation, then that was something that the Board was open to sharing. That is what was meant when the Board said in the announcement that Medibank would share the key outcomes “where appropriate”.

80 In cross-examination, Mr Koczkar agreed that Medibank was trying to be as transparent as possible, however, he noted the reason for the “where appropriate” was “because we had no intention of sharing the – that external review in full”. He agreed that he intended to share the key outcomes of the external report and also agreed that there was no reference to the external review being commissioned for any legal purpose.

81 Regarding the 7 November 2022 ASX Announcement, Mr Koczkar deposed that at the time of the announcement, Medibank was still determining who was going to conduct the external review. Medibank was also still developing what the terms of reference would be for the external review. With respect to the intended purpose of the external review, Mr Koczkar gave evidence that:

Since the Cyber [Incident] had occurred, Medibank had been trying to be as transparent as possible with stakeholders, within reason, and the Board also wanted to share what it could with the community to avoid this happening to anyone else. At the same time, the words “where appropriate” were included in the ASX announcement because the Board was not going to share any of the key outcomes with anyone if doing that would increase the risk of a claim against Medibank, reduce Medibank’s ability to defend a legal proceeding, or give any other cybercriminals a roadmap to Medibank’s IT systems for that matter. In particular, the words “where appropriate” were included because, in my view, the Board had no intention (nor made any decision) to waive [legal professional privilege] in respect of the external review.

At that time, I did not consider it appropriate to include in the ASX announcement the fact that the external review was being obtained for legal advice, because in my experience that would only serve to make investors concerned and suspicious. I know from my experience of approximately 30 years of working in corporations with lawyers that I should not publicly reference legal advice. For these reasons, I did not think that the ASX announcement should expressly state that the external review was being engaged for legal purposes.

82 Mr Koczkar’s evidence was that he was aware of the fact that APRA would likely require an external review into the Cyber Incident to support its regulatory oversight. As such, and in discussions with Mr Wilkins, Mr Koczkar was keen to ensure that Medibank’s decision to conduct the external review was communicated to APRA and that APRA was consulted on its terms and scope so that it may satisfy any requirements APRA had, and ideally avoid the need for APRA to also conduct a separate review which would put an additional burden on Medibank’s resources. Ms Ramsay deposed to a similar view, subject only to the qualification that the outcomes would be shared with APRA to the extent that doing so would not waive privilege.

83 Ms Ramsay provided advice on the form of the ASX announcement. In relation to the statement that Medibank would share key outcomes of the review “where appropriate”, Ms Ramsay’s evidence was that she considered it important to convey that it may not be appropriate to share all outcomes, which would include making any public statement that would undermine Medibank’s claims for privilege in communications relating to the external review. Ms Ramsay considered that including details of the external review in the ASX announcement was consistent with the philosophy adopted by Medibank in relation to the Cyber Incident that Medibank would be as transparent as possible “within appropriate reason and bounds”.

84 By about 10 November 2022, Mr Gatto had formed the view that KWM would need to engage:

(a)    one or more third-party cyber experts with relevant experience and expertise who could conduct an investigation, review the relevant information and reports prepared to date, and provide a report to KWM which would explain, in terms the legal team could understand, what had happened, the cause of the Cyber Incident and whether Medibank had and was continuing to comply with its obligations under the Privacy Act;

(b)    third-party experts to provide ongoing assistance to KWM on specific and technical cyber security issues relating to the Cyber Incident; and

(c)    a third-party expert with specific expertise and experience in the application of the standards in Australian Privacy Principle 11.1 and Prudential Standard CPS 234.

85 In an 8 November 2022 email from Ms Kylie Bishop (Medibank’s Group Executive People, Culture & Sustainability), a draft “Cyber Incident Program Office” document was attached which set out a Governance flow diagram. In this diagram, “Incident Investigation” and “External Review” were grouped together and pictured as being under the supervision of the Board Sub Committee and the ELT Sub Committee, which included Mr Koczkar, Ms Ramsay and Mr Mark Rogers (Medibank’s Group Executive, Chief Financial Officer and Strategy), with no mention of KWM. The purpose given for the external review was to “conduct an external and independent review and share findings and lessons with stakeholders”.

86 On 10 November 2022, Mr Wilkins and Mr Koczkar received legal advice from Ms Ramsay and KWM in relation to the form of the external review and the terms of reference.

87 Ms Ramsay gave evidence, on information and belief from Mr Rogers, that on or about 12 November 2022 he and Ms Karen Phillips (Senior Executive – Internal Audit) met with potential candidates to conduct the external review, to assess their capacity and technical capability to conduct the proposed review. Mr Rogers and Ms Phillips are not lawyers nor part of Medibank’s legal team.

88 In an 11 November 2022 email from Ms Phillips to Mr Rogers, headed “Cyber Incident – Review and Internal Audit”, Ms Phillips referred to an earlier phone call with Mr Rogers and noted:

Deloitte

*    Has confirmed they are happy to work with us to get us into a position to announce a relationship at the AGM, noting they would need to be across the wording to be used. KWH [sic] has already reached out independently and Deloitte Partners have connected to ensure Firm alignment

*    Meeting being arranged for over the weekend for Deloitte to share insights on potential scope, leveraging Optus, Energy Australia, other work. Would you like to join?...

KPMG…

As discussed, the high level objective of this first piece of work is to assess why were we exposed (how did we get here) and what do we have planned to remediate? The scope that sits below this will need to be fleshed using the expertise of the provider.

(Emphasis in original.)

89 Following their meetings, on either 13 or 14 November 2022, Mr Rogers and Ms Phillips recommended that Deloitte be appointed to undertake the external review. Mr Koczkar was aware that Ms Phillips and Mr Rogers met with potential candidates to assess their capacity to undertake the external review.

90 On or about 14 November 2022, Ms Ramsay instructed KWM to prepare draft terms of reference for an external review to be conducted by Deloitte, and a draft engagement letter to retain Deloitte to conduct the external review. Mr Gatto had a telephone discussion with Mr Ian Blatchford of Deloitte in the evening of 14 November 2022, and later that evening provided him with a draft engagement letter including the draft terms of reference.

91 On 15 November 2022, Ms Phillips informed APRA that “as you were already aware, King & wood Mallesons (KWM) has been engaged to act on our behalf and appoint an external provider to perform a review in relation to the recent cyber incident”. Ms Phillips noted that after consideration of a number of advisers, Deloitte had been chosen as preferred external review provider. Medibank provided APRA with the draft terms of reference and a proposed governance structure for engaging Deloitte to conduct the external review. Ms Phillips concluded “[p]rior to us making any announcement at our AGM, we welcome any queries or comments APRA may have in relation to our proposed course, in particular our preferred external provider, the high level governance structure we will have in place, and the draft terms of reference”.

92 Medibank’s dealings with APRA are discussed further at 4.3 under the heading “APRA involvement”. However, it is of note that APRA had “no objection” to the use of Deloitte. Mr Bruce Young (at the time, General Manager Operational Resilience at APRA) set out in an email APRA’s “suggested amendments/additions to your original scope paragraph” and requested a copy of the final scope prior to completion. APRA’s suggested additions included:

*    A timeline/sequence of events;

*    What specifically was the root cause, series of weaknesses, and/or control deficiencies which facilitated the breach, and was there anything that could have alerted Medibank to the control weakness and/or breach prior;

*    Identify the areas of non-compliance to APRA’s Prudential Standard CPS 234, which contributed to the breach; and

*    Did Medibank effectively respond to the incident from the point when it became known?

93 In her response email to Mr Young of 15 November 2022, Ms Phillips thanked APRA for its suggestions and confirmed that “they will either be considered as part of the detailed scope and approach of this external review, or we have already considered them to be potential future external reviews/internal audits”. Ultimately, the APRA suggestions were not incorporated into the final engagement letter for Deloitte.

94 On 15 November 2022, a virtual Board meeting was held, the minutes of which noted that the Board resolved to approve the appointment of Deloitte to conduct the external review of the Cyber Incident. That same day, Ms Ramsay contacted Mr Gatto seeking legal advice in relation to the engagement of Deloitte and referring to the Deloitte review in the speeches of Mr Koczkar and Mr Wilkins at the Annual General Meeting the following day.

95 Later on 15 November 2022, Mr Gatto says that he “issued” the engagement letter to Deloitte (Deloitte Engagement Letter) to conduct the “first review”. This particular choice of wording suggests that it was not Mr Gatto who drafted the terms of the engagement letter. The engagement letter read:

1     Medibank has engaged King & Wood Mallesons (KWM) to provide confidential legal advice and assistance to it about the legal risks and potential exposures associated with the recent cyber incident.

2     The scope of our advice includes whether, in relation to the recent cyber incident, Medibank or its directors, officers or employees may have, amongst other things, complied with (and continue to comply with) the provisions of the Privacy Act 1988 (Cth) or other Australian privacy laws, breached any contractual or equitable obligations (including obligations of confidence), engaged in misleading or deceptive conduct or breach of disclosure obligations, and/or been negligent in the design or implementation of its IT systems and processes.

3     In addition, at least two class actions against Medibank are being actively investigated by plaintiff law firms (with one class action reportedly expected to be commenced within a week), and the Office of the Australian Information Commissioner has commenced inquiries in relation to the cyber incident. The Australian Federal Police is also conducting an investigation. Accordingly, it is presently anticipated that one or more class actions or regulatory investigations / prosecutions will be commenced against Medibank or others in relation to the incident. We are providing legal advice and assistance to Medibank in relation to these matters.

4     In order for us to provide the legal advice and assistance to Medibank as outlined above, we require Deloitte to provide expert forensic assistance and cyber expertise to us, and we hereby retain you for this purpose.

5     In relation to this retainer, Deloitte is engaged for the dominant purpose of providing assistance to KWM to enable us to provide legal advice and assistance in relation to cyber incident to Medibank.

6     We will be in contact with you separately to discuss the assistance you are to provide to us in more detail, including your proposal to scope and resource the matter (including timing and costs estimates), and the terms and conditions of your engagement.

7     In the meantime, we confirm that the terms of reference for Deloitte’s retainer are to investigate and prepare a report on the following matters:

*    How were Medibank’s IT systems accessed and information removed?

*    What information was accessed? What information was removed?

*    Will the enhancements to Medibank’s IT systems and processes implemented since the incident mitigate the risk of a reoccurrence of the same sort of incident?

*    Are there any recommendations for further enhancements to Medibank’s systems and processes?

8     These terms of reference may need to be adjusted during the course of your engagement. If this is required, we will discuss it with you and confirm any changes in writing.

Communications protocol

9     Because your engagement is being undertaken for the dominant purpose of assisting us to provide legal advice to our client, legal professional privilege will attach to confidential communications engaged in during the course of, or documents created for the purposes of, your engagement.

10     It is important that you keep confidential information regarding the assistance you are providing in connection with this engagement and that legal professional privilege be maintained in any documents and communications that form part of your engagement.

96 Mr Gatto’s evidence as to the Deloitte Engagement Letter was as follows:

KWM required Deloitte to investigate the relevant matters for the following reasons:

(a)     with respect to the first dot point under paragraph 7 of Deloitte's engagement letter, I considered that it was important that KWM obtain a fulsome understanding, in plain English, of what occurred during the Cyber Event, to be able to advise Medibank in relation to the legal issues it was confronting and to be able to effectively represent Medibank in the Anticipated Legal Proceedings;

(b)     with respect to the second dot point under paragraph 7 of Deloitte's engagement letter, I considered this important to understanding the extent of Medibank's potential legal exposure to affected customers and expected that it would be important to Medibank's defence to the Anticipated Legal Proceedings; and

(c)     with respect to the third and fourth dot points under paragraph 7 of Deloitte's engagement letter, I considered that it was relevant for KWM to understand these matters to advise Medibank in relation to the risk of any ongoing and continuing non-compliance with Medibank's legal obligations post the Cyber Event. I also considered, based on my experience advising clients in respect of their engagements with and formal actions taken by regulators (including APRA), that the third and fourth dot points would likely be relevant to advising Medibank in relation to its engagement with the OAIC and APRA and the prospects of one or both of these regulators taking formal action against Medibank, because regulators, in my experience, usually consider it relevant to their decisions as to what investigatory and enforcement action they will take whether there is a material risk of the same or similar thing happening again and whether steps have been taken to mitigate that risk.

97 Early in the morning of 16 November 2022, Ms Phillips received an internal email (the sender is not identified) which stated:

… for what it is worth, I suspect the risk of raising this is that it opens up a can of worms of APRA’s involvement/concerns/capital overlay which probably outweighs any cudos we would get (personally I would use the APRA angle when (if) we release any findings.

98 On 16 November 2022, Medibank’s AGM was held, during which Mr Wilkins and Mr Koczkar relevantly stated the following:

MR WILKINS:     In addition to our ongoing investigations and engagement with the Federal Police and Australian Cyber Security Centre, we have commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers. The appointment has been made in consultation with APRA.

We will share the key outcomes of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation. We are also committed to sharing, where it is safe to do so, what we have learnt from our experience, so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future. …

MR KOCZKAR:     As Mike has announced, the external review to be conducted by Deloitte, in addition to our ongoing investigation, will help us further strengthen our ability to safeguard our customers.

99 On 16 November 2022, after the AGM, Mr Koczkar sent an email to all employees of Medibank:

Hi everyone, …

In addition, we announced that we have commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate, to you, to our customers and our stakeholders.

100 As at the time of the 16 November 2022 AGM, there was no talk of three separate reports, rather just an “external” review involving investigation and the preparation of a report. Only Mr Gatto in his affidavit refers to the external review as “the first review”.

101 After receiving a request from Mr Blatchford to discuss the scope of the review in more detail, Mr Gatto, Mr Lim and Ms Phillips met with Mr Blatchford and others from Deloitte to discuss the external review on 17 November 2022.

102 On 18 November 2022, KWM engaged CrowdStrike directly. Prior to this, CrowdStrike had been engaged by Medibank directly to provide, amongst other things, investigation services and reports as required. The CrowdStrike engagement is discussed further at section 7.2 below.

103 On 23 November 2022, Mr Koczkar emailed an unidentified customer:

We have commissioned Deloitte to complete an external review of the cybercrime and the findings of this review will be taken into consideration by the Board when determining any bonus payments at the end of the 2023 financial year. We will do everything we can to ensure that we learn from this crime and our focus remains on the needs of our customers first and foremost.

104 In late November 2022 to early December 2022, Mr Gatto spoke with Mr Blatchford and Mr Evan Carvouni (both partners at Deloitte) in relation to whether Deloitte had the requisite expertise to undertake a second review focussed on identifying the root cause of the Cyber Incident and a third review focussed on assessing Medibank’s compliance with APP 11.1 and/or CPS 234. Following further consultation with Ms Ramsay and Mr Spencer, Mr Gatto spoke to Mr Carvouni in relation to KWM engaging Deloitte to undertake two further reviews in respect of the root cause of the Cyber Incident and about the scope of these reviews and Medibank’s compliance with CPS 234.

105 On 1 December 2022, the ELT held a meeting. Also on 1 December 2022, the OAIC announced the commencement of a formal investigation into Medibank in respect of the Cyber Incident, on the Commissioner’s own initiative under s 40(2) of the Privacy Act, and served Medibank with a notice to produce documents pursuant to s 44 of the Privacy Act.

106 Medibank published an article on the ‘Features’ section of its website on 1 December 2022 entitled ‘A letter to our customers’ that Mr Koczkar approved. The letter was also published in media publications around Australia, and relevantly stated:

We’re working alongside the best cyber security experts to ensure our systems are better protected. We’ve improved our capability to block overseas and untrusted network access, and added advanced threat monitoring. We are also supporting the Australian Federal Police, who are actively monitoring the internet and known criminal online sites to identify those who are buying or selling stolen information. …

We’ve commissioned Deloitte to carry out an external review of recent events. This review will help inform the changes we make as a company and, where we can, we will openly share its findings with the broader community. It’s not just data that’s affected. It’s people. People we care for, and whose health and wellbeing remains our absolute focus. …

107 Ms Ramsay’s evidence was that throughout December 2022, KWM advised Medibank in relation to the scope of the reviews to be undertaken by Deloitte for the purpose of preparing the RCA Report and the CPS 234 Report. Deloitte commenced work on the PIR Report on or about 2 December 2022.

108 The Board meeting held on 14 December 2022, was attended by two staff from Deloitte, Mr Gatto, Mr Lim and Ms Charlston from KWM, and Ms Phillips, Mr Rogers, Ms Ramsay and a number of people from Medibank’s management. All were present for the Cyber Incident update given at the meeting. Ms Ramsay informed the meeting that she had instructed KWM to engage Deloitte to undertake the reviews the subject of the RCA and CPS 234 Reports.

109 On 14 December 2022, Mr Koczkar sent an email to an unidentified Medibank customer, copied to Mr Wilkins, which stated:

We have commissioned Deloitte to complete an external review of the cybercrime in addition to our ongoing investigation and the criminal investigation being undertaken by the Australian Federal Police. We will do everything we can to ensure that we learn from this crime and our focus remains on the needs of our customers first and foremost. …

110 On 15 December 2022, Becky Hyde (Senior Executive Corporate & Overseas Business at Medibank) sent an email responding to a question asked by Rio Tinto: ‘will Medibank be undertaking a cyber security review of their service providers/vendors (e.g. Doctors on Demand)?’. Ms Hyde responded:

[Redacted] Deloitte. This review will ensure that we learn from this cyber attack and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate, having regard to the interests of our customers and stakeholders [Redacted], Australian Federal Police [Redacted]. We are also committed to sharing, where it is safe to do so, what we have learnt from our experience, so that Australian businesses and the broader community can be better placed to navigate any similar challenges in the future. The learnings from this will be extended to Medibank’s enterprise-wide partners and if required we will make updates to our assessments to ensure they meet Medibank requirements.

111 Sometime after the OAIC launched its investigation, Mr Gatto was of the view that KWM required immediate technical cyber security assistance in order to advise in relation to its response to the OAIC investigation. In mid to late December 2022, Mr Gatto recommended to the Medibank legal team that KWM engage Threat Intelligence (Medibank’s standing DFIR partner as at the date of the Cyber Incident, which assisted the Medibank IT security team in responding to the Cyber Incident) to provide KWM with ongoing cyber security expert consultancy services in relation to various matters arising from the Cyber Incident, in order for KWM to provide ongoing legal advice and legal assistance to Medibank. KWM entered into a separate engagement with Threat Intelligence on or around 22 December 2022.

4.2.4    January 2023 to June 2023

112 Medibank customer support staff also informed Medibank customers directly of the external review being undertaken by Deloitte in response to queries for financial compensation in relation to the Cyber Incident. In an email dated 4 January 2023, a Medibank customer support staff member stated in response to a customer email:

Since the cyberattack, we have prioritised preventing further unauthorised entry to our IT network and are continuing to monitor for any further suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties. We have not seen any suspicious activity since 12 October.

In addition to this, we have also commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cybercrime and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate with our customers and stakeholders.

113 On 11 January 2023, KWM issued a letter of engagement for the RCA Report to Deloitte, and a separate letter of engagement to Deloitte in respect of the CPS 234 Report.

114 Ms Ramsay’s evidence was that Deloitte commenced the RCA Report review in around mid to late January 2023, and the CPS 234 Report on or around 30 January 2023.

115 Another Board meeting was held on 9 February 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, three KWM partners and around 14 Medibank management staff, many of whom were not lawyers. The agenda for the meeting lists as item 1.1 the “Cyber Incident Update” which included a “Deloitte review update”.

116 Medibank released its 2023 half year results on 23 February 2023, together with an investor presentation about the results the same day. Both publications referred to the ongoing external review being conducted by Deloitte.

117 Another Board meeting was held on 11 April 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, two KWM partners, including Mr Gatto, and around eight Medibank management staff, most of whom were not lawyers. The agenda for the meeting shows as item 1.2 the “Deloitte Report”. The minutes record Mr Blatchford and Mr Carvouni speaking about the “Deloitte Report” and answering questions from the Board. A copy of this report, the PIR Report, was provided to APRA on 12 April 2023.

118 Another Board meeting was held on 16 May 2023. Prior to the meeting, a copy of the RCA Report was provided to the Board on 10 May 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, two KWM partners and Ms Phillips, Mr Rogers, Mr Loizou and Mr Greg Gokavi-Whaley (Medibank’s Chief Risk Officer and Senior Executive). The minutes for the meeting show as item 1 the “Deloitte Root Cause Analysis Report”. Mr Blatchford and Mr Carvouni are recorded as speaking about this Report and answering questions from the Board.

119 On 17 May 2023, Ms Ramsay received from Mr Gatto a further and final version of the RCA Report which had been amended following the 16 May Board meeting.

120 On 23 June 2023, KWM provided a copy of Deloitte’s CPS 234 Report to the Board of Medibank under the cover of a letter of the same date. The letter stated:

Pursuant to those engagements, we now enclose for your information a copy of the Deloitte ‘APRA Prudential Standard CPS 234’ report. We are currently considering this report for the purposes of providing legal advice to Medibank.

Please note that this letter and the attached report are confidential and subject to Medibank’s legal professional privilege.

121 A Directors’ meeting was held on 26 June 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, including Mr Carvouni, two KWM partners including Mr Gatto, and a large cast of Medibank management staff, including Ms Phillips and Mr Rogers, most of whom were not lawyers. The minutes for the 26 June 2023 meeting recorded:

APRA MEETING UPDATE (No. 1)

The Chair provided an update on the meeting he and the CEO attended with APRA on the afternoon of Friday 23 June 2023, noting the APRA attendees were Suzanne Smith (Member) and Sean Carmody (Executive Director). The Chair advised that APRA had indicated that it may soon be in a position to advise the Board of APRA’s response to Medibank’s October 2022 cyber incident, and that APRA’s position may include a potential APRA Supervisory Adjustment with no quantum specified. The Chair noted that APRA had requested another meeting with the Chair and CEO in the late afternoon of Monday 26 June 2023.

CYBER INCIDENT UPDATE

1.1 Deloitte Report

The Board noted the letter from King & Wood Mallesons (KWM) addressed to Medibank and the Board dated 23 June 2023 in which KWM referred to their engagement by Medibank to provide legal advice and legal assistance in relation to last year’s cyber incident, and KWM’s subsequent engagement of Deloitte to provide expert assistance for that purpose, as detailed in KWM’s letter to Deloitte dated 11 January 2023 and Deloitte’s letter to KWM dated 12 January 2023. Pursuant to those engagements, KWM noted that it had provided to Medibank and the Board for its information a copy of the Deloitte ‘APRA Prudential Standard CPS 234’ report (Report). KWM further noted that it was currently considering the Report for the purposes of providing legal advice to Medibank, and that KWM’s letter and the Report are confidential and subject to Medibank’s legal professional privilege.

Mr Carvouni and Mr Lee spoke to the Report and answered questions from the Board.

122 A Board of Directors’ Meeting was held on 27 June 2023. In addition to the Board and Ms Ramsay, this meeting was attended by two people from Deloitte, two KWM partners including Mr Gatto, and a number of Medibank management staff, including Ms Phillips and Mr Rogers, most of whom were not lawyers. The agenda for the 27 June 2023 meeting recorded both KWM and Deloitte as the ‘presenter’ of the ‘Deloitte Report’.

123 The papers for the 27 June 2023 meeting included Mr Koczkar’s CEO report, dated 27 June 2023. Item 2 of the CEO Report is titled ‘[REDACTED]’ and includes the following dot point:

[REDACTED]

124 As the extent of involvement of APRA assumed some prominence in the question of whether legal professional privilege subsisted in the Deloitte Reports, I have set out the chronology of APRA’s involvement separately below.

125 Medibank first notified APRA of the Cyber Incident on 13 October 2022. Medibank Board briefing papers from 14 December 2022 record that Medibank had held twice weekly meetings with APRA since 21 October 2022 to provide updates about Medibank’s response, impacts and business continuity plans.

126 On the morning of 15 November 2022, Ms Phillips sent Mr John Huijsen (General Manager Insurance, Insurance Division of APRA) an email headed “External Review”, referring to their conversation late the day before, and advised APRA that:

(a)    KWM had been engaged to act on Medibank’s behalf and appoint an external provider to perform a review into the Cyber Incident;

(b)    After consideration of a number of advisers, Deloitte had been chosen to conduct that review;

(c)    Medibank intended to announce the appointment of Deloitte at the AGM the next day; and

(d)    Ms Phillips, as Senior Executive Internal Audit, would lead the review from the Medibank side.

127 Ms Phillips’ 15 November 2022 email to APRA noted:

The draft terms of reference for this engagement include the investigation and preparation of a report on the following matters:

1. How were Medibank’s IT systems accessed and information removed?

2. What information was accessed? What information was removed?

3. Will the enhancements to Medibank’s IT systems and processes implemented since the incident prevent a reoccurrence of the same sort of incident?

4. Are there any recommendations for further enhancements to Medibank’s systems and processes?

Prior to us making any announcement at the AGM, we welcome any queries or comments APRA may have in relation to our proposed course, in particular our preferred external provider, the high level of governance structure we will have in place, and the draft terms of reference.

128 Later that morning, Mr Young and Ms Phillips had a telephone conversation. In the afternoon of 15 November 2022, Mr Young emailed Ms Phillips in response, and confirmed APRA had no objection to Deloitte’s appointment and had “no further comment on the governance arrangements”. APRA then provided some comments on the draft terms of reference. In particular, APRA suggested the following words italicised below be added to the terms of reference set out in Ms Phillips’ email:

1. How were Medibank’s IT systems accessed and information removed, together with a timeline/sequence of events; What specifically was the root cause, series of weaknesses, and/or control deficiencies which facilitated the breach, and was there anything that could have alerted Medibank to the control weakness and/or breach prior

2. What information was accessed? What information was removed? Identify the areas of non-compliance to APRA’s Prudential Standard CPS 234, which contributed to the breach

3. Will the enhancements to Medibank’s IT systems and processes implemented since the incident prevent a reoccurrence of the same sort of incident? Did Medibank effectively respond to the incident from the point when it became known?

4. Are there any recommendations for further enhancements to Medibank’s systems and processes?

129 In the evening of 15 November 2022, after the letter of engagement had been sent to Deloitte, Ms Phillips replied to Mr Young and confirmed that APRA’s suggested amendments/additions would either be considered as part of the detailed scope and approach of the external review (which Deloitte had already been engaged to undertake) or had already been considered for inclusion in potential future external reviews or internal audits. Ms Phillips noted that Medibank intended to announce its preferred external provider (Deloitte) at the AGM the next day, and asked Mr Young whether APRA would be comfortable with Medibank mentioning it had consulted with APRA on the appointment of Deloitte. Mr Young responded by email later that evening, stating that APRA was comfortable with Medibank mentioning it had been consulted, and seeking clarification as to whether there was a chance that any of the scope items that may fall into the category of potential future reviews would not be undertaken.

130 On 16 November 2022, Mr Young emailed Ms Phillips:

Further to my email, I called and left a message with you this morning to discuss your feedback to our suggested amendments. I understand that you will be very busy this morning, and would like to discuss the items below when time permits.

Items for clarification include:

1.    Given that Internal Audit have a role meeting the requirements of Prudential Standard 234 (e.g., providing assurance over controls), we would like to understand how independence will be maintained if scope items are not included in this independent review.

2.     Our preference would be for all scope items to be included in the independent review.

3.    Please can you provide the procedures/steps that will be followed by the internal audit so as to ensure it will be independent both in the role of managing the review, and in addressing these scope items.

131 On 18 November 2022, Mr Wilkins and Mr Koczkar received legal advice from Ms Ramsay in relation to the scope of the terms of reference of the external review and the governance arrangements concerning the external review, and APRA’s comments on those matters.

132 On 21 November 2022, Ms Ramsay provided further advice to Mr Koczkar in relation to the scope and sequencing of up to four potential investigations to be conducted as part of the external review, being the IT focussed investigation which ultimately led to the production of the PIR Report discussed above, a second investigation adopting a “root cause analysis” which led to the production of the RCA Report, a third investigation into Medibank’s compliance with APRA Prudential Standard CPS 234 which led to the production of the CPS 234 Report, and a fourth proposed investigation which did not eventuate.

133 On 25 November 2022, Mr Wilkins and Mr Koczkar received further legal advice from Ms Ramsay in relation to APRA’s comments on the scope of the terms of reference of the external review and the governance arrangements concerning the external review. On that same day, Mr Wilkins and Mr Koczkar had a virtual meeting with Ms Suzanne Smith (Executive Board Member at APRA) and Mr Sean Carmody (Executive Director, Insurance Division at APRA) where they discussed the proposed terms of reference of the external review. During that discussion, Mr Wilkins and Mr Koczkar proposed, and Ms Smith and Mr Carmody ultimately agreed, to the external review being sequenced to ensure the timely flow of information; first looking at what happened, and then looking at what the root cause was and Medibank’s compliance with APRA prudential standard CPS 234. According to Mr Koczkar, it was also agreed during this meeting that Medibank would provide APRA the results of its external review on the basis that Medibank maintained its claim of privilege over any such material.

134 On 25 November 2022, Ms Phillips replied to Mr Young’s email of 16 November 2022:

*    In relation to the procedures/steps that will be followed we have taken on board your comments regarding the proposed governance structure and have appointed the Medibank legal team to act as the internal facilitator of the external review. Going forward, your contacts for this review will be Mei Ramsay, Group General Counsel and Ashley Spencer, Senior Executive, Legal & Governance.

*    In addition, the proposed project governance structure will see Deloitte have direct access and reporting into the Medibank Board, and Deloitte will be working through KWM for outcome discussions and reporting.

*    In relation to your suggested amendments, a time line/sequence of events will form part of the external review, as will aspects of your second bullet point regarding underlying causes and details of the technical incident response. Deloitte's initial focus will be on identifying the relevant events and circumstances relating to the cyber incident. The plan is to do this by 'following the attack path' from the attacker's initial point of entry through to data exfiltration, along with the associated incident response and remediation actions undertaken to prevent reoccurrence. This will include an identification of the IT and technical measures Medibank had in place and how these were bypassed by the attacker. We think it is an important first step that this initial piece of work be undertaken to establish the facts and circumstances before other qualitative assessments are completed (such as a CPS234 assessment).

*    Having established the relevant events and circumstances, Deloitte will go on to identify the enhancements which Medibank has introduced to its IT systems and processes since the incident and then determine whether these enhancements would prevent the reoccurrence of the same type of incident.

*    The alignment of outcomes or impact to requirements set out in CPS234 will follow the finalisation of the initial phase of Deloitte's work. We are continuing to think about how the CPS234 assessment can best be performed, noting there are other rapidly evolving factors which need to be taken into account in the way we move forward with the Deloitte review, the CPS234 assessment and any other similar processes (including the AFP's ongoing criminal investigation and the significant and real class action risk the subject of recent media coverage). We will consult with you once our approach to CPS234 is more developed. We will also share with you the results of our CPS234 assessment.

*    For similar reasons, an assessment of the crisis management response processes will also likely be kept separate (and we think this probably requires a different set of expertise to that possessed by the Deloitte team).

135 On 26 November 2022, Mr Carmody emailed Mr Koczkar, referring to their telephone conversation over the weekend, and setting out key elements required by APRA in the Deloitte review:

*    An assessment of whether the incident revealed any areas of non-compliance with APRA’s Prudential Standard CPS 234 (note that APRA does not require a full CPS 234 review, rather the focus should be on the specific factors relating to the incident itself - for example, if the review revealed that a control failed and that this control had not been subject to systematic testing this may constitute a breach of paragraph 27)

*    Assessment of how effectively Medibank responded to the incident (including considering CPS 234 paragraphs 23 to 26 requirements for robust plans and mechanisms to manage all stages, starting from the ability to detect, to respond, escalate and report to appropriate stakeholders including governing bodies, through to post-incident review)

*    Could Medibank have identified any control weaknesses that allowed the incident to occur earlier (this includes consideration whether there were any internal alerts not responded to as was suggested in the media in relation to MFA weaknesses)?

We would appreciate it if you could confirm in writing that these scope areas will be addressed by the review in order to allow us to proceed with the media release on Monday. We don’t want to be in a position to have to say that the scope of the review does not meet our requirements.

One further consideration which we did not discuss on our call today is that very often when third party reviews are undertaken by regulated entities we conduct a number of “tri-partite” meetings which allows APRA to have direct engagement with the third party review. Taking this approach with the Deloitte review would be helpful and would help to ensure that our scope items are adequately addressed. Direct discussions with Deloitte reduce the risk that anything is lost in translation. We’d be keen to arrange this as the review gets under way.

(Emphasis in original.)

136 On 27 November 2022, Mr Koczkar responded to Mr Carmody’s email, referring to a telephone conversation they had on 26 November 2022, and stating:

We really appreciate your engagement with Medibank and input into the scope of the external review. I also appreciate the teams meetings we had last week and the opportunity to understand some background into APRA's deliberations.

As discussed, I can confirm that the scope of the external review will cover the matters you have noted below in your email. As you have also noted the review will need to be sequenced, and as a result will be commissioned as a number of separate reviews.

To address each of your bullet points below, we intend to:

*    conduct an assessment of whether the incident revealed any areas of non-compliance with CPS 234 on the terms noted in bullet point one of your email;

*    address the question as to how effectively Medibank complied with paragraphs 23 to 26 of CPS 234, being bullet point two of your email; and

*    address the question of whether Medibank could have identified any control weaknesses that allowed the incident to occur earlier, including the matters noted in bullet point three of your email.

In relation to your final point regarding holding a number of ‘tri-partite’ meetings, we are comfortable to do so, and will let Deloitte know to expect the meetings.

Finally, I wish to reiterate Medibank’s commitment to working constructively and cooperatively with APRA to ensure we meet APRA’s expectations. As always, if you have other suggestions as to how we can achieve this objective, then I would be very appreciative to hear those from you.

137 In an email sent to Ms Phillips on 28 November 2022 after the virtual meeting, Mr Young noted that following discussions between Mr Carmody and Mr Koczkar:

“David has committed to APRA that the review scope will include the following key elements:

*    An assessment of whether the incident revealed any areas of non-compliance with APRA’s Prudential Standard CPS 234 (note that APRA does not require a full CPS 234 review, rather the focus should be on the specific factors relating to the incident itself – for example, if the review revealed that a control failed and that this control had not been subject to systematic testing this may constitute a breach of paragraph 27)

*    Assessment of how effectively Medibank responded to the incident (including considering CPS 234 paragraphs 23 to 26 requirements for robust plans and mechanisms to manage all stages, starting from the ability to detect, to respond, escalate and report to appropriate stakeholders including governing bodies, through to post-incident review)

*    Could Medibank have identified any control weaknesses that allowed the incident to occur earlier (this includes consideration whether there were any internal alerts not responded to as was suggested in the media in relation to MFA weaknesses)?”

138 In this same 28 November 2022 email, Mr Young also noted that Medibank agreed to APRA participating in “tri-partite” sessions with Deloitte, which he noted “as is typical for APRA in cases like this”.

139 On 28 November 2022, APRA published a media release in relation to Medibank’s Cyber Incident (28 November 2022 APRA Release). The release relevantly stated:

APRA has been working alongside Medibank and other government agencies in response to the cyber incident reported last month. Medibank has been open and cooperative with APRA during this time.

APRA Member Suzanne Smith confirmed that APRA has informed the scope of the external review announced by Medibank on 16 November to ensure that it will meet APRA’s requirements. This review, to be conducted by Deloitte, will examine the incident itself, control effectiveness and the response of Medibank.

Ms Smith said: “While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear.”

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.

(Emphasis added.)

140 Following this, Medibank published an ASX announcement (28 November 2022 ASX Announcement) acknowledging the APRA media release and stating that:

Medibank CEO David Koczkar said: “Since we detected this cybercrime we have been in regular consultation with APRA.

“Given the nature of this event we believed it was important to have an external review which we announced at our Annual General Meeting on 16 November 2022. As part of our engagement, Medibank consulted with APRA on the scope of the external review we commissioned Deloitte to undertake.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.

“Our absolute focus is to continue to support and protect our customers through this time.

“Safeguarding our customers’ data is a responsibility we take very seriously, and we will continue to support all people who have been impacted by this crime.

“Our dedicated Cyber Response Support Program is providing customers with mental health and wellbeing support, identity protection services and financial hardship measures.

“Medibank will continue to work with APRA in a transparent and cooperative way as well as with the Australian Government, Australian Federal Police and Australian Cyber Security Centre.

141 On 29 November 2022, Ms Phillips sent an email to Mr Young in which she stated:

[a]s noted in your email, we intend to cover the scope of the work by way of a number of separate discrete external reviews. Deloitte has been commissioned to undertake the first such review. […] We will then look to commission reviews to assess whether the incident revealed any areas of non-compliance with CPS 234…

142 There was further email correspondence between APRA and Medibank directed to the scope of the external review from 30 November 2022. On 30 November 2022, Mr Huijsen wrote to Ms Phillips:

I mentioned to Greg Gokavi-Whaley at our regular catch up yesterday that APRA would like to meet Medibank on this topic, so we are clear on the various review scopes and timings.

Based on our discussions with David and Mike [Wilkins], APRA understands the rationale for individually commissioning the separate phases of the investigation.

However, given the importance of the full range of scope items it is our expectation that, even if some elements are conducted sequentially, that the engagement and planned dates are locked in as soon as possible rather than waiting to an as yet unspecified date before anything is committed to.

Another important point is that we have reservations about separating out all of the assessment of potential non-compliance with CPS 234.

While there may be good grounds for separating the assessment of Medibank’s response to the incident, the analysis of the incident itself would naturally consider the effectiveness of Medibank’s controls and we would consider it appropriate to include in that assessment consideration of the expectations of CPS 234, such as for systematic testing of controls. This point is one that we believe could be addressed through a tri-partite meeting with Deloitte, so we would also be keen to get the first of these scheduled as soon as possible.

143 On 1 December 2022, Mr [REDACTED] of APRA emailed a staff member of Medibank:

As foreshadowed at our catchup on Tuesday and correspondence yesterday between John Huijsen and Karen Phillips, we would like to arrange a meeting next week to discuss the approach, scope and timing of the external review(s) being conducted by MPL.

I’ll confirm APRA attendees in due course, but expect to have representatives from our Operational Resilience area and our supervision team. We understand MPL is forming a PMO (or similar) function to govern the external review(s), representation from which would presumably be useful, but we’ll leave it to MPL to determine relevant attendees.

144 On 6 December 2022, Mr Huijsen sent an email to Ms Ramsay thanking her for the opportunity to discuss the external report and clarifying what was required by APRA as Medibank’s prudential regulator:

Further, upon reflection, we feel that combining all items into a single report would facilitate timely communication of the findings and be able to be covered by the single provider (Deloitte).

To clarify, APRA requires the following areas to be in scope:

*    How were Medibank’s IT systems accessed and information removed, together with a timeline/sequence of events?

*    What specifically was the root cause, series of weaknesses, and/or control deficiencies which facilitated the breach, and was there anything that could have alerted Medibank to the control weaknesses and/or breach prior.

*    What information was accessed? What information was removed?

*    Identify the areas of non-compliance to APRA’s Prudential Standard CPS234, which contributed to the breach (not a full CPS234 review).

*    Will the enhancements to Medibank’s IT systems and processes implemented since the incident prevent a reoccurrence of the same sort of incident?

*    Did Medibank effectively respond to the incident from the point when it became known?

*    Are there any recommendations for further enhancements to Medibank’s systems and processes?

145 In the same 6 December 2022 email, Mr Huijsen noted that it was APRA’s preference to have visibility of known findings prior to the Christmas break, with a final report to be received by APRA in January 2023.

146 On 8 December 2022, Mr Huijsen met with Ms Ramsay to discuss the scope of the review. Mr Gatto did not attend this meeting, but his evidence is that he discussed it with Ms Ramsay both before and after the meeting.

147 After the 8 December 2022 meeting, Mr Huijsen emailed Ms Ramsay summarising APRA’s understanding of the discussion, with the boldened text appearing to be additional notes by APRA (8 December 2022 Email):

APRA messages:

*    Acknowledge MPL has motivations to compartmentalise elements of the external review.

*    Encourage a sense of urgency to the work being completed, ensure as much work as possible being done in parallel.

*    Expect to be informed of any known findings prior to the 23rd of December.

*    A complete review of CPS 234 compliance is not required, but rather, consideration of CPS 234 should be a focused assessment of the incident.

*    End to end life cycle of incident response will be integral to consideration of CPS 234 compliance.

*    Work to assess CPS 234 compliance should also reflect on the existence, if any, of known weaknesses which contributed to the incident.

*    May need to adjust requirements as the review evolves, and expect prompt notification of any material findings.

Medibank messages:

*    Appreciate APRA’s input to the scope and conduct of the External Review.

*    Commit to all seven points (previously communicated by APRA) being within scope for the External Review.

*    Acknowledge it is a significant body of work for Deloitte to undertake and MPL does not have absolute control over the timing of deliverables.

*    Thinking has progressed since AGM on the best way to structure the External Review to protect the company.

*    Review will be completed and presented as three separate reports (colloquially: IT Incident Review, Root Cause Review, Compliance with CPS234).

*    APRA will be provided with all reports and findings, regardless of intention to maintain legal professional privilege over contents.

Agreed outcomes:

*    Medibank to provide APRA with written scope of “IT Incident Review”. APRA requests this be provided via email ASAP, so that it can be considered prior to our meeting with Deloitte.

*    APRA to meet with Deloitte prior to the scheduled board meeting on the 14th/15th of December. APRA will contact MPL regulatory affairs team to facilitate this.

*    APRA legal to meet with MPL legal to discuss assurances APRA can provide around legal professional privilege. APRA will contact MPL regulatory affairs team to facilitate this.

*    Meeting on 16th December will include: MPL Chair, MPL CEO, APRA Member, APRA Executive Director Insurance. Arrangements have already commenced.

148 Mr Huijsen’s 8 December 2022 Email is the first recorded mention of legal professional privilege in the correspondence between APRA and Medibank.

149 Ms Ramsay responded by email to Mr Huijsen on 9 December 2022:

Thank you again for your time yesterday, and for clarifying the areas APRA requires to be in scope of the external review to be conducted by Deloitte. Medibank appreciates your engagement and input and wishes to ensure that the scope of the reviews meets APRA’s expectations.

In response to the points you make in your email:

*    Thank you for acknowledging and agreeing to our approach to managing the commissioning of the various reviews. As discussed, Medibank will be engaging Deloitte to perform the work under three separate engagements and each engagement will result in a standalone report. As you note, the 3 reviews are colloquially know as [sic]: IT Incident Review (which Deloitte has already commenced), Root Cause Review and Compliance with CPS234.

*    Medibank will provide APRA with the findings from the three reports in a manner to be agreed in order to protect legal professional privilege in the contents to the greatest extent possible.

*    We have commenced discussions with Deloitte on the 2 additional engagements and as part of those discussions conveyed to Deloitte the sense of urgency for the work to be completed as soon as possible and where possible to ensure the work is being done in parallel. However, a s [sic] you have highlighted below, the reviews represent a significant body of work for Deloitte to undertake and Medibank does not have absolute control over the timing of deliverables.

*    We are working with Deloitte as a matter of urgency to agree the scope for the two additional engagements, and have discussed the following broad outline with Deloitte:

*    Root Cause Review: To the extent relevant to the events and circumstances identified in the IT Incident Review and applying a root cause analysis methodology, in Deloitte’s opinion what was the root cause of the incident?

*    Compliance with CPS234 Review: To the extent relevant to the events and circumstances identified in the IT Incident Review, in its opinion has Deloitte identified areas of non-compliance with APRA’s Prudential Standard CPS234 which contributed to the breach, including in the end-to-end life cycle of the incident response in the context of compliance with paragraphs 23 to 26 of CPS 234?

*    We acknowledge that APRA may need to make adjustments to their requirements as the review evolves and will promptly notify APRA of any material findings as we become aware of them.

In relation to the agreed next steps:

*    I attach the written scope of the “IT Incident Review”. This is provided on a confidential basis for the limited purpose of APRA understanding the scope of this Review, and Medibank expressly reserves legal professional privilege in this document and the Review itself. Please note that we are discussing with Deloitte whether it is necessary and/or preferable (especially from a timing perspective) to expressly add an examination of the events and circumstances of the incident response to the IT Incident Review or whether this fact-finding work should be undertaken in the Compliance with CPS 234 Review.

*    Our Regulatory Affairs team will facilitate the tripartite meeting with Deloitte and the Medibank/ APRA legal meeting.

*    I note that arrangements have already commenced for the 16th December meeting between our Chair and CEO and the APRA Member and APRA Executive Director Insurance.

Once again thank you for your time yesterday. I wish to reiterate Medibank’s commitment to working constructively and cooperatively with APRA to ensure we meet APRA’s expectations.

150 On 12 December 2022, APRA representatives met with Deloitte personnel and Ms Ramsay to discuss the external review. In an email to Ms Ramsay dated 13 December 2022, Mr Huijsen summarised the discussion as follows:

*    APRA’s requirements for the external review, initially shared with Medibank in mid-November 2022, were recently shared with Deloitte. In addition to the IT Incident Review, the scope for which was provided to APRA last Friday 9 December, a Root Cause Review and Compliance with CPS234 Review will operate in conjunction to provide coverage of the seven points raised by APRA …

*    Deloitte and Medibank indicated that scopes for these reviews, including consideration of 4 Matters not included at this time in the scope provided, could be finalised within the next 24 hours and a copy provided to APRA for review and feedback. The review work will be undertaken concurrently rather than consecutively to achieve timely completion. Work required to be undertaken is not being held up in the interim.

*    Deloitte indicated that reliance will be placed on other reviews already completed, to the extent it was appropriate to do so, including sample testing to verify outcomes.

*    APRA’s urgency for the external reviews to provide insights was understood. Findings are unlikely to be available before Christmas, however a meeting between Medibank, Deloitte and APRA will be arranged for late next week (target Thursday 22 December) for APRA to gain a progress update on the reviews.

(Emphasis in original.)

151 On 13 December 2022, Mr [REDACTED] of APRA sent an email to Mr Robert Urquhart of Medibank:

We are proposing to cancel the existing series of recurring meetings as we shift our focus to the external review, which will likely feature one or two more bespoke update meetings before we settle into some sort of routine for progress updates against findings.

So, to summarise:

*    I will cancel the recurring Tues/Thurs meetings

*    We will continue to work on arranging the meeting with APRA legal to discuss LPP

*    APRA, MPL and Deloitte agreed to meet on the 22nd of December for a progress update

(Emphasis added.)

152 During the week commencing 12 December 2022 until 19 December 2022, Mr Gatto worked with Ms Ramsay, Mr Spencer and Mr Carvouni to finalise the scope of the Deloitte RCA and CPS 234 reviews and KWM’s letters of engagement. Mr Gatto deposed that, in preparing the scope for the RCA and CPS 234 reviews, he had regard to APRA’s investigatory, enforcement and other powers as Medibank’s prudential regulator, as well as Medibank’s discussions and correspondence with APRA. At the time, Mr Gatto believed that the substance of the matters which APRA had indicated it considered should be included in the scope of these two reviews was already going to be covered by the scope he had originally conceived back in November 2022. Mr Gatto stated that he nevertheless considered it would be beneficial for Medibank’s overall engagement with APRA to include wording which APRA had requested, provided it did not materially add to or alter the scope he had originally conceived.

153 Email correspondence between APRA and Medibank referred to a meeting being arranged on 16 December 2022, at which Mr Wilkins and Mr Koczkar would provide a briefing to APRA Executives Ms Smith and Mr Carmody, following the Medibank Board’s engagement with Deloitte.

154 On 19 December 2022, Mr Spencer provided to APRA a copy of the draft KWM engagement letters in respect of the RCA and CPS 234 reviews.

155 On 21 December 2022, Mr Russell attended a virtual meeting with Mr Spencer, Mr Huijsen and other representatives of APRA, where they discussed the basis upon which Medibank would be prepared to share confidential information concerning the Cyber Incident with APRA (including the Deloitte Reports), for the purpose of APRA’s prudential supervision of Medibank, where that information was subject to claims for legal professional privilege.

156 During this 21 December 2022 meeting, the APRA representatives confirmed that APRA would be content to receive information subject to claims for legal professional privilege on a confidential basis for a limited and specific purpose, that they would not contend that this amounted to a waiver of privilege, and that they would assist with any reasonable request from Medibank if privilege claims were challenged. During this meeting, the APRA representatives indicated that they would confirm APRA’s position in writing in the new year.

157 On 15 February 2023, Mr Huijsen of APRA emailed a letter to Ms Ramsay (15 February 2023 Letter), stating:

I refer to the recent conversations on 21 December 2022 between APRA and Medibank Private Limited (MPL) with regards to certain information relating to the recent data incident that is held by MPL which it claims are subject to legal professional privilege (LPP).

MPL has agreed to provide the LPP information to APRA on a limited and confidential basis with the intention to preserve claims of privilege. In a manner consistent with the maintenance of claims of privilege, APRA agrees:

*    to maintain strict confidentiality in the information while it reviews the information for purposes related to its prudential regulation (acknowledging existing statutory secrecy obligations on APRA staff);

*    that the disclosure of the information to APRA is not a waiver of any privilege existing at the time of the information disclosure to APRA;

*    to assist with any reasonable request, in the event a claim for LPP is challenged due to the provision of the information to APRA;

*    to notify you as soon as reasonably practicable should APRA be legally compelled to disclose the information.

158 On 12 April 2023, Mr Gatto provided a copy of the PIR Report to APRA.

159 On 28 April 2023, Medibank issued the press release titled, ‘Cybercrime update – Deloitte incident review’ (28 April 2023 ASX Announcement). This press release stated the following:

On 23 February 2023, as part of its HY23 financial results presentation, Medibank outlined the circumstances surrounding how the criminal accessed its systems, what it had done in response and its key focus areas going forward, including shutting down the attack path and strengthening its security environment.

Deloitte has been conducting an external incident review into the circumstances surrounding the cybercrime event. Medibank confirms that it has now been provided with Deloitte’s findings from that review.

Deloitte has made recommendations to enhance Medibank’s IT processes and systems. A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.

Medibank will also continue to review its cyber security governance arrangements, recognising the increasing prevalence of cybercrime and the need to meet the ongoing expectations of our customers.

This cybercrime remains the subject of a criminal investigation. Medibank continues to work with the Australian Federal Police, the Australian Government and regulators. As previously committed, Medibank will continue to share lessons from the cybercrime with other Australian businesses, where it can.

Medibank Chair Mike Wilkins said:

“This cybercrime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve.

“Medibank has completed a range of enhancements to meet this expectation and the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further.

“From the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

(Emphasis in original.)

160 On 17 May 2023, Mr Gatto provided the final version of the RCA Report to APRA.

161 At a Medibank Board of Directors meeting on 26 June 2023, Mr Wilkins provided an update on the meeting with APRA that he had attended with Mr Koczkar on 23 June 2023. The Board minutes record that Mr Wilkins advised that APRA had indicated that it may soon be in a position to advise the Board of APRA’s response to the Cyber Incident. Mr Wilkins noted that APRA had requested another meeting with him and Mr Koczkar in the late afternoon of 26 June 2023. The minutes for the resumption of the Board meeting at 5.45 pm on 26 June 2023 record a further update from Mr Wilkins on the meeting with APRA that he and Mr Koczkar had attended at 5.15 pm that afternoon. Mr Wilkins advised that APRA indicated it would be issuing a letter to Medibank later that day outlining APRA’s response to the Cyber Incident. The Board requested management to prepare a draft ASX announcement for the Board’s review once the letter from APRA had been received.

162 The minutes for the resumption of the Board meeting on the morning of 27 June 2023, record that the Board noted a letter received from APRA dated 26 June 2023 and the draft APRA media release, which was issued on 27 June 2023, and discussed the content of the APRA letter and media release. The Board noted the draft ASX announcement entitled ‘Medibank Response to APRA Announcement’ tabled by management at the meeting and provided feedback on the draft announcement. The Board resolved to approve the draft ASX announcement, subject to the suggested updates from the Board being incorporated, and the release of the announcement to the ASX.

163 No copy of the APRA letter of 26 June 2023 was in evidence. No witnesses from APRA were called by Medibank.

164 Mr Gatto provided a copy of the CPS 234 Report to APRA on 28 June 2023.

5.    Submissions

165 The applicants submitted that none of the engagements, Contested Documents, nor the CyberCX and Coveware Communications are (or ever were) privileged.

166 The applicants identified five discrete non-legal purposes for the engagements of the Cyber Experts. These purposes include:

(1)    Operational purpose — to ascertain the cause and extent of the data breach, as well as to contain it and determine appropriate preventative actions to stop future cyber incidents;

(2)    Governance purpose — for the business and Board to discharge its oversight functions, including in relation to overseeing regulatory compliance and other obligations, performance, and consequence management and remuneration outcomes for executives;

(3)    APRA purpose — to address concerns raised by APRA and to satisfy the regulator’s requests for information, thereby avoiding an independent APRA review of the Cyber Incident;

(4)    ASX purpose — to update the ASX and assuage market concerns; and

(5)    Public relations purpose — to communicate with and assuage concerns of customers and shareholders, and the community more generally, by showing that Medibank was looking to learn from the Cyber Incident to safeguard its customers’ information.

167 I refer to Medibank’s purpose of obtaining legal advice, or for use in litigation or regulatory investigations or proceedings, as the legal purpose. For the purpose of the analysis, I will group the latter two purposes together as the ASX/PR purpose. These communications, whether they be ASX announcements, emails to customers or statements at the AGM, publicly and repeatedly emphasised that the external report would be for the purpose of Medibank learning from the Cyber Incident in order to safeguard customers.

168 The applicants submitted that none of these purposes were ancillary and that — even if there was a legal purpose for any of the engagements/reports of the Cyber Experts — for none did that purpose predominate. If anything, for each, the legal purpose was ancillary.

169 The applicants further submitted, in the alternative, that if the Court was satisfied that the Deloitte Reports were privileged, the privilege in those documents has been waived.

170 Medibank submitted that the reports of the various Cyber Experts were commissioned for the dominant purpose of assisting lawyers to understand and interpret the factual substratum associated with the Cyber Incident. This knowledge was required so that lawyers assisting Medibank could provide legal advice, which would be used in preparation of anticipated legal or regulatory proceedings, and the representation of Medibank in any such proceedings.

171 Medibank maintained that this legal advice was provided in circumstances where litigation was a real prospect, on a properly informed basis. The respondent contends that the applicants have only addressed the advice privilege, noting that the respondent’s privilege claim is made in respect of both the advice and the litigation privilege.

6.    Legal principles — Privilege

6.1    General matters

172 This dispute concerns whether an immunity applies to the documents which would otherwise be disclosed pursuant to an order of this Court. As such, the claims for privilege are to be assessed under common law principles rather than ss 118 or 119 of the Evidence Act 1995 (Cth): Esso Australia Resources Ltd v Commissioner of Taxation (1999) 201 CLR 49 at [16]–[17] (per Gleeson CJ, Gaudron and Gummow JJ).

173 This proceeding concerns both the advice and litigation limbs of the common law doctrine of legal professional privilege, as Medibank has invoked both grounds of privilege.

174 Where a question of legal professional privilege arises, the party claiming that legal professional privilege applies bears the onus of establishing that the privilege applies: Grant v Downs (1976) 135 CLR 674 at 689 (per Stephen, Mason and Murphy JJ). Conversely, the party claiming that privilege has been waived bears the onus of establishing any waiver: Robertson v Singtel Optus Pty Ltd [2023] FCA 1392 at [86] (per Beach J).

175 Medibank bears the onus of establishing that legal professional privilege applies to the documents and the applicants bear the onus of establishing any waiver in respect of that privilege.

176 At common law, legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations or proceedings. The protection is confined to confidential communications made for the dominant purpose of giving or obtaining (including preparation for obtaining) legal advice or the provision of legal services, including legal representation in litigation or other proceedings: Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 at [24] (per Murphy, Anderson and Neskovcin JJ); Robertson at [87] (per Beach J).

177 Privilege can only exist and be maintained when the conditions of the test for its existence are strictly complied with and continue to apply: Grant at 677 (per Barwick CJ), 685, 688, 690 (per Stephen, Mason and Murphy JJ); Commissioner of Australian Federal Police v Propend Financial Pty Ltd (1997) 188 CLR 501 at 508 (per Brennan CJ), 540, 543 (per Gaudron J), 552 (per McHugh J), 568 (per Gummow J), 584–5 (per Kirby J); Esso at [35] (per Gleeson CJ, Gaudron and Gummow JJ).

178 The Full Court of the Federal Court in Singtel Optus recently reaffirmed the relevant legal principles applicable in respect of legal professional privilege at common law at [25]–[27] (per Murphy, Anderson and Neskovcin JJ):

The purpose for which a document was created is a matter of fact to be determined objectively, having regard to the evidence, the nature of the document, and the parties’ submissions. Dominant purpose may be established by evidence and other material and circumstances showing such a description is justified. Proof of dominant purpose can be achieved in a variety of ways depending on the case at hand. In discharging that onus, focused and specific evidence is needed. But the nature and extent of the evidence needed to prove the existence of privilege is fact and circumstance dependent.

The evidence of the intention of the person who made the document, or the person who authorised or procured it, is not conclusive of purpose. In many instances, it is the character of the documents over which privilege is asserted that will illuminate the purpose for which they were created.

It is not sufficient to show a substantial purpose or that the privileged purpose is one of two or more purposes of equal weighting; rather it must be predominant and be the paramount or most influential purpose. The ordinary meaning of dominant purpose indicates the need for a ruling, prevailing or most influential purpose.

(Citations omitted.) (Emphasis added.)

179 The entirety of a document may be privileged or only part of a document: Asahi Holdings (Australia) Pty Ltd v Pacific Equity Partners Pty Ltd (No 4) [2014] FCA 796 at [34] (per Beach J). A document may be privileged to the extent to which it records a privileged communication, even if the document itself would not satisfy the ‘dominant purpose test’: Asahi at [35] (per Beach J).

6.2    Dominant purpose

180 As articulated by the Full Court in Singtel Optus, in order for privilege to arise, it is not sufficient that giving or obtaining legal advice or providing legal services was in part the purpose; it must be the dominant purpose of the relevant communication: at [27] (per Murphy, Anderson and Neskovcin JJ).

181 Further, if two purposes are of equal weight, “neither can be said to be the dominant purpose”: Commonwealth Director of Public Prosecutions v Citigroup Global Markets Australia Pty Ltd [2021] FCA 511 at [95](f) (per White J). If the most that can be said on the evidence is that one of the purposes of the communication included providing legal advice to the client, privilege will not apply: Esso at [50] (per Gleeson CJ, Gaudron and Gummow JJ). If the decision to bring the document into existence would have been made irrespective of any purpose of obtaining legal advice, the latter purpose cannot be dominant: Commissioner of Taxation (Cth) v Pratt Holdings Pty Ltd (2005) 225 ALR 266 at [30](8) (per Kenny J); Asahi at [33] (per Beach J).

182 The relevant purpose will typically be that of the author of the document in question, or “of the person or authority under whose direction, whether particular or general, it was produced or brought into existence”: Grant at 677 (Barwick CJ). Where a “technical report” has been commissioned by a solicitor, the relevant intention may be that of the solicitor: Mitsubishi Electric Australia Pty Ltd v Victorian Workcover Authority (2002) 4 VR 332 at [14] (per Batt JA, Charles and Callaway JJA concurring). In other cases, it may be necessary “to examine the evidence concerning the purpose of other persons involved in the hierarchy of decision-making or consultation that led to the creation of the document and its subsequent communication”: AWB Ltd v Cole (2006) 152 FCR 382 at [110] (per Young J).

183 In many cases, the character of the documents will reveal the purpose for which they were brought into existence: Grant at 689 (Stephen, Mason and Murphy JJ). Alternatively, if that is not the case, it may be established by identifying the circumstances in which the communication took place and the topics to which the instructions or advice were directed: Commissioner of Taxation v PricewaterhouseCoopers [2022] FCA 278 at [146] (per Moshinsky J).

6.3    Third parties and agents

184 If it is determined that a person is an agent of the client, and the agent communicates with the lawyer on behalf of, and at the direction of, the client for the dominant purpose of obtaining legal advice, then those communications are privileged: Pratt Holdings Pty Ltd v Commissioner of Taxation (2004) 136 FCR 357 at [1], [22] (per Finn J); PricewaterhouseCoopers at [155] (per Moshinsky J).

185 Legal professional privilege can extend to communications between the client or lawyer and a third-party who is not an agent: PricewaterhouseCoopers at [156] (per Moshinsky J); Pratt Holdings at [41]–[42], [49] (per Finn J), [105]–[107] (per Stone J).

186 Privilege does not extend “to third party advices to the principal simply because they are then ‘routed’ to the legal adviser”: Pratt Holdings at [46] (per Finn J). The relevant principles in respect of documents which are third-party adviser internal documents or communications between a third-party adviser and the litigant specifically were addressed in Pratt Holdings at [41]–[47] (per Finn J) and [105]–[107] (per Stone J). These principles were summarised by Beach J in Asahi at [38]–[44].

187 Further, in the context of advice provided for the purpose of a transaction or investigation — such as a due diligence specialist or other non-legal genus performing work in a non-litigation setting — the advice by non-legal advisors “will rarely be capable of attracting privilege for the reason that they will almost invariably have the character of discrete advices to the principal as such, with each advice, along with the lawyer’s advice, having a distinctive function and purpose in the principal’s decision making”: Asahi at [40] (per Beach J), citing Pratt Holdings at [46] (per Finn J). This remains true even where the non-legal and legal advice are interrelated, in that they “provide a collective basis for an informed decision by the client”: Asahi at [41] (per Beach J).

188 The High Court in Glencore International AG v Commissioner of Taxation (2019) 265 CLR 646 noted the “serious consequences” and effect of privilege on the conduct of litigation, noting that legal professional privilege must be “confined within strict limits”: at [30] (per Kiefel CJ, Bell, Gageler, Keane, Nettle, Gordon, Edelman JJ). In Singtel Optus, the Full Court of this Court emphasised that one such limit is the requirement that a party claiming privilege must satisfy the Court regarding the dominant purpose and that the dominance of purpose is not established by bare ipse dixit: at [29] (per Murphy, Anderson and Neskovcin JJ).

189 It is open to a trial judge, having regard to the way in which a case is conducted, to reject, or to accord limited weight to, assertions of a witness testifying that documents were for a privileged purpose: Kennedy v Wallace (2004) 142 FCR 185 at [4], [7], [14], [38] and [44] (per Black CJ and Emmett J). In Kennedy, notwithstanding the subjective evidence of the person who created the document, the evidence of surrounding circumstances demonstrated the presence of such significant non-legal purposes that there was insufficient evidence to satisfy the Court that the legal purpose was dominant.

190 When undertaking the requisite objective assessment, “a court is not obliged to accept evidence of state of mind merely because it is asserted, and nor is it obliged to find evidence to be persuasive irrespective as to challenge by cross-examination, particularly where it is contradicted by facts otherwise established by contemporaneous material having regard to the evidence, the nature of the document, and the parties’ submissions”: Singtel Optus at [32] (per Murphy, Anderson and Neskovcin JJ), citing Precision Plastics Pty Limited v Demir (1975) 132 CLR 362 at 370–1 (per Gibbs J, with whom Stephen J agreed, and Murphy J generally agreed).

6.4    Time for assessment of dominant purpose

191 The relevant time for ascertaining purpose is when the communication was made or when a written document comes into existence: Asahi at [30] (per Beach J). With respect to a report commissioned by an external solicitor, the relevant time for assessing the dominant purpose is the time that the report is commissioned: Roberts-Smith v Fairfax Media Publications Pty Limited (No 23) (2021) 417 ALR 221 at [44] (per Abraham J), citing Singapore Airlines v Sydney Airports Corporation [2004] NSWSC 380 at [19]–[21] (per McDougall J).

192 However, this does not mean that it is illegitimate to look at anything that occurs after the report is commissioned up until the time when the document is brought into existence: Robertson at [135] (per Beach J).

193 The Full Court in Singtel Optus at [88] further explained that:

The proper date upon which to assess purpose will depend upon the particular circumstances of the case. Having said that, it will usually be the case that, where a party has commissioned a report from a third-party provider the relevant time to assess the party’s purpose for doing so will be at the time of commissioning. But that is not to say that evidence as to later events cannot be relevant. For example, the evidence might show that the purpose for the report changed over the period from the commissioning of the report to its provision. In Australian Securities and Investments Commission v Noumi [2024] FCA 349 the respondent, which claimed privilege over a third party report it had commissioned, accepted that the purpose for obtaining a report could evolve over time and may extend from the time a report is commissioned up until the time it was brought into existence (at [77]). Shariff J accepted the parties’ submissions that the purpose for which the report in that case was procured was to be assessed across the continuum of time leading up to the creation of the report (at [80]).

(Emphasis added.)

6.5    Portions of documents

194 While Medibank has asserted privilege over the entire contents of the Cyber Expert Documents, for completeness, I note the following.

195 It is open to the Court to hold that privilege applies to certain portions, as distinct from the entirety, of a particular documentary communication: PricewaterhouseCoopers at [174] (per Moshinsky J).

196 In Kennedy, Allsop J stated at [158]–[159]:

158    If there is one conversation or one body of writing incapable of being broken up into which there is intermingled privileged material and non-privileged material the communication as one or as a whole will only be protected if the dominant purpose of the communication or the creation of the writing was to give or receive or record legal advice.

159    If a conversation or a note can be divided up such that privileged and non-privileged material can be segregated, the communications or writing made for the dominant purpose of obtaining legal advice will be privileged, even if the balance of the communications, perhaps even if most of the communications go to other matters. One does not lose privilege on a note made as an aide-memoire for the asking of legal advice by putting 10 other notes on the same page to remind one to ask about 10 other topics. It depends on the nature of the communication or writing and the circumstances of the creation of the document.

197 Ultimately, the purpose for which a document was created is a matter of fact to be determined objectively, having regard to the evidence, the nature of the document, and the parties’ submissions: Robertson at [89] (per Beach J).

7.    Consideration

7.1    CyberCX and Coveware Communications

198 Medibank asserts that the CyberCX and Coveware Communications were prepared for the dominant purpose of KWM providing legal advice and assistance to Medibank in relation to whether the payment of a ransom by Medibank might contravene Australia’s anti-money laundering, terrorism financing and autonomous sanctions laws and/or give rise to issues relating to the compliance with directors’ and officers’ duties under the common law and Corporations Act 2001 (Cth).

199 Coveware describes itself as a “category defining” cyber extortion incident response firm specialising in negotiations with cyber threat actors, “empowering victims of cyber extortion to recover their data with transparency, efficiency and integrity”. Coveware’s website describes its services as:

Forensic triage analysis, extortion negotiation, cryptocurrency settlements and decryption services are bundled together to reduce guesswork by collecting and sharing data with victims in a similar situation. The data collection and recovery is enabled by the development of both proprietary and open-source software with the goal of enabling and empowering victims of cyber extortion, regardless of their technical ability or budget. …

200 Coveware was involved in communications with the Threat Actor from around 11 am on 19 October 2022 until around 1 December 2022. Medibank’s responses to the Threat Actor’s communications were via Coveware, using a pseudonym.

201 Coveware appears to have been engaged by CyberCX, not KWM or Medibank, to assist with managing communications with the Threat Actor. As such the applicants submit that the Coveware claims stand or fall with the CyberCX claims.

202 Mr Gatto’s evidence, on the basis of information from Ms Ritchie, is that on 12 October 2022 Medibank, through Mr Loizou and Ms Ritchie, contacted Mr MacGibbon of CyberCX to discuss Medibank retaining CyberCX to assist with Cyber Crisis Comms. A meeting was held between Medibank and CyberCX later that day.

203 According to Mr Gatto, the initial engagement of CyberCX on 12 October 2022 was for the purposes of Medibank’s External Affairs team obtaining advice from CyberCX in relation to crisis communications with the public and stakeholders. Communications between Medibank and CyberCX pursuant to this initial engagement were conducted primarily through Ms Ritchie and Ms Meaghan Telford (who was at the time Senior Executive − Policy, Advocacy and Reputation at Medibank). Medibank does not claim legal professional privilege over communications pursuant to this initial engagement.

204 On 19 October 2022, Mr MacGibbon wrote an email to Ms Ritchie, Ms Telford, and “David” (who I assume to be Mr Koczkar) which stated:

Our firm advice is that you directly embed some of our strategic advisors on the ground with you in Melbourne.

That way we can participate in your crisis discussions, hear information first-hand and provide timely advice that links together all elements of Medibank’s response: incident response, attacker engagement, public communications.

This incident has now moved into a different phase. Crisis communications with your stakeholders is inseparable from Medibank’s overall strategy for engaging with - and, ideally, gaining the upper hand over - your attacker.

How this incident progresses, and the ultimate impact on customers, is not a technical nor a tactical issue that will be managed by incident responders or ransom negotiators. It must be guided by a strategic Board-level response in lockstep with your crisis communications.

In our experience, Medibank has a narrowing window of opportunity to use its public communications to aid your attacker engagement strategy - whether that engagement is to verify the information they hold, understand (or even delay) release of customer information, or to negotiate. This is a live, ongoing situation and the strategic decisions made now will affect the impact this incident has on your customers.

205 On or about 19 October 2022, Mr Gatto was informed by Mr Lim that, in his view, KWM would need expert assistance from CyberCX in gathering information about the Threat Actor and understanding the nature of their operations, and advice in relation to engagement and negotiations with them. This assistance was required for KWM to advise Medibank in relation to the legal issues and legal risks (including those arising under Australia’s anti-money laundering, financing of terrorism and sanctions laws) in the context of potential negotiations with the Threat Actor in relation to the payment or non-payment of a ransom. On 19 October 2022, Mr Lim met with representatives of CyberCX, and Medibank’s in-house lawyers, including Ms Ramsay.

206 On 20 October 2022, Mr Nick Klein of CyberCX provided KWM with a Statement of Work. The Background to the Statement of Work recorded that KWM was engaging CyberCX to support legal advice provided to Medibank, including in relation to potential litigation against it in relation to the Cyber Incident, in the areas of stakeholder management and crisis communications, data discovery, threat actor intelligence and engagement, and advice on other investigation and response activities as required.

207 On 26 October 2022, Mr Tony Abraham of Medibank emailed Mr John Goodall, Ms Kylie Williamson and Mr Loizou of Medibank a draft of an email responding to Mr MacGibbon’s email to Ms Ramsay of “Sunday last”. After responding in relation to a list of recommended actions, the email concludes:

There was another issue raised in your email to Mei which causes concern – your view that the threat actors remain present or active in our systems.

A. Proper containment of Threat Actor and remediation of vulnerabilities exploited in this incident - I am not convinced Medibank can have certainty that the Threat Actor has been removed, nor that they cannot re-enter. My team are across the work completed and in flight and can assist in coordination and delivery.

Can you elaborate on any specific information or forensic data that supports this? We want to ensure this is not the case as our efforts to date, and the views of Crowdstrike, MS, Threat Intel, the ACSC and others, all reaffirm our current position that the TA are no longer present in the estate. If you would like to take this one offline we can set up a call ASAP.

(Emphasis in original.)

208 The CyberCX Statement of Work was executed by Mr Lim on 29 October 2022, and described the scope of work as falling into three categories:

2.1 Strategic advisory, stakeholder management and crisis communications

CyberCX will provide strategic cyber breach advisory services, which may include:

*    Strategic advice on the impacts and likely developments of the evolving cyber incident

*    Identifying stakeholders, both internal and external

*    Advising on management and communications to each stakeholder group

*    Drafting and / or reviewing communications for stakeholder groups

*    Interfacing with teams performing technical investigation and restoration

*    Supporting media engagement, including media liaison and interview preparation.

2.2 Threat actor intelligence and engagement

CyberCX will collect and share cyber intelligence on the TA, which will help to inform next steps and key decisions as the incident proceeds.

CyberCX will also engage in communications with the TA, with the following objectives:

*    Influence the TA’s actions, especially those such as disclosing samples of stolen data and communicating with other parties

*    Confirm what information the TA has stolen, so the associated risks can be assessed, and mitigations identified (refer Data discovery phase of work below)

*    If necessary, facilitate resolution with the TA.

CyberCX will engage the third-party company Coveware to assist with TA engagement. Coveware will be instructed not to release any communications to the TA without prior approval. Coveware will also provide information to assist sanctions obligations, should it be required.

2.3 Data discovery

In situations where data has been stolen, data discovery is performed to determine the categories of sensitive data and the associated risks and reporting obligations to affected individuals, regulators, and other third parties.

The typical data categories are as follows, but can be amended based on the circumstances of the situation:

*    Private information - which carries a legislative obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC)

*    Contractually notifiable - for which Medibank has any contractual obligations to notify third parties, e.g. suppliers, business partners, medical providers

*    Internal sensitive - for which no obligation exists to notify others, but the data is sensitive to Medibank

*    Security related - information which may further affect the security of Medibank's systems and data, e.g. network security details.

To perform this work, CyberCX will obtain copies of data from Medibank, which is believed to have been taken. The scope of this collection will be informed by the findings of the technical investigation and the output from TA engagement. The collected data will be treated as follows:

*    Structured data - such as homogenous database tables, will not require additional processing, as Medibank should be able to readily identify the data fields and individuals within that data.

*    Unstructured data - such as directories from network file shares, will be processed by CyberCX onto an electronic discovery and review platform Nuix. Scanned documents will have their text contents rendered using optical character recognition (OCR) to allow for keyword searching (e.g. to extract text fields from scanned identity documents such as passports). Password protected files will also be cracked to allow their contents to be accessed. CyberCX will perform an initial review and classification of the data, with input from Medibank data owners and KWM. CyberCX will also provide privacy advice with respect to personal information contained in the data set.

(Emphasis in original.)

209 Mr Gatto gave evidence on the basis of information and belief from Mr Lim of the following matters relating to CyberCX’s further engagement by KWM:

(1)    On 19 October, Mr Lim met with representatives of CyberCX and Ms Ramsay.

(2)    Direct interactions between CyberCX representatives and non-legal Medibank personnel during the course of the engagement were limited to:

(i)    interacting with Medibank IT to obtain documents and other information. KWM and Medibank’s in-house legal team facilitated and/or were directly involved in most of these interactions, but on some limited occasions, CyberCX also engaged directly with Medibank personnel;

(ii)    meeting with Medibank’s CEO, Mr Koczkar, to update him. Medibank’s in-house legal team representatives were present at all relevant meetings and Coveware representatives attended some of these meetings; and

(iii)    presenting updates to Medibank’s Board on approximately three occasions on the demands and communications by the Threat Actor. On each occasion, Mr Lim was present, and either led or introduced the discussion on these updates.

210 Mr Gatto was informed by Mr Lim, Ms Ramsay and Ms Monks that throughout the period of the CyberCX KWM engagement, Mr Lim, Ms Ramsay and Ms Monks communicated with CyberCX and Coveware with respect to:

(1)    communications and negotiations with the Threat Actor;

(2)    the payment of a ransom to the Threat Actor;

(3)    relevant intelligence about the Threat Actor; and

(4)    the nature and veracity of the data exfiltrated by the Threat Actor,

for the dominant purpose of KWM and Medibank’s in-house lawyers providing legal advice to Medibank.

211 Ms Ramsay’s evidence was to similar effect. On or around 19 October 2022, KWM indicated to Medibank that CyberCX could be engaged to provide expert consultancy assistance to KWM for the purpose of assisting KWM to advise Medibank in relation to the Cyber Incident, including in relation to Medibank's negotiations with the Threat Actor and the legality of paying a ransom.

212 The applicants assert that the best evidence as to the purpose of CyberCX’s engagement by KWM is the 19 October 2022 email from Mr MacGibbon to Mr Koczkar, Ms Telford, and Ms Ritchie, none of whom are lawyers. The applicants submit that on the basis of the matters set out by Mr MacGibbon in his email, the engagement with CyberCX was for the purpose of further assisting Medibank “with ‘Cyber Crisis Comms’”. In other words, what CyberCX had been doing pursuant to the initial engagement.

213 The applicants assert that this advice and initial engagement was for Operational, and ASX/PR purposes. Given that the initial engagement of CyberCX was for such purposes, the applicants contend that any re-engagement by KWM could not be privileged. The applicants submit that it is conspicuous that Medibank claims privilege over all communications that post-date KWM’s “re-engagement” of CyberCX. The applicants submit that it strains credulity that the legal purpose would predominate precisely as and from the time that KWM sent an engagement letter. Instead, the applicants assert that the inescapable inference is that Medibank claims privilege because of KWM’s engagement, and not because, actually properly tested, the document is privileged.

214 With respect to the presentations to Medibank’s Board outlined at [209(iii)], the applicants submitted that CyberCX presented to the Board; CyberCX did not assist KWM for KWM then to advise the Board. In this vein, while Mr Lim may have been present and either led or introduced the discussion — the applicants noted that it does not change the fact that CyberCX was directly updating the Board. The applicants stated that this bespeaks, at the least, the Operational, Governance, ASX/PR purposes.

215 As the applicants submit, the CyberCX Statement of Work covered multiple facets, including: strategic advisory, stakeholder management, crisis communications, Threat Actor intelligence, Threat Actor engagement and data discovery. While I accept the applicants’ assertion that, at face value, the overall engagement does not appear to be strictly for a dominant legal purpose, the precise corpus of evidence for each relevant document must be assessed.

216 Privilege is claimed in relation to three particular emails (and their attachments). While a number of purposes may underlie the engagement of CyberCX by KWM, the claim for privilege must be assessed in relation to each of the particular documents in respect of which the claim is made. It is not sufficient to deny the claim to privilege that a document is created pursuant to a Statement of Work that may contemplate more than one purpose for the engagement. It is the particular document itself and the circumstances in which it was created which must be examined to ascertain whether the document was created for the dominant purpose of legal advice, not the overarching engagement and Statement of Work under which it was created.

217 For the limited purpose of substantiating Medibank’s claims of privilege and without intending to waive privilege in the CyberCX and Coveware Communications, Mr Gatto gave evidence (informed by Mr Lim) regarding each communication. Mr Gatto’s evidence as informed by Mr Lim, is that the CyberCX Communications were prepared for the dominant purpose of KWM providing legal advice and assistance to Medibank in relation to whether the payment of a ransom by Medibank might contravene Australia’s anti-money laundering, terrorism financing and autonomous sanctions laws and/or give rise to issues relating to the compliance with directors’ and officers’ duties under the common law and Corporations Act.

218 Before considering the individual documents, I note that the engagement of CyberCX by KWM and the production of the documents must be viewed in the context of the rapidly unfolding Cyber Incident during the period 19 to 29 October 2022. Each of the emails (Documents 1, 2 and 4) was sent during the last three days of that period, in the run up to the Board Meeting of 29 October 2022.

219 As noted above, on 19 October 2022, Medibank shares went back into an ASX trading halt which lasted until 21 October 2022, at which time Medibank’s securities were suspended from quotation until 26 October 2022. The first contact of the Threat Actor was made on the morning of 19 October 2022, via a WhatsApp message to Mr Koczkar. The message included material which indicated that Medibank customer data had been exfiltrated and seeking the payment of a ransom. Prior to that first contact, Medibank was unaware that any customer data had been exfiltrated. Shortly after that first contact, KWM briefed senior counsel to advise in relation to the Cyber Incident.

220 Over the next few days, there were at least three telephone calls with senior counsel and KWM lawyers. By 26 October 2022, it had been confirmed that Medibank customer data had been exfiltrated by the Threat Actor, and that day, counsel was briefed to advise in relation to the legality of paying a ransom. From that point on Mr Koczkar considered that the Cyber Incident had the potential to be even more significant than it already was. The Board received legal advice as to the legality of paying a ransom and directors’ and officers’ duties at the Board Meeting held on 29 October 2022.

221 I disagree with the applicants’ submission that it strains credulity that the legal purpose would predominate precisely as and from the time that KWM sent an engagement letter to CyberCX. I consider that it is entirely consistent with the chronology of the rapidly evolving Cyber Incident and the run up to the Board Meeting of 29 October 2022, at which the Board was to be briefed on the legality of paying a ransom, amongst other matters, that KWM would, in the course of preparing legal advice to the Board on that issue, seek information from CyberCX to assist it in preparing that advice. As such it is unsurprising that Medibank would claim privilege in the documents created in the days leading up to the Board Meeting as its lawyers prepared the legal advice for that meeting.

7.1.1    Document 1

222 This document is an email from Mr Klein of CyberCX to Mr Lim of KWM on 26 October 2022 at 7.48 am with subject line “Re: Medibank | Key ransom issues and action plan”, sent in response to an email from Mr Lim to Mr MacGibbon and Mr Klein earlier that day. Mr Klein’s email was copied to Ms Urszula McCormack (a partner at KWM who specialises in advising clients on Australian and foreign anti-money laundering, financing of terrorism and sanctions laws), Ms Ramsay and Ms Monks.

223 Mr Gatto was informed by Mr Lim that this email related to a request that CyberCX and Coveware provide Mr Lim with information in relation to the identity of the Threat Actor. According to Mr Lim, that information was relevant to KWM providing legal advice to Medibank in respect of its compliance with anti-money laundering, terrorism financing and sanctions laws, and other legal considerations relevant to paying a ransom to the Threat Actor.

224 By 26 October 2022, it had been confirmed that Medibank customer data had been exfiltrated by the Threat Actor. That same day, counsel was briefed to advise in relation to the legality of Medibank paying the ransom demanded by the Threat Actor. At the time, on 26 October 2022, it remained uncertain whether Medibank could legally pay the ransom. It also remained uncertain whether, from a public relations and risk mitigation perspective, Medibank should pay the ransom. No doubt, a multiplicity of concerns governed the ultimate decision-making as to whether a ransom would or would not be paid.

225 Whether to pay a ransom was a matter considered at the Board meeting of 29 October 2022. The minutes for that meeting record that the Board noted a paper entitled “Board Briefing – Cybercrime – Ransom Framework – Supplemental Paper” and attached appendices. The Board Minutes also recorded that “overnight the Threat Actor had advised that Medibank had 5 days to agree on a ransom amount and acceptable payment terms otherwise the ransom amount would double at the end of the 5 days”. The paragraph following was redacted on the basis of privilege.

226 In order for privilege to apply to this particular document, Medibank must discharge its onus of proof that the dominant purpose of this email was for the provision of legal advice to Medibank or in anticipation of litigation. Document 1 was sent in response to an email from Mr Lim early on the morning of 26 October 2022. It was also sent to Ms McCormack, Ms Ramsay and Ms Monks, each of whom are lawyers.

227 While the CyberCX Statement of Work and CyberCX’s presentation to the Board of Medibank suggest that the engagement of CyberCX by KWM appears to be for more purposes than the dominant purpose of legal advice — in the case of this specific document, I am satisfied by Mr Gatto’s explanation that the legal purpose in this case predominated over any other potential purpose. After considering the circumstances surrounding the production of Document 1, I am satisfied that Medibank has discharged its onus that the dominant purpose of this communication was to provide Medibank with legal advice on the legality of paying a ransom to the Threat Actor.

228 The context at the time, coupled with Mr Gatto’s explanation, indicate that the dominant purpose of this communication was for Medibank to obtain legal advice from KWM regarding the legality of making a ransom payment, which advice was provided to the Board at the 29 October 2022 Board meeting. I consider that Document 1 listed in Annexure A is privileged.

7.1.2        Documents 2 and 3

229 Documents 2 and 3 are an email from Mr Klein to Mr Lim on 27 October 2022 at 3.57 pm with the subject line “Re: Project Opera (privileged and confidential)” and its attachment. Mr Klein’s email is copied to Ms Charlston, a KWM partner involved in advising Medibank in respect of the Cyber Incident, and Ms Ramsay.

230 Mr Gatto was informed by Mr Lim that this email related to a request that CyberCX and Coveware provide Mr Lim with an update relating to the identity of the Threat Actor, which was relevant to KWM providing legal advice to Medibank in respect of its compliance with anti-money laundering, terrorism financing and sanctions laws and other legal considerations relevant to paying a ransom to the Threat Actor.

231 The timing of KWM’s engagement of CyberCX aligns with the rapid evolution of the Cyber Incident from a breach of Medibank’s systems to a more serious exfiltration of customer data with accompanying demand for payment of a ransom. It is consistent with the rapid evolution of the circumstances of the Cyber Incident that KWM was providing advice to Medibank and its Board as to the legality of paying a ransom. As noted above, senior counsel was briefed to advise on the ransom issue, and there were at least three telephone conversations involving senior counsel and KWM lawyers prior to the Board meeting on 29 October 2022, at which the Board was briefed on the legality of paying a ransom. I am satisfied that Medibank has discharged its onus that the dominant purpose of this communication was to provide Medibank with legal advice on the legality of paying a ransom to the Threat Actor.

232 If a host email is privileged and the attachment was attached for a privileged purpose, then the attachment is privileged: Turner v Bayer Australia Ltd (No 5) (2023) 70 VR 290 at [136] (per Matthews AsJ). I accept that the attachment to the email is also privileged.

233 Therefore, I consider that Documents 2 and 3 listed in Annexure A are privileged.

7.1.3    Documents 4, 5, 6, 7, 8 and 9

234 These documents are an email from Mr Klein to Mr Lim on 29 October 2022, the morning of the Board meeting, at 11 am with subject line “Fwd: Update on TA comms (privileged and confidential)” (Document 4) and accompanying attachments (Documents 5 to 9). Each of Documents 5 to 8 is described as a “screenshot” and each screenshot was taken on 28 October 2022 at times between 10.17 am and 10.20 am. Document 9 is an attachment entitled “Case 06064 – Coveware.pdf”. Mr Klein’s email was copied to Mr MacGibbon of CyberCX, Ms Ramsay and Ms Monks.

235 Mr Gatto was informed by Mr Lim that this email was sent to Mr Lim following a request by him that Mr Klein provide an update on communications with the Threat Actor. This update was sought to enable KWM to provide legal advice to Medibank in relation to compliance with anti-money laundering, terrorism financing and sanctions laws and other legal considerations relevant to paying a ransom to the Threat Actor.

236 For the same reasons set out above in relation to Documents 1, 2 and 3, I consider that Documents 4, 5, 6, 7, 8 and 9 in Annexure A are also privileged.

237 As I discussed above at [36], [102], CrowdStrike was engaged twice in relation to the Cyber Incident. First, by Medibank on 12 October 2022 at around the time that Medibank became aware of the Cyber Incident. Second, by KWM directly on 18 November 2022, with a formal Statement of Work being executed on 29 October 2022. The engagement on 12 October 2022 appears to be earlier in the afternoon than Medibank’s first contact with KWM.

238 According to Mr Gatto, CrowdStrike was initially approached by Datacom (Medibank’s primary IT service-provider) to see what assistance it could provide in relation to the Cyber Incident. Meetings between Medibank and CrowdStrike took place on 12 October 2022, and CrowdStrike was engaged by Medibank to provide incident-response and investigation services pursuant to the CrowdStrike SOW of that date.

239 Mr Gatto explained that CrowdStrike was then engaged to assist KWM to understand, from its knowledge acquired performing the incident-response services for Medibank described above, what had occurred in the Cyber Incident. In particular by helping KWM to understand the information in technical logs collected by CrowdStrike which recorded the dates and times that various systems and applications had been accessed by the Threat Actor.

240 Pursuant to the CrowdStrike SOW, CrowdStrike was to provide investigation services, analyse data, deploy CrowdStrike tools including the Falcon software, determine compromised or accessed systems, develop a timeline of attacker activity, provide recommendations for containment and recovery actions and produce recommendations for long-term continuous security posture improvement. The Falcon software was deployed in the Medibank system on 12 October 2022.

241 CrowdStrike Falcon is described in the CrowdStrike SOW as a cloud-managed end point detection and response application that was used to assist Medibank’s IT security team with threat detection, data collection (including logs and forensic artefacts) and to provide an additional protection against the execution of malware. CrowdStrike Falcon is comprised of two core components, the cloud-based application and the on-premise device sensor application.

242 The CrowdStrike SOW listed Ms Elaine Liew as “Counsel Contact” and noted that all “communications and documents exchanged between CrowdStrike and Counsel or Customer pursuant to this SOW are intended to support Counsel’s rendering of informed legal advice to Customer. CrowdStrike understands and acknowledges that its work and communications pursuant to this SOW are intended to support Counsel’s legal strategies concerning Customer.”

243 Mr Gatto was informed by Ms Liew (who, at the time, was the Head of Legal, Privacy and Data Protection at Medibank) that the 12 October 2022 engagement of CrowdStrike by Medibank was for the dominant purpose of enabling Ms Liew and other members of the Medibank in-house legal team to advise Medibank in relation to the legal risks associated with the Cyber Incident. Ms Liew was responsible for Medibank’s compliance with the Privacy Act, including its obligations under the OAIC’s notifiable data breach scheme. According to Ms Liew, Medibank’s in-house legal team required technical assistance from CrowdStrike to determine whether any customer data had been accessed and exfiltrated, and whether the Threat Actor had been expelled from Medibank’s environment. These matters in turn had potential ramifications with respect to aspects of Medibank’s compliance with the Privacy Act, including with respect to notifications required to be made to customers and the OAIC under the Privacy Act.

244 The CrowdStrike SOW was subsequently modified on two occasions to provide for additional hours of CrowdStrike services under the engagement:

(1)    the first modification was dated 17 October 2022 and signed by Medibank and CrowdStrike on 20 and 21 October 2022 respectively; and

(2)    the second modification was dated 28 October 2022 and signed by Medibank and CrowdStrike on 3 and 7 November 2022 respectively.

245 Aside from increasing the scope of works for an additional 240 hours, the first modification to the CrowdStrike SOW on 17 October 2022 provides no information as to the work to be done, as the section under the heading “fees” is redacted. The second modification dated 28 October 2022, provides for an additional 350 hours, but again, redacts details of the scope of work.

246 Medibank does not claim privilege in relation to CrowdStrike’s deployment of its Falcon detection and response software, or the broader incident response component of CrowdStrike’s engagement pursuant to the CrowdStrike SOW. Mr Koczkar’s evidence is that the Falcon software continues to be deployed on Medibank’s computer systems as an “ongoing mitigant”.

247 On 18 November 2022, KWM engaged CrowdStrike directly. The KWM retainer letter of 18 November 2022 (18 November 2022 Letter) stated:

Purpose of your Retainer

1    We refer to Statement of Work 1 entered into between CrowdStrike and Medibank on 12 October 2022, as modified on 21 October and 28 October 2022 (SOW), which defines the scope of work that CrowdStrike is to provide to Medibank (CrowdStrike Services).

2     As set out in the SOW, the CrowdStrike Services are being provided to Medibank for the purpose of Medibank being provided with confidential legal advice in relation to the recent cyber incident, and you understand and acknowledge in the SOW that all communications in relation to the CrowdStrike Services must be kept confidential and are subject to legal professional privilege.

3     Medibank has engaged King & Wood Mallesons (KWM) to provide it with the confidential legal advice and assistance referred to in the SOW.

4     The scope of our advice includes whether, in relation to the recent cyber incident, Medibank or its directors, officers or employees may have, amongst other things, complied with (and continue to comply with) the provisions of the Privacy Act 1988 (Cth) or other Australian privacy laws, breached any contractual or equitable obligations (including obligations of confidence), engaged in misleading or deceptive conduct or breach of disclosure obligations, and/or been negligent in the design or implementation of its IT systems and processes.

5     In addition, at least two class actions against Medibank are being actively investigated by plaintiff law firms, and the Office of the Australian Information Commissioner has commenced inquiries in relation to the cyber incident. The Australian Federal Police is also conducting an investigation. Accordingly, it is presently anticipated that one or more class actions or regulatory investigations / prosecutions will be commenced against Medibank or others in relation to the incident. We are providing legal advice and assistance to Medibank in relation to these matters.

6     In order for us to provide the legal advice and assistance to Medibank as outlined above, we require CrowdStrike to provide expert IT assistance to us, and we hereby retain you for this purpose.

7     In relation to this retainer, CrowdStrike is engaged for the dominant purpose of providing assistance to KWM to enable us to provide legal advice and assistance in relation to the cyber incident to Medibank.

8     We will be in contact with you separately to discuss the assistance you are to provide to us in more detail, including in relation to billing arrangements and whether any amendments to the SOW are required.

248 The KWM 18 November 2022 Letter referred to the CrowdStrike SOW and the two modifications to the CrowdStrike SOW, noting that the services provided by CrowdStrike pursuant to the SOW were for the purpose of Medibank being provided with confidential legal advice in relation to the Cyber Incident.

249 Much of the KWM 18 November 2022 Letter is in like terms to the Deloitte Engagement Letter of 15 November 2022, extracted above at [95]. In particular, paras 4 and 7 are in identical terms to paras 2 and 5 of the Deloitte Engagement Letter.

250 Medibank claims privilege in respect of two CrowdStrike Reports which it says were commissioned by KWM: the CrowdStrike Investigation Report of 22 December 2022 (Document 10 listed in Annexure A) and the CrowdStrike Atlassian Report of 11 May 2023 (Document 11 listed in Annexure A). The circumstances of the commissioning of these reports are discussed below.

251 Much of the applicants’ submissions regarding CrowdStrike were directed to the operational nature of CrowdStrike’s activities at large since its engagement on 12 October 2022, including the still ongoing deployment of the Falcon software, rather than to the two particular documents in respect of which Medibank claims privilege.

252 The applicants submit that given the operational nature of CrowdStrike’s activities leading up to the re-engagement, the separate re-engagement of CrowdStrike by KWM indicates an attempt by Medibank to cloak the CrowdStrike engagement in privilege.

253 Mr Gatto’s evidence was that KWM sought an investigation report from CrowdStrike in order for KWM to understand the activities of the Threat Actor for the purposes of KWM being able to provide legal advice to Medibank in relation to those activities, including to assist with preparing notifications to the OAIC and customers under the Privacy Act, and for the purposes of the anticipated legal proceedings.

254 Mr Gatto explained the purpose of KWM engaging CrowdStrike as being to assist KWM to understand, from its knowledge acquired performing the incident-response services for Medibank, what had occurred in the Cyber Incident, in particular by helping KWM to understand the information in technical logs collected by CrowdStrike which recorded the dates and times that various systems and applications had been accessed by the Threat Actor.

255 After 18 November 2022, CrowdStrike continued to communicate directly with Medibank’s internal IT security team in relation to the incident-response services being provided and the operation of CrowdStrike’s Falcon software. Mr Gatto was informed by Mr Loizou that those interactions were generally limited to CrowdStrike:

(a)    interacting with the Medibank IT team for the purposes of implementing and maintaining CrowdStrike Falcon;

(b)    interacting with Medibank’s procurement and billing teams for the purpose of issuing and following up on the payment of invoices;

(c)    attending approximately two meetings with Medibank technical staff to provide status updates for the purpose of keeping Medibank’s technical staff apprised of the progress of CrowdStrike’s work; and

(d)    attending meetings between Medibank technical staff and other third parties such as Datacom and Microsoft’s Detection and Response team to coordinate and provide updates to Medibank.

256 Following the 18 November 2022 engagement of CrowdStrike by KWM, on 22 November 2022, Mr Russell was a party to a telephone call with Mr Mark Goudie and Mr Nathaniel Smith of CrowdStrike. On that call, Mr Russell requested that CrowdStrike prepare an investigation report for KWM based on the data which CrowdStrike had collected through operation of the Falcon software during the period in which it provided the incident-response services to Medibank. This report would explain to KWM which Medibank systems were accessed by the Threat Actor and when, and any other findings from the work CrowdStrike conducted during the incident-response phase of their engagement by Medibank.

257 On or around 16 December 2022, CrowdStrike provided a draft of the CrowdStrike Investigation Report to KWM.

258 On or around 19 December 2022, Mr Russell asked CrowdStrike a question concerning a finding in the draft report relating to Medibank’s Atlassian suite of products which were in use in the Medibank IT environment at the time of the Cyber Incident.

259 On 20 December 2022, Mr Russell requested that CrowdStrike undertake a further investigation in relation to Medibank’s Atlassian suite of products, and prepare a report of its findings (being the CrowdStrike Atlassian Report), in order for KWM to understand the activities of the Threat Actor and provide legal advice to Medibank.

260 On 22 December 2022, CrowdStrike provided the CrowdStrike Investigation Report to KWM via an online file share.

261 Between 20 December 2022 and 3 April 2023, KWM liaised directly with CrowdStrike in relation to the preparation of the CrowdStrike Atlassian Report. During this time, CrowdStrike’s instructions were provided by Mr Russell. All meetings with CrowdStrike in relation to the CrowdStrike Atlassian Report were attended by KWM and, on occasion, members of Medibank’s in-house legal team. All requests from CrowdStrike for further information necessary to continue its work on the CrowdStrike Atlassian Report were directed through KWM.

262 On 11 May 2023, CrowdStrike provided the CrowdStrike Atlassian Report to KWM and Medibank’s in-house legal team, as well as Mr James Majer, then Medibank’s Head of Network Engineering, who had responsibility for Medibank’s Atlassian suite of products.

263 The applicants point out that — whilst Medibank’s external legal team would require such technical assistance — the evidence also indicates that a variety of persons within Medibank would require this technical assistance to determine whether any customer data had been accessed and exfiltrated, and whether the threat had been expelled. The applicants give examples of various non-legal staff who also required this assistance at the relevant time. Such non-legal staff at Medibank include staff responsible for regulated relationships, external communications, the Board and senior management.

264 The applicants also cite the 16 October 2022 Draft Paper discussed above at [57] as evidence of the fact that CrowdStrike’s engagement was always anticipated for Operational, Governance and APRA purposes.

265 Further, the applicants also point to the fact that CrowdStrike’s initial engagement was referred to in an investor call on 26 October 2022 and in a response to a 10 November 2022 request from S&P Global regarding the Cyber Incident, apparently for the purpose of assuaging market concerns.

266 The applicants submit that the initial engagement, pursuant to the 12 October 2022 CrowdStrike SOW, was predominantly for an Operational purpose. Initially, privilege had been claimed in respect of this engagement, and Medibank relied on the 12 October 2022 CrowdStrike SOW as having been for a predominant legal purpose.

267 Comparing the CrowdStrike SOW with KWM’s 18 November 2022 Letter, the applicants further submitted that the effect of the 18 November 2022 engagement was to place KWM into the shoes formerly occupied by Medibank’s in-house legal counsel, Ms Liew. This submission is bolstered by paras 1, 2 and 3 of the 18 November 2022 Letter cited above at [247] which stated that:

(1)    CrowdStrike’s services were being provided to Medibank for the purpose of Medibank being provided with confidential legal advice in relation to the Cyber Incident; and

(2)    Medibank had engaged KWM to provide it with the confidential legal advice and assistance referred to in the CrowdStrike SOW.

268 The applicants contend that the fact that KWM’s 18 November 2022 engagement is directly tied to Medibank’s 12 October 2022 engagement bespeaks the fact that the second engagement is no more privileged than the first engagement. The applicants contend that the abandonment of the initial privilege claim is telling, particularly in light of the fact that there has been no clear demarcation between the expert IT assistance CrowdStrike was to provide pursuant to the 12 October engagement and the assistance it was to provide pursuant to the 18 November engagement. As such, the applicants submitted that the 18 November engagement is a continuation of the previous arrangements, and its purpose was to cloak in privilege an ongoing (non-privileged) engagement.

269 Against this background, I turn to the two CrowdStrike Reports in question. Mr Gatto’s evidence is that the CrowdStrike Reports were prepared for the dominant purpose of KWM understanding how the Cyber Incident occurred, so that KWM could provide both:

(1)    legal advice to Medibank in relation to its legal obligations and position; and

(2)    legal assistance to Medibank in relation to anticipated legal proceedings.

270 Mr Gatto’s evidence is that the CrowdStrike Reports have been relied on and used by him, and by other lawyers at KWM, to provide legal advice to Medibank, including in relation to legal proceedings now on foot against Medibank. For example, the CrowdStrike Reports have been used by him and others at KWM for the purpose of:

(1)    briefing counsel;

(2)    advising Medibank on its compliance with the Privacy Act;

(3)    responding to compulsory OAIC notices;

(4)    preparing Medibank’s defences in legal proceedings;

(5)    identifying key issues and areas requiring further work to manage and/or mitigate Medibank’s legal risks and liabilities; and

(6)    preparing summaries and notes on key factual and legal issues.

271 In addition to the CrowdStrike Reports, according to Mr Gatto, CrowdStrike also provided responses to ad-hoc queries raised by KWM and Deloitte, to enable KWM to advise Medibank in relation to the Cyber Incident as matters evolved.

272 Before descending into a detailed consideration of the circumstances surrounding the creation of the two CrowdStrike Reports, it is necessary to say something about CrowdStrike’s initial engagement pursuant to the 12 October 2022 CrowdStrike SOW, as the KWM engagement refers to that initial CrowdStrike SOW and follows on from that engagement.

273 I do not accept that the initial 12 October 2022 CrowdStrike engagement was for the dominant purpose of providing legal advice or assistance. CrowdStrike was engaged shortly after the discovery of the Cyber Incident, within hours of Medibank becoming aware of it. CrowdStrike was contacted by Datacom to assist in the urgent response to the just-discovered Cyber Incident: to shut down the attack path and prevent further breaches, to ensure the Threat Actor had been expelled and to ascertain whether any customer data had been exfiltrated. That Medibank’s immediate focus was on shutting down the breach of Medibank’s computer system, assessing the extent and nature of the breach and preventing further breaches is evidenced by the fact that CrowdStrike was approached before KWM, and by the nature of the services to be provided pursuant to the CrowdStrike SOW, including the deployment of the Falcon software.

274 There is no evidence from anyone at Medibank as to how the CrowdStrike services supplied under the CrowdStrike SOW were used to facilitate the provision of legal advice. This is in contrast to the evidence about the CyberCX Communications discussed above and how they were referable to the provision of legal advice at the 29 October 2022 Board Meeting as to the legality of the payment of a ransom.

275 The KWM 18 November 2022 Letter assumed that the earlier CrowdStrike services were being provided to Medibank for the purpose of Medibank being provided with confidential legal advice in relation to the Cyber Incident. The KWM 18 November 2022 Letter notes at para 3 that KWM has been engaged by Medibank to “provide it with the confidential legal advice and assistance referred to in the [CrowdStrike] SOW”. As the applicants submit, the KWM 18 November 2022 Letter has KWM stepping into the role of “Counsel” previously filled by Ms Liew so that from that point onwards, KWM would provide the legal advice and assistance which CrowdStrike’s services were purposed to support.

276 The applicants submit that there is no clear demarcation between the work done by CrowdStrike pursuant to the CrowdStrike SOW and the work done pursuant to the KWM engagement. The services to be provided by CrowdStrike under the KWM 18 November 2022 Letter were the same services as those that were to be provided pursuant to the CrowdStrike SOW. As I have found above, the services to be provided by CrowdStrike pursuant to the CrowdStrike SOW were the deployment of the Falcon software in Medibank’s computer system, shutting down the attack path, preventing future breaches, ensuring the expulsion of the Threat Actor and ascertaining whether any customer data had been exfiltrated. There is nothing in the KWM 18 November 2022 Letter to suggest that the services to be provided by CrowdStrike had changed in any way.

277 According to Mr Gatto, after 18 November 2022, CrowdStrike also continued to communicate directly with Medibank’s internal IT security team in relation to the incident-response services being provided and the operation of CrowdStrike’s Falcon software. Examples given by Mr Gatto of the CrowdStrike interactions with Medibank after 18 November 2022, included attending meetings between Medibank technical staff and other third parties, such as Datacom and Microsoft’s Detection and Response team, to coordinate and provide updates to Medibank and attending approximately two meetings with Medibank technical staff to provide status updates for the purpose of keeping Medibank’s technical staff apprised of the progress of CrowdStrike’s work.

278 However, even if the services to be provided by CrowdStrike pursuant to the CrowdStrike SOW and then the KWM 18 November 2022 Letter do not appear to be for the dominant purposes of legal advice or assistance, the relevant question is whether the two CrowdStrike Reports are the subject of legal professional privilege. This is to be determined by reference to the documents themselves and the purpose for which they came into existence. The scope of the services provided under the CrowdStrike SOW and 18 November 2022 engagement is but one factor to consider.

7.2.1    Document 10 — CrowdStrike Investigation Report

279 This document is a report from CrowdStrike dated 22 December 2022 entitled, “Privileged Investigation Report”.

280 As explained above at [256], according to Mr Gatto this report was prepared following a request by Mr Russell on 22 November 2022, that CrowdStrike prepare an investigation report for KWM based on the data which it had collected through operation of the CrowdStrike Falcon software during the period in which it provided the incident-response services to Medibank.

281 As discussed above at [269], Mr Gatto explained that KWM sought an investigation report from CrowdStrike in order for KWM to understand the activities of the Threat Actor for the purposes of KWM being able to provide legal advice to Medibank in relation to those activities, including to assist with preparing notifications to the OAIC and customers under the Privacy Act, and for the purposes of anticipated legal proceedings.

282 For the limited purpose of substantiating Medibank’s claims of legal professional privilege and without intending to waive any privilege in this document, Mr Gatto noted that the front page of the CrowdStrike Investigation Report states in bold type: “Privileged and confidential”; and “Prepared for the dominant purpose of KWM providing legal advice to Medibank”. On page 4 of the CrowdStrike Investigation Report it is recorded that: “[t]his report has been prepared on the request of KWM for the dominant purpose of KWM providing legal advice to Medibank.” That these forms of wording are included in the report is neither surprising, nor determinative, particularly as the wording follows that specified under the “Communications protocol” heading in the KWM 18 November 2022 Letter.

283 That much of the services provided by CrowdStrike pursuant to the CrowdStrike SOW and the KWM 18 November 2022 Letter may have been for Operational purposes, does not detract from Mr Gatto’s evidence in relation to the purpose for which this particular document was brought into existence.

284 I accept Mr Gatto’s evidence that Document 10 was created by CrowdStrike in response to a specific request from Mr Russell made on 22 November 2022 for the dominant purpose of KWM being able to provide legal advice and assistance to Medibank. Mr Russell requested CrowdStrike to prepare a report, based on the data collected by it through the operation of its Falcon software, to explain to KWM what systems were accessed by the Threat Actor and when, for the purposes of KWM being able to provide legal advice to Medibank.

285 I note that my finding that Document 10 is subject to legal professional privilege does not render privileged the earlier non-privileged CrowdStrike information on which Document 10 is based. It is only Document 10 itself that is privileged.

286 I am satisfied that Medibank has discharged its onus and established that the dominant purpose of this communication was to assist KWM to provide Medibank with legal advice.

7.2.2    Document 11 — CrowdStrike Atlassian Report

287 This document is a report from CrowdStrike dated 11 May 2023 entitled “Privileged Investigation Report - Atlassian Crowd Analysis”.

288 According to Mr Gatto the CrowdStrike Atlassian Report was prepared following:

(1)    as noted above at [258], a question by Mr Russell on or around 19 December 2022, concerning a finding in the draft investigation report which related to Medibank’s Atlassian suite of products which were in use in the Medibank IT environment at the time of the Cyber Incident; and

(2)    as noted above at [259], a request by Mr Russell on 20 December 2022, that CrowdStrike undertake a further investigation in relation to Medibank’s Atlassian suite of products, and prepare a report of its findings (being Document 11), in order for KWM to understand the activities of the Threat Actor and provide legal advice to Medibank.

289 On 11 May 2023, CrowdStrike provided the CrowdStrike Atlassian Report to KWM and Medibank’s in-house legal team, as well as Mr Majer.

290 For the limited purpose of substantiating Medibank’s claims of legal professional privilege and without intending to waive any privilege, Mr Gatto noted that the front page of the CrowdStrike Atlassian Report states: “Privileged and confidential: Prepared at the Direction of Counsel” and that it was “Prepared for KWM”. Page 3 of the CrowdStrike Atlassian Report records:

Privileged Engagement - KWM (“Counsel”) engaged CrowdStrike Services ("CrowdStrike”) on behalf of Counsel's client, Medibank (“Customer”), in connection with a privileged investigation. CrowdStrike’s services were performed at the direction of Counsel, pursuant to a Privileged engagement letter (PEL) between Counsel, Customer, and CrowdStrike dated November 18, 2022, to assist Counsel in providing legal advice to Customer in response to a suspected computer security incident.

291 Again, that these forms of wording are included in the CrowdStrike Atlassian Report is neither surprising, nor determinative, particularly as the wording follows that specified under the “Communications protocol” heading in the KWM 18 November 2022 Letter.

292 As with Document 10, that much of the services provided by CrowdStrike pursuant to the CrowdStrike SOW and the KWM 18 November 2022 Letter may have been for Operational purposes rather than for the dominant purpose of providing legal advice, does not detract from Mr Gatto’s evidence in relation to the purpose for which Document 11 was brought into existence.

293 I accept Mr Gatto’s evidence that Document 11 was created by CrowdStrike in response to the request from Mr Russell for the dominant purpose of KWM being able to provide legal advice and assistance to Medibank in relation to the activities of the Threat Actor. As noted in relation to Document 10, my finding that privilege subsists in Document 11, does not render privileged any prior non-privileged information referenced in Document 11.

294 I am satisfied that Medibank has discharged its onus to establish that the dominant purpose of this communication was to provide Medibank with legal advice.

7.3    Threat Intelligence Reports

295 As noted at [26] above, at the time of the Cyber Incident, Medibank had a standing engagement with Threat Intelligence to act as its DFIR partner. Pursuant to that DFIR standing engagement, Threat Intelligence investigated the circumstances of the Cyber Incident and conducted dark web monitoring activities to look for data being published on the dark web, which resulted in two reports being provided to Medibank.

296 No claim of privilege is made by Medibank in respect of material the subject of Threat Intelligence’s DFIR standing engagement.

297 Mr Koczkar’s evidence was that, after the Cyber Incident, Medibank sought and obtained two reports from Threat Intelligence:

(1)    on 9 November 2022, a report entitled: “Medibank Dark Web Data Leak Report” which explained the outcome of the dark web monitoring; and

(2)    on 2 December 2022, a report entitled: “Digital Forensics and Incident Response Report" together with an accompanying “Detailed Incident Timeline”, prepared for the purpose of assisting Medibank to understand what happened, and how the Threat Actor infiltrated Medibank’s IT systems,

(together, the Medibank TI Reports).

298 Mr Gatto gave evidence to similar effect as to the Medibank TI Reports.

299 Medibank makes no privilege claim in respect of either of the Medibank TI Reports, or any other material relating to the Medibank Threat Intelligence DFIR engagement, save for material that disclosed the substance of other privileged communications. Both reports have been produced to the OAIC and to the applicants in this proceeding.

300 Mr Gatto’s evidence was that by no later than 20 December 2022, he formed the view that KWM should seek expert assistance from Threat Intelligence in relation to specific cyber security technical issues. This was, according to Mr Gatto, so that KWM could advise Medibank in relation to the legal risks associated with the Cyber Incident and legal proceedings which were anticipated.

301 On or about 22 December 2022, Threat Intelligence commenced providing cyber security expert assistance to KWM. KWM sent a letter of engagement to Threat Intelligence on 22 December 2022 (KWM 22 December Letter), and a further one on 3 January 2023. According to Mr Gatto, the two Threat Intelligence Reports (Documents 12 and 13), were produced pursuant to this engagement.

302 The KWM 22 December Letter stated:

Purpose of your Retainer

1     Medibank has engaged King & Wood Mallesons (KWM) to provide confidential legal advice and assistance to it about the legal risks and potential exposures associated with the recent cyber incident.

2     The scope of our advice includes whether, in relation to the recent cyber incident, Medibank or its directors, officers or employees may have, amongst other things, complied with (and continue to comply with) the provisions of the Privacy Act 1988 (Cth) (Privacy Act) or other Australian privacy laws, breached any contractual or equitable obligations (including obligations of confidence), engaged in misleading or deceptive conduct or breach of disclosure obligations, and/or been negligent in the design or implementation of its IT systems and processes.

3     The Office of the Australian Information Commissioner (OAIC) has commenced an investigation into the cyber incident under s 40(2) of the Privacy Act, and a representative complaint has been made to the OAIC by Maurice Blackburn pursuant to s 38 of the Privacy Act, with at least one other being contemplated. In addition, at least two class actions against Medibank are being investigated by plaintiff law firms. The Australian Federal Police is also conducting an investigation. Accordingly, one or more class actions, prosecutions or additional regulatory investigations may be commenced against Medibank or others in relation to the incident. We are providing legal advice and assistance to Medibank in relation to these matters.

4     We note you have previously been engaged by Medibank to provide services in connection with the cyber incident. Now, in order for us to provide the legal advice and assistance to Medibank as outlined above, KWM wishes to engage Threat Intelligence to provide cyber security expert assistance to us, including [Redacted]

5    In relation to this retainer, Threat Intelligence is engaged for the dominant purpose of providing assistance to KWM to enable us to provide legal advice and assistance in relation to the cyber incident to Medibank.

9 (d)     You should include on the front page of any draft report and any other document you produce in the course of this engagement the following wording “Privileged and Confidential: Prepared for the dominant purpose of KWM providing legal advice to Medibank”. …

303 By December 2022, KWM was receiving assistance from Deloitte and other expert third-parties. However, Mr Gatto considered Threat Intelligence — with its technical cyber expertise and accumulated knowledge in relation to Medibank’s systems (by reason of its standing DFIR engagement) — was best-placed to provide immediate assistance to KWM. Further, according to Mr Gatto, in December 2022, KWM required immediate technical cyber security assistance in order to advise Medibank in relation to its response to the own motion investigation that had been commenced by the OAIC on 1 December 2022.

304 Threat Intelligence provided all advice, reports or other findings in relation to the KWM Engagement to Mr Russell of KWM. Mr Gatto’s evidence is that Mr Russell kept him regularly informed of the status of Threat Intelligence’s work and he was also sent and reviewed a substantial portion of the correspondence between Threat Intelligence and KWM, including the two Threat Intelligence Reports the subject of this application.

305 Mr Gatto also gave evidence that he was aware of some overlap in time between the Threat Intelligence KWM Engagement and the standing DFIR engagement. As a result, there were some direct communications between Threat Intelligence and Medibank employees after 22 December 2022. Mr Gatto understood that those communications were limited to matters relating to the DFIR engagement (for example, penetration testing, dark web monitoring and incident response services).

306 In the further engagement letter sent by Mr Russell to Mr Miller of Threat Intelligence dated 3 January 2023 (KWM 3 January Letter), KWM referred to the earlier KWM 22 December Letter, and stated:

KWM now wishes to engage Threat Intelligence to provide further cyber security expert assistance to us (in addition to the matters set out in our Engagement Letter), for the purpose of KWM providing legal advice and assistance in relation to cyber incident to Medibank.

307 According to Mr Gatto, the KWM 3 January Letter set out the further work KWM required Threat Intelligence to perform. However, the details of the two matters of further work that KWM wished Threat Intelligence to do pursuant to the further engagement are redacted.

308 According to Mr Gatto, the Threat Intelligence Reports were procured for the dominant purpose of providing expert cyber security assistance to KWM so that KWM could provide legal advice to Medibank. Mr Gatto explained that KWM required “immediate technical cyber security assistance” in order to advise Medibank in relation to Medibank’s response to the investigation that had been commenced by the OAIC on 1 December 2022. The Threat Intelligence Reports were utilised by KWM lawyers to provide advice, including in relation to legal proceedings now on foot. For example, Mr Gatto noted the Threat Intelligence Reports were used for the purposes of:

(1)    briefing counsel;

(2)    advising Medibank on its compliance with the Privacy Act;

(3)    responding to compulsory OAIC notices;

(4)    preparing Medibank’s defences in legal proceedings;

(5)    identifying key issues and areas requiring further work to manage and/or mitigate Medibank’s legal risks and liabilities;

(6)    preparing summaries and notes on key factual and legal issues; and

(7)    preparing advice to Medibank on steps it should take in relation to leaked data in order to comply with its legal obligations and mitigate any legal risk.

309 The applicants contend that Mr Gatto does not explain with any specificity what Threat Intelligence was engaged to do from KWM’s re-engagement of it on 22 December 2022, or why KWM needed to engage Threat Intelligence again on 3 January 2023.

310 The applicants assert that “cyber security expert assistance” was exactly what Threat Intelligence was already engaged to do under the standing DFIR engagement. Further, the KWM 3 January Letter is almost wholly redacted, with no contemporaneous documents elucidating the scope of the 3 January 2023 engagement.

311 Mr Gatto has explained the context in which KWM sought the Threat Intelligence Reports, namely the OAIC investigation which commenced on 1 December 2022. As Mr Gatto explained, Threat Intelligence was best placed to provide immediate technical assistance to KWM to enable KWM to advise Medibank about its response to the OAIC investigation. Mr Gatto’s explanation goes beyond ‘mere generalised assertion’ and provides a connection between the Threat Intelligence Reports and the legal advice provided by KWM.

312 However, even if the services to be provided by Threat Intelligence pursuant to the DFIR engagement, and then pursuant to the KWM 22 December Letter, appear to be for the Operational purpose of “cyber security expert assistance” rather than the dominant purpose of legal advice or assistance, the question is whether the two Threat Intelligence Reports are the subject of legal professional privilege. This is to be answered by reference to the documents themselves and the purpose for which they came into existence, rather than the scope of the services provided under the Threat Intelligence DFIR engagement.

7.3.1    Document 12

313 This document is a report from Threat Intelligence dated 4 January 2023 entitled “Medibank Digital Forensics and Incident Response Report”.

314 For the limited purpose of substantiating Medibank’s claims of legal professional privilege, and without intending to waive any privilege in this document, Mr Gatto noted that the front page of this report states “Privileged and Confidential: Prepared for the dominant purpose of KWM providing legal advice to Medibank.” The inclusion of such a statement is not surprising, nor, again, is it determinative, given the express instruction to include such a notation in the first engagement letter, being the KWM 22 December Letter.

315 I accept Mr Gatto’s evidence that Document 12 was created by Threat Intelligence because KWM required “immediate technical cyber security assistance” in order to advise Medibank in relation to Medibank’s response to the investigation that had been commenced by the OAIC on 1 December 2022. Further, there is no evidence which expressly contradicts Mr Gatto’s evidence with respect to this document. I also accept that, in this case, the requisite specificity to bespeak a legal purpose is made out in light of the OAIC investigation on foot at the relevant time. As such, I am satisfied that the communication was created for the dominant purpose of KWM being able to provide legal advice and assistance to Medibank. I am also satisfied that Medibank has discharged its onus of establishing that the dominant purpose of this communication was to provide Medibank with legal advice.

7.3.2    Document 13

316 This document is a report from Threat Intelligence dated 23 February 2023 entitled “Draft Investigation Report - Medibank Sharepoint Investigation”.

317 Mr Gatto’s evidence is that between 10 January 2023 and 23 February 2023, KWM worked with Threat Intelligence on the further engagement outlined in the KWM 3 January Letter. This included emails and calls, predominantly between Mr Bradley at Threat Intelligence and KWM partners including Mr Russell and Mr Gatto, to take and provide instructions and to ensure that the further engagement was progressing in accordance with KWM’s requirements. On occasion, Threat Intelligence personnel attended meetings with KWM partners and Medibank’s in-house legal team to assist KWM in providing legal advice in connection with the engagement outlined in the KWM 3 January Letter.

318 According to Mr Gatto, for the limited purpose of substantiating Medibank’s claims of legal professional privilege and without in any way intending to waive any privilege, this report marks on every page in bold type “Confidential and Legally Privileged”. This report also states in the Executive Summary on page 4 that “Threat Intelligence was engaged by Medibank via external legal counsel, King & Wood Mallesons (KWM), on 9th January 2023. KWM requested support to conduct a forensic investigation pertaining to ...”. Mr Gatto understands that the reference to “9th January 2023” is a reference to the date Threat Intelligence confirmed the engagement the subject of KWM’s letter of 3 January 2023, which occurred on 9 January 2023.

319 I accept Mr Gatto’s evidence that Document 13 was created by Threat Intelligence to further assist KWM to advise Medibank in relation to Medibank’s response to the investigation that had been commenced by the OAIC on 1 December 2022. I am satisfied that the communication was created for the dominant purpose of KWM being able to provide legal advice and assistance to Medibank. I am also satisfied that Medibank has discharged its onus of establishing that the dominant purpose of this communication was to provide Medibank with legal advice.

7.4    Datacom document — Document 14

320 According to Mr Gatto, Datacom did not conduct an investigation into the Cyber Incident for Medibank.

321 Following the commencement of the OAIC investigation, KWM provided legal advice to Medibank to assist it in responding to numerous notices issued by the OAIC to Medibank in relation to the Cyber Incident. As part of this legal engagement, KWM required Medibank to provide it with a very significant volume of documents for the purposes, inter alia, of KWM reviewing them to determine whether they fell within the terms of the notice and whether they contained communications or information to which Medibank’s legal professional privilege attached. Datacom assisted KWM by collecting the documents from Medibank and providing them to KWM so that KWM could provide legal advice and assistance to Medibank in respect of the notices issued by the OAIC.

322 According to Mr Gatto, the Datacom Communication (Document 14) is an example of a communication occurring in the course of Datacom providing assistance to KWM and Medibank. The applicants did not press for the production of this document on the basis that Medibank’s evidence and submissions indicated that these communications concerned document management services.

7.5    Deloitte Reports

323 For the reasons which follow, I do not consider that the provision of legal advice and/or assistance was the dominant purpose for which the Deloitte Reports were commissioned. That purpose was only one of several equally dominant purposes for which the Deloitte Reports were commissioned.

324 The evidence shows (and Mr Koczkar and Mr Wilkins accepted) that Medibank had multiple purposes motivating it to procure the Deloitte Reports. As noted at [166] above, in addition to the legal purpose, there were at least the following purposes:

(a)    Operational;

(b)    Governance;

(c)    APRA; and

(d)    ASX/PR.

325 An examination of each of the purposes for which the initial Deloitte external review was commissioned, and then expanded into three reports, shows that the ASX/PR and APRA purposes were at least equally dominant, if not more dominant purposes than the provision of legal advice and/or legal assistance — the legal purpose.

326 The background to the engagement of Deloitte, the Deloitte Engagement Letter, the expansion of the scope of the external review and the role of APRA is discussed above in the ‘Relevant Facts’ section.

327 That the ASX/PR purpose was an important purpose can be seen from the numerous public references to the commissioning of the external review and appointment of Deloitte made by Medibank in its ASX announcements, communications with employees and millions of customers and health partners. Each of the public statements was approved by the Board of Medibank, or a Medibank executive prior to publication. In each of these public statements, Medibank stated that Medibank, not its lawyers, commissioned the external report, and that the purpose of the external review was to protect and safeguard customers. That the ASX/PR purpose continued to be an important underlying purpose of the external report can be seen from the fact that Medibank continued to publicly reference that purpose whilst Deloitte was undertaking the review, and following receipt of the first of the Deloitte Reports.

328 Within a day of the Board deciding to commission an external review on 6 November 2022, and before the identification of the external reviewer and engagement of Deloitte, Medibank was communicating that decision to its shareholders via the 7 November 2022 ASX Announcement, reviewed by Ms Ramsay and approved by the Board. The public purpose given in the ASX announcement for the commissioning of the external report was twofold: the protection of customers, and to learn from the Cyber Incident in order to strengthen Medibank’s ability to safeguard customers:

… Medibank is committed to taking decisive action to protect our customers, our people, and the community in relation to the cybercrime perpetrated against its customers last month. …

Medibank will commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers

Medibank commits to sharing the key outcomes of the review, where appropriate…

(Emphasis added.)

329 The applicants contend that the content of this 7 November 2022 ASX Announcement is cogent evidence that, from the outset, Medibank’s dominating purposes for the engagement of Deloitte and the Deloitte Reports were some or all of the Operational purpose, the Governance purpose, and the ASX/PR purpose. They submit that the APRA purpose also assumed a prominence in Medibank’s rationale for Deloitte’s engagement as by mid-November 2022, it became clear to the business that APRA would require the review to fulfil APRA’s requirements — as well as Medibank’s — if Medibank were to avoid APRA undertaking its own independent review. APRA’s role in setting the scope of the external review is discussed in the next section.

330 Mr Wilkins’ evidence in relation to the 7 November 2022 ASX Announcement was that “it was important to [him] that we got the message out that we were taking appropriate steps to understand what had occurred so that we could remedy any issues that may be revealed to us and share those issues within the constraints of any legal advice taken by us”. Both Mr Wilkins and Mr Koczkar accepted that a purpose of the Deloitte external review was to learn from the Cyber Incident in order to strengthen Medibank’s ability to safeguard its customers.

331 There were many other Medibank public references to the fact that an external report had been commissioned for the purpose of learning from the Cyber Incident and strengthening Medibank’s ability to safeguard customers, including at the AGM on 16 November 2022, the day after Deloitte’s engagement. Mr Wilkins and Mr Koczkar both highlighted the engagement of Deloitte in their speeches at the AGM on 16 November 2022. In each of their public statements the purpose given for commissioning the external report was said to be to learn from the Cyber Incident in order to strengthen Medibank’s ability to safeguard its customers. See the AGM statements of Mr Wilkins and Mr Koczkar extracted at [98] above.

332 The same day as the AGM, Mr Koczkar sent an email to all Medibank employees (around 3750 people), which is extracted above at [99], stating that the purpose of the external report was to ensure that Medibank learnt from the Cyber Incident, and strengthened its ability to safeguard customers. Mr Koczkar, and other executives, reiterated that purpose in the many emails to Medibank’s customer cohort and healthcare partners sent shortly after the AGM. The tenor of Medibank’s public announcements and other public statements never varied, always giving the purpose for commissioning the external review as being to learn from the Cyber Incident and to strengthen Medibank’s ability to safeguard customers. No public mention was ever made as to the purpose of the external review being for the purposes of legal advice or providing legal assistance, or as to the external review being commissioned by Medibank’s lawyers, rather than Medibank itself.

333 On 1 December 2022, Medibank published a letter to its customers in media publications across Australia, which is extracted above at [106]. Under the heading “Strengthening our ability to safeguard your data”, the letter stated:

We’ve commissioned Deloitte to carry out an external review of recent events. This review will help inform the changes we make as a company and, where we can, we will openly share its findings with the broader community. It’s not just data that’s affected. It’s people. People we care for, and whose health and wellbeing remains our absolute focus.

334 The Medibank 2023 half year results released on 23 February 2023 in a section headed “External review/OAIC investigation” noted as the first dot point: “Deloitte conducting an external review, and that review is ongoing”. The Deloitte external review was also mentioned in the “Highlights” section of an Investor Presentation on the half year results released the same day under “Cybercrime event impacts – our focus remains on our customers”. The ongoing Deloitte review was reported under “What we have done in response”.

335 The 28 April 2023 ASX Announcement (approved by the Board) announced that Medibank had been provided with Deloitte’s findings from its external review, reporting that a number of Deloitte’s recommendations to enhance Medibank’s IT processes and systems had already been implemented (see above at [159]). Medibank stated that it intended to implement all the recommendations from the review which were not already implemented. Mr Koczkar gave evidence that Deloitte identified — and directly informed Medibank about — areas of its IT systems that still needed to be enhanced.

336 Mr Wilkins confirmed that Deloitte in its reports had, in fact, made recommendations and opined on the enhancements that needed to be made to Medibank systems and the adequacy of those systems. Mr Wilkins is quoted in the 28 April 2023 ASX Announcement as saying “[o]ur focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve”. The 28 April 2023 ASX Announcement concludes with Mr Wilkins saying “[f]rom the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations”.

337 Mr Koczkar also made reference to the Deloitte findings from the external review in his Presentation to the Macquarie Australia Conference and an FY23 outlook update dated 2 May 2023. Under the heading “Key point”, Mr Koczkar notes “Deloitte made recommendations to enhance Medibank’s IT processes and systems, a number of which have already been implemented”.

338 The repeated public references to Medibank’s commissioning of an external review, the engagement of Deloitte to carry out that review, and the stated public purpose of that review being to learn from the Cyber Incident so as to strengthen Medibank’s ability to safeguard its customers are contrary to the legal purpose being the dominant purpose. As the applicants observe, if the Board was really only concerned with the legal purpose and envisaged that Deloitte’s engagement and any reports resulting from the external review were and would be treated as privileged, there was no need for Medibank to refer to the external review at all in any public communications. The reference to the external review and its ASX/PR purpose was clearly intentional, as it was repeated in many of the public communications, all of which had been reviewed within Medibank before publication. Nor did any of the public statements include any qualification that the external review was recommended by Medibank’s lawyers or that it was being done for the purposes of providing legal advice and/or assistance.

339 Medibank’s repeated public references to the external review conducted by Deloitte are in marked contrast to the treatment of the work of the other Cyber Experts, such as Threat Intelligence and CrowdStrike, which Medibank contends were also engaged for the purposes of KWM providing legal advice and assistance. Deloitte is the only consultant identified in the public communications, and the Deloitte Reports are the only external review identified in those communications.

340 This purpose of the external report — to enable Medibank to learn from the Cyber Incident and to strengthen Medibank’s ability to safeguard its customers — was a forward-looking purpose. In this sense, the Deloitte review would identify and make recommendations to Medibank as to enhancements and changes that needed to be made to Medibank’s IT processes and systems in order to strengthen its security environment to better safeguard its customers’ data in the future. In contrast, the legal purpose was a backward-looking purpose, whereby the Deloitte Reports would translate the technical IT data about the Cyber Incident into a form intelligible to the lawyers in order for the lawyers to provide Medibank with legal advice or assistance in relation to legal issues associated with the Cyber Incident.

341 Each of the Medibank public communications also contained a commitment to share the results of the external review — a commitment inconsistent with the preservation of legal professional privilege. However, Mr Wilkins downplayed that commitment, conceding that despite the repeated public statements about Medibank sharing the results of the external review, at no time did he intend to release or “share” the results of the external review into the public domain.

7.5.2    APRA purpose

342 The APRA purpose was another important purpose to Medibank.

343 APRA is the prudential regulator for Medibank. Medibank first notified APRA of the Cyber Incident on 13 October 2022. From the following week, APRA held twice-weekly meetings with Medibank at which Medibank provided updates about its response, the impacts of the Cyber Incident and its business continuity plans.

344 Mr Koczkar and Mr Wilkins gave evidence that a key concern for Medibank was to avoid the need for APRA to conduct its own review of the Cyber Incident. It was highly likely that unless Medibank conducted a review that accorded with APRA’s requirements, the regulator would conduct its own investigation, potentially as a precursor to enforcement action. Mr Koczkar considered the ideal situation to be one review as there was “a lot of time and energy needed to respond to the questions in a review” and it would be “expedient if the one review could satisfy [APRA’s] requirements as well”.

345 Medibank sought APRA’s approval before it announced the engagement of Deloitte as the external reviewer at the AGM, and in particular before it stated that it had consulted APRA about the appointment. Medibank also sought APRA’s approval of the draft Deloitte Engagement Letter and the scope of the review to be undertaken pursuant to that engagement. As noted at [154], on 19 December 2022, Mr Spencer of Medibank provided to APRA a copy of the draft KWM engagement letters in respect of the RCA Report and CPS 234 Report so that APRA could confirm that it was satisfied with the scope of the review.

346 In framing the terms and scope of Deloitte’s engagement to undertake the external review, Medibank was concerned to ensure that it met the requirements and expectations of its regulator, in order to provide the regulator with the information it required and so as to avoid the regulator undertaking its own separate review. APRA publicly confirmed its role in informing the scope of the external review in order “to ensure that it will meet APRA’s requirements”, noting that the review would examine “the incident itself, control effectiveness and the response of Medibank”.

347 Mr Wilkins confirmed that it was his understanding that APRA had informed the scope of the external review to ensure that it met APRA’s requirements, and that APRA was going to use the findings of the external review as part of its consideration as to whether further regulatory action might be needed against Medibank. Mr Wilkins’ understanding accorded with APRA’s public statement that it “would consider whether further regulatory action is needed when findings of the [Deloitte] report become clear”.

348 The applicants point to the “striking coincidence” that the three stages of assistance which KWM required aligned almost precisely with the same matters that APRA wished to have reported to it. The overlap is no coincidence given the extent of Medibank’s communications with APRA outlined above, APRA’s role in informing the scope of the review, and the Chair and CEO’s aim for there to be only one external review, that undertaken by Deloitte, and to avoid a separate APRA review.

349 Mr Koczkar agreed (consistently with APRA’s public statement) that APRA expected Medibank to use the findings of the external review to undertake remediation actions and consequence management, including assessing executive remuneration impacts. Mr Koczkar further agreed that the Deloitte Reports were apt to inform whether there should be remuneration consequences within Medibank as a result of the Cyber Incident as that fact had been communicated in emails to customers.

350 The only way the APRA purpose could be satisfied was for APRA to be given a copy of the Deloitte Reports, and for APRA to be able to fulfil its regulatory obligations and duties based on the matters in the reports. APRA publicly confirmed that it had informed the scope of the external review to be conducted by Deloitte in the 28 November 2022 APRA Release, noting Medibank’s constructive response to date and that “APRA will consider whether further regulatory action is needed when findings of the report become clear”. Medibank in its 28 November 2022 ASX Announcement, noted that it had been in regular consultation with APRA and stated that as “part of our engagement, Medibank consulted with APRA on the scope of the external review we commissioned Deloitte to undertake”. As noted previously, copies of the draft Deloitte Engagement Letters for the RCA and CPS 234 Reports were provided to APRA before being sent to Deloitte in order for APRA to be satisfied as to the content.

351 The details of the communications between Medibank and APRA relating to the commissioning and scope of the external review are set out in section 4.3 above. It is notable that most of the emails discussing the scope of the external review did not copy in any KWM lawyer. Nor was it discussed in the communications that one of the purposes of the external review was to ground legal advice. Further, as the applicants contend, KWM played only a minor role in the selection of the external expert or in determining the scope of their engagement, with APRA taking a leading role in determining the scope, at least in so far as required to meet the APRA requirements.

352 According to Mr Koczkar, the “ideal situation” for Medibank was for only one review to occur:

… there’s a lot of time and energy needed to respond to the questions in a review, so we were doing our review, and then given that APRA was likely to do their review, we thought it would be expedient if the one review could satisfy their requirements as well … given we were doing review anyway, that was why we were keen to avoid two reviews, to make sure they were satisfied with the scope.

353 An email from Mr Koczkar to Mr Carmody of APRA on 27 November 2022, stated:

Finally, I wish to reiterate Medibank's commitment to working constructively and cooperatively with APRA to ensure we meet APRA's expectations. As always, if you have other suggestions as to how we can achieve this objective, then I would be very appreciative to hear those from you.

354 Mr Wilkins agreed with the proposition that the commissioning of the external review was also apt to help reassure the regulator that Medibank was taking appropriate action. He accepted that his intention was that Medibank would do what it could to ensure that Deloitte’s review met APRA’s expectations and thus avoid a further review.

355 To further Medibank’s aim of avoiding a separate APRA review, APRA was consulted on the terms of reference for the external review. APRA made suggestions for additions to the scope of the external review. APRA was concerned that the review be independent, and questioned whether Medibank’s Internal Audit team, as the team leading the external review, could maintain its independence given that an aspect of the external review would consider (at APRA’s insistence) compliance with CPS 234, for which Internal Audit was partially responsible from a compliance perspective. This led to a governance change, with the internal lead being reassigned from Internal Audit. Ms Phillips informed Mr Young, in the only apparent reference to KWM, that “the proposed governance structure will see Deloitte have direct access and reporting into the Medibank Board, and Deloitte will be working through KWM for outcome discussions and reporting”.

356 Mr Koczkar and Mr Wilkins met with Mr Carmody and Ms Smith of APRA on 25 November 2022 to discuss the proposed terms of reference of the external review. At that meeting, Mr Koczkar and Mr Wilkins proposed, and APRA agreed, that the review would be sequenced, dealing first with post-incident review (the PIR Report), secondly with a root cause analysis (the RCA Report), and then finally with Medibank’s compliance with CPS 234 (the CPS 234 Report). It was for this reason that the scope of Deloitte’s engagement was refined and expanded in the terms of the engagement letters dated 11 January 2023.

357 Mr Koczkar’s evidence was that on 25 November 2022, he and Mr Wilkins discussed with Mr Carmody and Ms Smith putting in place arrangements so that Medibank could maintain privilege.

358 According to Mr Koczkar it was agreed during the 25 November 2022 meeting that Medibank “would provide APRA with the results of its external review on the basis that Medibank maintained its claim of [legal professional privilege] over such material”. Mr Koczkar did not say that he articulated the basis of any such claim to APRA. Legal professional privilege was not mentioned in correspondence between Medibank and APRA until Mr Huijsen’s 8 December 2022 Email which noted “APRA legal to meet with [Medibank] legal to discuss assurances APRA can provide around legal professional privilege”.

359 In his email to Mr Koczkar of 26 November 2022 (set out at [135] above), Mr Carmody proposed that there be “tri-partite” meetings which would allow APRA to have direct engagement with the third-party review. Mr Carmody considered that such meetings would help ensure that APRA’s scope items were adequately addressed and reduce the risk that anything was lost in translation. Mr Koczkar agreed to the proposed tri-partite meetings in an email the next day. Neither Mr Carmody’s email of 26 November 2022 nor Mr Koczkar’s email of 27 November 2022 made any mention of maintaining privilege. Five tri-partite meetings between Medibank, APRA and Deloitte took place during the course of the Deloitte engagement.

360 Ms Ramsay was “keen to ensure, if possible, that part of Medibank’s proposed external review would address APRA’s desire to understand the circumstances of the Cyber Incident, and that outcomes would be shared with APRA”. Ms Ramsay’s correspondence with APRA was explicit about Medibank’s priority to meet APRA’s expectations. Those expectations would include being able to use the information in the external report for APRA’s regulatory purposes. Ms Ramsay’s email of 9 December 2022 to Mr Huijsen stated:

Thank you again for your time yesterday, and for clarifying the areas APRA requires to be in scope of the external review to be conducted by Deloitte. Medibank appreciates your engagement and input and wishes to ensure that the scope of the reviews meets APRA's expectations.

In response to the points you make in your email:

*    Thank you for acknowledging and agreeing to our approach to managing the commissioning of the various reviews. As discussed, Medibank will be engaging Deloitte to perform the work under three separate engagements and each engagement will result in a standalone report. AS [sic] you note, the 3 reviews are colloquially known as: IT Incident Review (which Deloitte has already commenced), Root Cause Review and Compliance with CPS234.

Once again thank you for your time yesterday, and I wish to reiterate Medibank's commitment to working constructively and cooperatively with APRA to ensure we meet APRA's expectations.

361 As can be seen from Ms Ramsay’s 9 December 2022 email, by this time, the external report had evolved into three separate reports, the most relevant one to APRA being the “Compliance with CPS234” report. However, APRA received copies of all three Deloitte reports.

362 An agreed privilege protocol between Medibank and APRA was entered into on 15 February 2023 expressed in the 15 February 2023 Letter, well after the external review had been commissioned. As the applicants note, that protocol could not and does not retrospectively establish the existence of a dominant legal purpose for the commissioning of the external review undertaken by Deloitte: Robertson at [161] (per Beach J).

363 APRA was provided with copies of all three Deloitte Reports, not just the CPS 234 Report. The final copy of the CPS 234 Report was provided to APRA by KWM on 28 June 2023, two days after APRA had sent a letter to Medibank about action it would take following APRA’s review of the Cyber Incident.

364 The close involvement of APRA in informing the scope of the external review supports the conclusion that the APRA purpose — to avoid a separate APRA external review — was a very important purpose to Medibank. The hands-on involvement of APRA in developing the scope of the external review, the multiple tri-partite meetings, and the grant to APRA — Medibank’s regulator, and a potential protagonist in penalty proceedings against Medibank over the Cyber Incident — of direct access to all the Deloitte Reports were antithetical to ensuring maintenance of that privilege on the basis that the dominant purpose for commissioning the Deloitte Reports was the provision of legal advice or assistance.

7.5.3    Role of the Board

365 It was the Board of Medibank that resolved to approve the appointment of Deloitte to conduct an external review of the Cyber Incident. During the 15 November 2022 Board meeting, where it was resolved that Deloitte would be appointed to conduct an external review, no lawyers (other than Ms Ramsay) attended the meeting, with the language of the Board resolution also silent as to the fact that Deloitte was to be engaged by KWM for the purpose of the review. The Board meeting minutes redact any discussion of the reasons for the external review. Mr Gatto did not recall being informed or consulted about the Board resolution.

366 According to Mr Wilkins the Board “wanted to have a […] unvarnished view of what had occurred, and [they] felt that it was important that they had that access to the [B]oard to be able to report that”. Mr Wilkins also met with the people from Deloitte and offered that Deloitte should contact him personally should there be any issues with respect to access to information or assistance to conduct the review.

367 Mr Wilkins agreed that he had expressed a preference on or around 6 November 2022, that it be clear that the Board was commissioning the external review, rather than management, to demonstrate how seriously the Board was treating the Cyber Incident and to ensure a level of separation between the external review and management. Mr Koczkar shared the same view.

368 At the same time as approving the appointment of Deloitte, the Board appointed Ms Ramsay to liaise with KWM and Deloitte in relation to the review. To this, Mr Wilkins’ evidence was that Ms Ramsay was appointed primarily in her role as Group General Counsel but that, in circumstances where Ms Ramsay is also the Company Secretary of Medibank (in addition to being the Group General Counsel), he also thought Ms Ramsay was the most appropriate person to take carriage of this matter as it would involve “administrative” tasks.

369 Mr Wilkins personally spoke with either Mr Blatchford or Mr Carvouni of Deloitte prior to Board meetings at which Deloitte were scheduled to present a report so that they could “give [him] an update on what they were going to talk about”. Mr Wilkins confirmed that he met with Deloitte representatives on several occasions prior to Board meetings and before Deloitte delivered each of the Deloitte Reports; and that he did so without any lawyers present. Mr Wilkins confirmed that in these meetings, Deloitte briefed him on what matters Deloitte were going to raise at the meetings.

370 Deloitte attended meetings of the Board to brief directors on the progress of their review and to address their reports on around five occasions. Mr Wilkins confirmed that Deloitte reported directly to the Board on its findings, not via KWM. The Board agenda and Board minutes reveal — confirmed by Mr Wilkins — that many non-lawyer and non-Board member management employees of Medibank attended the meetings and were present for Deloitte’s presentations on each of the three Deloitte Reports. Mr Wilkins also had a “service quality call” with the Chair of Partners at Deloitte, Mr Tom Imbesi, in which Mr Imbesi asked for “feedback on the quality of Deloitte’s work”.

371 The applicants submit that this evidence indicates that the Board, or at least, Mr Wilkins, contemplated that the Board would always have a function in, and even ultimately oversight of, Deloitte’s engagement. As such, the applicants note that it may be imputed that the Board sought the Deloitte Reports for a Governance purpose in addition to the ASX/PR purpose, the APRA purpose and the legal purpose.

372 In addition to the multiple public statements as to the purpose of the external review being to safeguard its customers’ information discussed in 7.5.1 above, I consider that the following factors further tend against the dominant purpose for the commissioning of the external review being for the legal purpose:

the Board’s desire for an unvarnished view of what had occurred, rather than unvarnished legal advice;

the Board’s close oversight of the external review, including the personal attention and intervention of the Chair of the Board;

the direct reporting by Deloitte to the Board rather than via KWM;

the pre-Board meeting briefings with the Chair of Medibank; and

the Board’s desire to be seen by its stakeholders (shareholders, customers, health partners) to be treating the Cyber Incident seriously.

7.5.4    Mr Gatto’s evidence as to the legal purpose

373 Mr Gatto gave several reasons why “KWM required Deloitte to investigate the relevant matters”.

374 The first reason might be described as a “technical translation” reason. Because of the technical nature of the cyber security systems and documents created by those systems, Mr Gatto considered that it was important that KWM obtain a fulsome understanding, in plain English, of the facts and circumstances of the Cyber Incident in order to be able to advise Medibank in relation to the legal issues it was confronting and to be able to effectively represent Medibank in the potential legal proceedings, including briefing counsel.

375 The technical information provided by Medibank’s internal cyber security team was in the form of raw technical data, and Mr Gatto considered that Medibank’s internal cyber security team had little capacity to provide technical assistance with interpreting the technical information for KWM, given their focus on containing the Cyber Incident, then remedying the IT systems after the Cyber Incident.

376 Second, Mr Gatto considered it important to understand what information had been accessed and removed to ascertain the extent of Medibank’s potential legal exposure to affected customers. He also expected that it would be important to Medibank’s defence in potential legal proceedings, and to advising Medibank in relation to the risk of any ongoing and continuing non-compliance with Medibank’s legal obligations following the Cyber Incident.

377 Third, Mr Gatto considered that Deloitte’s review of whether the enhancements to Medibank’s IT systems and processes implemented since the Cyber Incident mitigated the risk of recurrence of a similar incident, and any recommendations as to further enhancements to those systems and processes, would assist KWM to understand those matters to advise Medibank in relation to the risk of any ongoing and continuing non-compliance with Medibank’s legal obligations post the Cyber Incident. This was relevant to mitigating the risk of further investigations brought about by regulators, such as APRA and the OAIC, as in Mr Gatto’s experience, regulators usually consider it relevant to their decisions as to what investigatory and enforcement action they will take whether there is a material risk of the same or similar thing happening again and whether steps have been taken to mitigate that risk.

378 On Mr Gatto’s evidence, CrowdStrike and Threat Intelligence were also engaged by KWM to provide, at the very least, assistance to KWM that overlapped with that provided by Deloitte to enable KWM to provide legal advice and assistance to Medibank in relation to the Cyber Incident and in providing responses to the OAIC own motion investigation.

379 Mr Gatto’s evidence was that KWM engaged CrowdStrike directly on 18 November 2022 and later requested that CrowdStrike provide an investigation report. This was in order for KWM to understand the activities of the Threat Actor for the purposes of KWM being able to provide legal advice to Medibank in relation to those activities, including to assist with preparing notifications to the OAIC and customers under the Privacy Act, and for the purposes of the anticipated legal proceedings. Mr Gatto’s evidence was that, as at 20 December 2022, Threat Intelligence had become the primary cyber security firm used by KWM to provide it with technical expert assistance so that it could provide legal advice to Medibank or legal assistance in relation to the class actions and representative complaints commenced against Medibank. That both CrowdStrike and Threat Intelligence were well placed to provide “technical translation” services in relation to Medibank’s IT information tends to undermine Medibank’s contention that the provision of such services by Deloitte, in order for KWM to provide legal advice or assistance, was the dominant purpose for the external report being commissioned.

380 Mr Koczkar also gave evidence that the purpose of the external review was to translate the technical information into something that the Board and Medibank’s lawyers could understand. Mr Koczkar explained that the reports that had been prepared by Medibank’s in-house IT team and the various cyber experts on the Cyber Incident were quite technical in nature and difficult to understand for people not trained in IT. Mr Koczkar contemplated that “[h]aving someone external [i.e., Deloitte] come in and review what had happened and explain this to Medibank’s lawyers provided the best method for the Board to understand what the Cyber [Incident] meant legally for Medibank”. Mr Koczkar also referred to another purpose of the external review, as providing a means of verifying Medibank’s internal investigation, although he described that purpose as “very much secondary to the primary purpose of ensuring the Board could receive advice on Medibank’s legal position based on an external review of what had occurred”.

381 The overwhelming need for a technical translation of the Medibank IT information in order for KWM to be able to provide legal advice to the Board does not sit comfortably with Mr Koczkar’s evidence that he considered that Medibank’s “internal investigation had already given us a reasonable understanding of what had occurred” and that “by this time [he] felt [he] already had a reasonable understanding of what had occurred based on Medibank's internal investigation”.

382 The external review ultimately commissioned went far beyond mere technical translation of the available technical information produced by Medibank’s internal IT investigations. Even if this legal purpose was an influential purpose, it could not override the ASX/PR purpose or APRA purpose. The effect was to bolster public communications which stated that the external review enabled Medibank to learn from the Cyber Incident and to better safeguard its customer data, as well as avoiding the need for a separate APRA external review.

383 Finally, Mr Gatto’s evidence was that KWM required input on what was required to meet the “commensurate with” standard and other requirements of CPS 234 and whether Medibank’s system met that standard. Such a purpose is inconsistent with the same report being provided to the regulator, APRA, for the purposes of assessing whether Medibank’s systems were adequate to meet its obligations and whether or not to impose sanctions in respect of any deficiencies identified.

384 The applicants contend that Mr Gatto’s evidence simply reflects a significant purpose perceived by him for the Deloitte Reports — namely, the legal purpose, but that is not determinative of the dominant purpose being the legal purpose. I agree.

385 I do not doubt that the legal purpose was one of the multiple purposes for which the external review conducted by Deloitte was commissioned. However, I do not consider that the legal purpose was the dominant purpose for which the external review was commissioned.

7.5.5    Document 15 — PIR Report

386 This document is a report from Deloitte dated 4 April 2023 titled “Post Incident Review”.

387 Deloitte prepared a “Board Update” presentation for the 9 February 2023 Board meeting to inform the Board of its progress to date in the Post Incident Review. Mr Blatchford, Mr Carvouni and Mr David Boyd of Deloitte were recorded in the minutes as attending the 9 February 2023 Board meeting. The minutes also record that in addition to the Board, Ms Ramsay, the three people from Deloitte and three partners from KWM were all in attendance. In total, the meeting was attended by 14 Medibank management executives, most of whom from their titles do not appear to be lawyers, all of whom were listed as being present for the Cyber Incident update.

388 A copy of the PIR Report was sent to Mr Gatto on 4 April 2023, and the next day he sent a letter on behalf of KWM to Medibank and its Directors enclosing a copy of the Deloitte PIR Report on a confidential and privileged basis. A copy of the PIR Report was included in the Board papers for the 11 April 2023 Board meeting.

389 The PIR Report was presented to the Board by Mr Blatchford and Mr Carvouni at the 11 April 2023 Board meeting. The agenda allocated 60 minutes for the PIR Report. The minutes record that Mr Blatchford and Mr Carvouni spoke about the Report and answered questions from the Board. Mr Boyd was also present. The minutes also record that, in addition to the Board, Ms Ramsay, the three people from Deloitte and two partners from KWM, the meeting was attended by eight Medibank management executives, most of whom from their titles do not appear to be lawyers, and all of whom were listed as being present for the discussion of the PIR Report.

390 Mr Koczkar’s evidence was that by the time he received the PIR Report, Medibank “had [its] own internal investigation”, so when he read the PIR Report he was looking to see whether there was anything new, as much as anything else in the report. By that time, Mr Koczkar felt he had a good idea of how Medibank’s systems and processes needed to be enhanced and strengthened based on Medibank’s own internal investigations.

391 Mr Gatto provided a copy of the PIR Report to APRA on 12 April 2023.

392 Mr Koczkar considered it important for Medibank to update the market on the progress of Deloitte’s external review. As noted above, in its 28 April 2023 ASX Announcement, Medibank confirmed that it had been provided with Deloitte’s findings from its external incident review in the circumstances of the Cyber Incident, noted that a number of Deloitte’s recommendations had already been implemented, and expressed Medibank’s intention to implement all recommendations not already undertaken. Mr Koczkar also made reference to the findings of the Deloitte external review and its recommendations in a presentation on 2 May 2023.

393 Mr Gatto’s evidence was that the PIR Report had been relied on and used by him, and other lawyers at KWM, to provide legal advice to Medibank, including in relation to legal proceedings now on foot against Medibank. For example, without waiving legal professional privilege, Mr Gatto gives examples of how the Deloitte PIR Report has been used by Mr Gatto and others at KWM (and still is being used) for the purpose of:

(1)    briefing counsel;

(2)    advising Medibank on its compliance with the APPs (including APP 11.1) and CPS 234;

(3)    responding to OAIC notices;

(4)    preparing advice to Medibank on potential third-party liability;

(5)    preparing Medibank's defences in legal proceedings;

(6)    identifying key issues and areas requiring further work to manage and/or mitigate Medibank's legal risks and liabilities;

(7)    preparing summaries and notes on key factual and legal issues;

(8)    advising Medibank on breach reporting to APRA; and

(9)    advising on Medibank’s engagement with APRA.

7.5.6    Document 16 — RCA Report

394 This document is a report from Deloitte dated 10 May 2023 titled “Root Cause Analysis”.

395 On 10 May 2023, Mr Gatto sent a letter on behalf of KWM to Medibank and its Board enclosing a copy of the RCA Report on a confidential and privileged basis.

396 Mr Gatto did not attend the 16 May 2023 Board meeting at which the RCA Report was discussed due to a longstanding commitment that same day. The agenda for the meeting indicates that 60 minutes of the 90-minute meeting was allocated to the RCA Report. Mr Blatchford and Mr Carvouni spoke about the contents of the RCA Report at the Board meeting. The Board asked questions of Mr Blatchford and Mr Carvouni about the RCA Report. Mr Blatchford and Mr Carvouni provided responses to those questions and indicated that they wanted to consider making some amendments to the RCA Report to address those questions. The minutes also record that, in addition to the Board, Ms Ramsay, the three people from Deloitte and two partners from KWM, the meeting was attended by four Medibank management executives. Again, based on their titles, none of them appear to be lawyers, and all of them were listed as being present for the discussion of the RCA Report.

397 On 17 May 2023, Mr Gatto received an email from Mr Carvouni, attaching a further version of the RCA Report (being, the final version) with two minor amendments to the version provided on 10 May 2023 to address some comments and queries raised at the 16 May Board meeting. Mr Gatto then provided the final version of the RCA Report to Ms Ramsay. Later the same day Mr Gatto provided a copy of the RCA Report to APRA.

398 According to Mr Gatto, the RCA Report was used by KWM for the same purposes as set out above in relation to the PIR Report, aside from responding to OAIC notices.

7.5.7    Document 17 — CPS 234 Report

399 This document is a report from Deloitte dated 23 June 2023 titled “External Review - APRA Prudential Standard CPS 234”.

400 Mr Gatto received a copy of the CPS 234 Report on 23 June 2023. Later the same day, Mr Gatto sent a letter on behalf of KWM to Medibank and its Board enclosing a copy of the CPS 234 Report on a confidential and privileged basis.

401 Mr Gatto attended the Board meeting on 27 June 2023, at which the CPS 234 Report was discussed. The agenda records that 90 minutes was allocated to the CPS 234 Report, with another 30 minutes allocated to “Cyber Incident Litigation and Regulatory Matters”. The minutes record that Mr John Lee and Mr Carvouni of Deloitte spoke about the contents of the report and answered questions from the Board. The minutes also record that in addition to the Board, Ms Ramsay, the three people from Deloitte and two partners from KWM, the meeting was attended by six Medibank management executives, most of whom from their titles do not appear to be lawyers, all of whom were listed as being present for the discussion of the CPS 234 Report.

402 According to Mr Gatto, the CPS 234 Report was used by KWM for:

(1)    advising Medibank on its compliance with the APPs (including APP 11.1) and CPS 234;

(2)    identifying key issues and areas requiring further work to manage and/or mitigate Medibank’s legal risks and liabilities;

(3)    advising Medibank on breach reporting to APRA; and

(4)    advising on Medibank's engagement with APRA.

403 Mr Gatto provided a copy of the CPS 234 Report to APRA on 28 June 2023.

404 Mr Koczkar noted that all the Deloitte Reports are password protected within Medibank, and have only been shared with a select group of people within Medibank on a confidential basis.

7.5.8    Conclusion

405 The evidence establishes that the Deloitte Reports were commissioned by Medibank for multiple purposes, including at least the ASX/PR purpose and the APRA purpose. I accept that there may have also been a legal purpose for the commissioning of the external review, but I do not consider that the legal purpose was the dominant purpose for the commissioning of the Deloitte Reports.

406 The matters discussed above are inconsistent with the dominant purpose being a privileged purpose to enable KWM to give legal advice and assistance to Medibank.

407 For the reasons set out above, I do not consider that the legal purpose was the dominant purpose for which the Deloitte Reports were commissioned, whether the time for the consideration is at the time of the first Deloitte engagement on 16 November 2022, the date of the later engagements, after the scope of the review had been expanded, or the date on which each of the Deloitte Reports were delivered. Furthermore, I consider that the legal purpose became less dominant as the scope of the review was expanded, particularly with the involvement and input from APRA.

8.    Waiver

408 The applicants put an alternative argument in relation to the Deloitte Reports, being the waiver of legal professional privilege.

409 If I found that the Deloitte Reports had been commissioned for the dominant legal purpose, the applicants contend that Medibank’s conduct in providing the three Deloitte Reports to APRA amounts to a waiver of legal professional privilege in the Deloitte Reports.

410 Further, the applicants contend that Medibank’s public statements about the Deloitte Reports, in particular its 28 April 2023 ASX Announcement, amount to a waiver of legal professional privilege.

411 As I have found that legal professional privilege does not subsist in the Deloitte Reports, the issue of waiver does not arise. However, for completeness, I consider the issue of waiver below.

8.1    Legal principles

412 The test for waiver is whether there has been an inconsistency between what a client has done and retention of the privilege: Mann v Carnell (1999) 201 CLR 1 at [29] (per Gleeson CJ, Gaudron, Gummow and Callinan JJ):

What brings about the waiver is the inconsistency, which the courts, where necessary informed by considerations of fairness, perceive, between the conduct of the client and maintenance of the confidentiality; not some overriding principle of fairness operating at large.

413 In TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143, an independent investigation into allegations made by a former employee and which had also attracted the attention of the Australian Securities and Investments Commission led to the commissioning of a privileged report from PricewaterhouseCoopers Consulting (Australia) Pty Ltd (PwC). TerraCom had made announcements to the ASX that it had commissioned this report, including by various ASX announcements and in an open letter to shareholders. TerraCom announced that it had commissioned the investigation and, later, that it had found no evidence of wrongdoing. Justice Stewart found that privilege in the report had been waived, with this finding affirmed by the Full Court on appeal: TerraCom Ltd v Australian Securities and Investments Commission [2022] FCAFC 151.

414 In TerraCom, at [61]–[64], his Honour observed:

In my view, reliance by TerraCom on the finding in the PwC report of no wrongdoing by its CEO and CFO is inconsistent with the maintenance of the privilege that otherwise attaches to the report. TerraCom was taking advantage of that finding to deflect criticism of its officers, and itself, the effectiveness of the deflection being heightened by characterising the investigation that led to the report as an independent forensic investigation. That was to employ the findings of PwC for a forensic or commercial advantage — forensic in the sense of seeking to deflect the attention of any regulator in an investigation and commercial in the sense of maintaining the company’s commercial good standing and its share price. It cannot at the same time claim that the report is privileged. That is to seek to approbate and to reprobate.

TerraCom submits that the disclosure of the contents of the report is so minor as to be de minimus, but I do not accept that. TerraCom said that the independent investigation concluded that the allegations against, at least, its CEO and CFO were unfounded. Regardless of what other conclusions the report expressed, that is a critical finding of vital relevance to TerraCom, which is no doubt why TerraCom repeated it publicly on a number of occasions. It is not de minimus at all.

In that regard, the voluntary disclosure of the gist or conclusion of legal advice amounts to waiver in respect of the whole of the advice to which reference is made including the reasons for the conclusion … It has long been established that the disclosure in a summary way of only a conclusion expressed in legal advice can result in a waiver of the advice …

(Citations omitted.)

415 The Full Court recently considered the principles relevant to the waiver of legal professional privilege in Australian Securities and Investments Commission v Macleod [2024] FCAFC 174 at [129]–[140] (per Burley, Anderson and Meagher JJ).

416 The Full Court in Macleod noted at [138] the observations of the High Court in Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Limited (2013) 250 CLR 303 that waiver in its strict legal connotation is an intentional act done with knowledge whereby a person abandons a right or privilege by acting in a manner inconsistent with that right or privilege. The High Court went on:

[30]    … In most cases concerning waiver, the area of dispute is whether it is to be implied. In some cases, waiver will be imputed by the law [Goldberg v Ng (1995) 185 CLR 83 at 95-96] with the consequence that a privilege is lost, even though that consequence was not intended by the party losing the privilege. The courts will impute an intention where the actions of a party are plainly inconsistent with the maintenance of the confidentiality which the privilege is intended to protect [Mann v Carnell (1999) 201 CLR 1 at 13 [29]].

[31]    In Craine v Colonial Mutual Fire Insurance Co Ltd [(1920) 28 CLR 305 at 326], it was explained that “‘[w]aiver’ is a doctrine of some arbitrariness introduced by the law to prevent a man in certain circumstances from taking up two inconsistent positions ... It is a conclusion of law when the necessary facts are established. It looks, however, chiefly to the conduct and position of the person who is said to have waived, in order to see whether he has ‘approbated’ so as to prevent him from ‘reprobating’”. In Mann v Carnell [(1999) 201 CLR 1 at 13 [29]], it was said that it is considerations of fairness which inform the court’s view about an inconsistency which may be seen between the conduct of a party and the maintenance of confidentiality, though “not some overriding principle of fairness operating at large.”

(Footnotes inserted.)

417 Implied waiver of privilege “reflects a judgement that the conduct of the party entitled to the privilege is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect”: Osland v Secretary to the Department of Justice (2008) 234 CLR 275 at [45] (per Gleeson CJ, Gummow, Heydon and Kiefel JJ).

418 As Beach J observed in Robertson at [196], implied waiver is a fact-based enquiry as to whether by conduct the privilege holder has directly or indirectly put the contents of an otherwise privileged document in issue. That enquiry entails an evaluative decision based on consideration of the whole of the circumstances of the particular case, including the context and circumstances in which disclosure or use is made. The circumstances may include the nature of the matter in respect of which the privileged document was used, the evident purpose of such disclosure or use that is made and the legal and practical consequences of limited, rather than complete, disclosure.

419 In Australian Securities and Investments Commission v Australia and New Zealand Banking Group (No 2) [2020] FCA 1013, Allsop CJ offered at [31] a touchstone test of whether a waiver of privilege has occurred:

… there is a waiver if one states: ‘I have legal advice. Its substance is.’ But there is no waiver if a party says what he or she believes and legal advice may be seen to be relevant to it…

420 The onus lies on the person asserting waiver to establish that there has in fact been waiver of any privilege found to exist: State of New South Wales v Betfair Pty Ltd (2009) 180 FCR 543 at [54] (per Kenny, Stone and Middleton JJ).

8.2    Submissions

421 The applicants contend that inconsistency arises through Medibank’s disclosure of the three Deloitte Reports to the regulator, APRA, for its own advantage — to reduce the likelihood of a second external review. They submit that the inconsistency is even more stark in this case where the privilege holder shares privileged material with a regulator that can bring penalty proceedings against the privilege holder with respect to the very subject matter of the disclosed material.

422 The applicants contend that waiver arises even where, as in Goldberg v Ng (1995) 185 CLR 83, disclosure was on the express basis of confidence.

423 The applicants further submit that Medibank’s public statements are of a different quality to those considered by the Full Court in Singtel Optus. Here, Medibank made the 28 April 2023 ASX Announcement after it had received the PIR Report. As such, there was no ambiguity as to what Medibank was referring.

8.3    Consideration

8.3.1    Provision of Deloitte Reports to APRA

424 The applicants also relied on the finding of an implied waiver in Australian Securities and Investments Commission v Noumi Ltd [2024] FCA 349. There, a PwC report was prepared and provided to ASIC in the circumstance that Noumi had been attempting to cooperate with ASIC’s investigation regarding “unsaleable inventory”. Noumi entered into a “Voluntary Confidential Legal Professional Privilege Disclosure Agreement” (defined as a VDA) with the regulator under which Noumi disclosed various documents (purportedly) covered by privilege at common law, including the PwC report.

425 The Full Court in Macleod recently overturned the finding of an implied waiver on the basis of a “derivative” use of the report by ASIC. The primary judge considered that the PwC report could be used by ASIC to identify witnesses, to examine the topics to be explored with them, the questions to be asked and so on. The Full Court considered that the reference to “derivative use” was a reference to how the contents of the PwC report may be used by ASIC, finding at [147] that such derivative use of information did not amount to a disclosure of that information. To the extent that it might have been, ASIC was prevented by clause 4.1 of the VDA from doing so.

426 The Full Court in Macleod observed at [150] that an information asymmetry between parties does not of itself amount to unfairness in this context. The unfairness that informs inconsistency is forensic unfairness as between the privilege holder and the privilege challenger: Macquarie Bank Ltd v Arup Pty Ltd [2016] FCAFC 117 at [29] (per Middleton, Robertson and Gleeson JJ). The Full Court in Macleod continued at [150]–[151]:

Unlike the position on the facts in Goldberg, here, no disclosure was made by Noumi to gain an advantage over the opposing party in related litigation. Indeed at [212] the primary judge explicitly found that there was no such motive in subjective terms. Nor is one apparent in objective terms. Mere relevance of the withheld material does not by itself establish an inconsistency necessary to give rise to an implied waiver; Kinghorn at [151].

To the extent that investigations and admissible evidence obtained informed the formulation by ASIC of a case against Mr Macleod, he was entitled to access such material as might be deployed against him in the case in the course of normal pre-trial processes. Whether unfairness is considered at the time of the disclosure of the privileged material (here, on 19 October 2020) or at the time the claim for privilege is made by Noumi (13 September 2023), it may be assumed that ASIC and Noumi were aware that such pre-trial processes would make information of the kind considered above available to Mr Macleod.

427 Mere relevance of the withheld material does not by itself establish an inconsistency necessary to give rise to a waiver: Director of Public Prosecutions (Cth) v Kinghorn; Kinghorn v Director of Public Prosecutions (Cth) (2020) 102 NSWLR 72 at [151] (per Bathurst CJ, Fullerton and Beech-Jones JJ).

428 The facts of this case are very different to those in Macleod. The details of APRA’s involvement are discussed above. The following matters are of particular relevance.

429 APRA had been involved since Medibank first notified it of the Cyber Incident on day one, 12 October 2022. From 21 October to mid December 2022, APRA personnel attended twice weekly meetings with Medibank at which they were kept abreast of the developments relating to the Cyber Incident.

430 It was the evidence of both the Chair and CEO that it was a key concern of Medibank to avoid a second external review undertaken by its regulator. As Mr Koczkar observed, “it would be expedient if the one review could satisfy [APRA’s] requirements as well”. It was intended from the outset that APRA would be given a copy of the external review (ultimately three reports) for the purposes of carrying out its regulatory obligations, which included its enforcement role.

431 Medibank included APRA in the external review process from the first stage. The contact between Medibank and APRA was at the top level of both entities, involving the CEO and Chair of Medibank and Ms Smith and Mr Carmody at APRA. Medibank notified APRA of its intention to commission the external review before Deloitte was engaged. Medibank sought, and received, APRA’s comments on the draft scope of the external review and on the proposed external reviewer. APRA personnel attended tri-partite meetings with Medibank and Deloitte, with no lawyers present, during the course of the external review.

432 Medibank and APRA issued mutual press releases as to their open and cooperative ongoing relationship. The closeness of the relationship was exemplified by APRA’s role in the scoping of the external review, its attendance at the tri-partite meetings whilst the review progressed, and its receipt of all three reports on completion of the external review.

433 APRA’s involvement in setting the scope of the external review and meeting with the Deloitte team conducting the external review took place well before the privilege protocol retrospectively sought to superimpose legal professional privilege before the reports were provided to APRA.

434 In the 28 November 2022 APRA Release, APRA outlined that it had informed the scope of the external review, that it would have information regarding the findings of the report, and that it would consider whether further regulatory action was required. Medibank’s 28 November 2022 ASX Announcement affirmed that the findings of the review would be shared.

435 The contemporaneous documents which reflect Medibank and APRA’s engagement with respect to the external review and the provision of the Deloitte Reports to APRA were not formalised into a VDA, like in Macleod, but were provided pursuant to a written protocol. This protocol was addressed in the 15 February 2023 Letter from Mr Huijsen to Medibank, as extracted above at [157]. This protocol also refers to discussions between Medibank and APRA on 21 December 2022.

436 APRA expressly indicated via public statements that the information in the Deloitte Reports may be used for APRA to undertake further regulatory action. In Macleod, ASIC indicated similarly that information within the report would be applied for a ‘derivative use’ to prosecute Mr Macleod.

437 There was nothing in the protocol (nor could there be) to stop APRA using the information and intelligence gained through its interactions with Deloitte and the Deloitte Reports themselves for its own regulatory purposes — purposes which were in direct tension with Medibank’s interests in protecting its legal position.

438 Given APRA’s involvement from the very beginning of the Cyber Incident and Medibank’s early intention to keep APRA informed of the substance of the Deloitte Reports, it is evident that whatever information within the Deloitte Reports was relevant for APRA’s purposes was always intended to be shared with it. Rather than supporting a waiver, I consider that this is consistent with my earlier conclusion as to why legal professional privilege does not subsist in the Deloitte Reports.

439 In this sense, any “derivative use” of the information in the Deloitte Reports cannot be made out, as in this case APRA’s involvement in the commissioning of the Deloitte Reports and their respective scopes evidences the fact that these reports were never created or commissioned to be used for a dominant legal purpose from their very inception.

8.3.2    Waiver via public statements

440 The applicants submit that by the 28 April 2023 ASX Announcement (and all other such public statements), Medibank voluntarily disclosed the “gist or conclusion[s]” of the Deloitte Reports and what it was doing with them. It did so, if nothing else, because of the obvious forensic advantage to deflect regulatory action, and the obvious commercial advantage to assuage customer concerns that Medibank was, in its own words, “enhanc[ing] [its] systems and processes to provide [its] customers with the security they expect and deserve”.

441 The applicants contend that the inconsistency lies in Medibank’s use of the Deloitte Reports for the ASX/PR purpose — from before their commissioning, during the review process and after completion of the Deloitte Reports — in purporting to provide comfort to its shareholders and customers that it would learn from this Cyber Incident, strengthen its ability to safeguard customers, and share the learnings, when in fact Medibank had no intention of sharing any of the outcomes and now asserts that the dominant purpose for which the Deloitte Reports were commissioned was the provision of legal advice and litigation assistance, not the protection of its customers. The applicants submit that there is an inherent inconsistency in seeking to rely on the commissioning of the Deloitte Reports in the midst of a public relations crisis and seeking to rely on privilege in trying to resist production of the Deloitte Reports.

442 Similar submissions to those made by the applicants in this case were made by the applicants in Robertson. They alleged inconsistency in Optus relying upon the Deloitte report whilst it was in the midst of a public relations crisis and then seeking to rely on privilege in trying to resist any inspection of the report itself. Justice Beach rejected the applicants’ waiver argument in Robertson, concluding at [195] that none of the public statements put the contents of the otherwise privileged report in issue.

443 The applicants seek to distinguish Robertson on the basis that the relevant statements there were made before the completed Deloitte report had been received by Optus. Here, the 28 April 2023 ASX Announcement expressly confirms that Medibank “has now been provided with Deloitte’s findings from [the external incident] review” and continues “Deloitte has made recommendations to enhance Medibank’s IT processes and systems. A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken …”. The Chair is then quoted as saying “the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further”. Following on from the discussion of the Deloitte report’s recommendations, the recommendations spoken of by Mr Wilkins must be the Deloitte recommendations.

444 Only one report had been delivered to Medibank by 28 April 2023, the PIR Report.

445 In my view, by making this reference to the Deloitte PIR Report, Medibank was seeking to take advantage of its implementation of the recommendations resulting from the external incident review conducted by Deloitte to deflect criticism and enhance or maintain its good standing in the eyes of its shareholders and customers and its share price. It cannot at the same time maintain privilege in that part of the report setting out the recommendations to enhance Medibank’s IT processes and systems. I consider that by making the statements in the 28 April 2023 ASX Announcement, Medibank has waived privilege in that part of the PIR Report relating to the recommendations to enhance Medibank’s IT processes and systems.

446 The statements in the 28 April 2023 ASX Announcement were not casually made, they were consciously and deliberately made following consideration by at least the Board, by way of a formal ASX announcement.

9.    Conclusion

447 For the reasons set out above I consider that legal professional privilege does not subsist in the three Deloitte Reports (Documents 15, 16 and 17 listed in Annexure A). I consider that the CyberCX and Coveware Communications (Documents 1, 2, 3, 4, 5, 6, 7, 8 and 9 listed in Annexure A), the CrowdStrike Reports (Documents 10 and 11 listed in Annexure A) and the Threat Intelligence Reports (Documents 12 and 13 listed in Annexure A) are privileged.

448 At this stage, I will make orders that within seven days of the date hereof the parties file and serve proposed minutes of orders to give effect to these reasons.

I certify that the preceding four hundred and forty-eight (448) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Rofe.

Associate:

Dated:    7 March 2025

ANNEXURE A

No.    Description of document    Date of document

CyberCX and Coveware

1    Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Re: Medibank I Key ransom issues and action plan    26 October 2022

2    Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Re: Project Opera (privileged and confidential)    27 October 2022

3    Attachment to email from Nick Klein to Cheng Lim titled “Case 06064 - Coveware.pdf”    27 October 2022

4    Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Fwd: Update on TA comms (privileged and confidential)    29 October 2022

5    Attachment to email from Nick Klein to Cheng Lim titled “image001.png”    29 October 2022

6    Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.17.13 AM.png”    29 October 2022

7    Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.19.42 AM.png”    29 October 2022

8    Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.20.03 AM.png”    29 October 2022

9    Attachment to email from Nick Klein to Cheng Lim titled “Case 06064 - Coveware.pdf”    29 October 2022

CrowdStrike

10    Report from CrowdStrike dated 12 December 2022 titled “Privileged Investigation Report”    22 December 2022

11    Report from CrowdStrike dated 11 May 2023 titled “Privileged Investigation Report - Atlassian Crowd Analysis”    11 May 2023

Threat Intelligence

12    Report from Threat Intelligence dated 4 January 2023 titled “Medibank Digital Forensics and Incident Response Report”    4 January 2023

13    Report from Threat Intelligence dated 23 February 2023 titled “Draft Investigation Report - Medibank Sharepoint Investigation”    23 February 2023

Datacom

14    Email from Jonathan Prideaux of KWM to (among others) Con Xenos of Datacom and Melissa Monks of Medibank re: “[EXTERNAL] RE: Information Request”    14 January 2023

Deloitte

15    Report from Deloitte dated 4 April 2023 titled “Post Incident Review”    4 April 2023

16    Report from Deloitte dated 10 May 2023 titled “Root Cause Analysis”    10 May 2023

17    Report from Deloitte dated 23 June 2023 titled “External Review - APRA Prudential Standard CPS 234”    23 June 2023