This article explores recent Australian case law on legal professional privilege in the context of cyber incident response. It highlights key decisions involving Optus and Medibank, and outlines practical steps lawyers can take to help clients protect sensitive communications and investigation materials. This article was first published in Privacy Law Bulletin issue 22.3 (June 2025).
Key Takeaway Points
To enhance their chances of success in a claim of LPP over investigation reports, businesses should:
- Have a cyber incident response plan.
- Engage external counsel early.
- Identify all purposes for conducting an investigation early and consider separate investigations and reports according to purpose if necessary.
- Ensure that the scope and terms of engagement of non-lawyer consultants are set within the confines of legal purpose where possible and clearly state that legal purpose if privilege claims are to be made.
- Ensure that lawyers oversee investigations and receive reports, and align internal and external messaging with the legal purpose.
Introduction
Businesses that experience a cyber incident frequently resist the unwanted disclosure of confidential or sensitive information related to the incident, since such disclosure may have adverse consequences for them.
In 2023, litigation arising from the 2022 cyber attack on Australian telecommunications company Singtel Optus (Optus) prompted renewed interest in protection of communications and documents via assertion of legal professional privilege (LPP). Robertson v Singtel Optus Pty Ltd[i] was the first Australian case where LPP was considered in the context of a cyber incident. At issue here was Optus’s claim of privilege over an investigation report prepared for it by Deloitte[ii], together with related documents. Subsequently in 2024, the first-instance decision by Beach J rejecting this claim was upheld on appeal to the Full Court of the Federal Court of Australia, in Singtel Optus Pty Ltd v Robertson[iii].
The 2022 cyber attack on health insurer Medibank Private (Medibank) also gave rise to litigation and proceedings concerning a claim of privilege by Medibank. In McClure v Medibank Private Limited[iv], 17 documents were at issue including three reports prepared by Deloitte:
- A ‘Post Incident Review’
- A ‘Root Cause Analysis’ and
- An ‘External Review – APRA Prudential Standard CPS 234’.
Production of the Deloitte reports was ordered[v] in both the Optus and Medibank cases when claims of LPP over these ‘contested reports’ failed. But significantly, in the Medibank decision handed down in March 2025, the company succeeded in its claim of LPP over other documents including emails and reports by other non-lawyer consultants – ‘cybersecurity advisory firms’ including CyberCX and CrowdStrike – following a document-by-document consideration, though the documents were not inspected.
What is legal professional privilege?
LPP affords protection to confidential communications and documents between a lawyer and a client that are made for the dominant purpose of:
- the lawyer providing legal advice or professional legal services to the client (‘advice privilege’), or
- the lawyer providing legal services for use in current or anticipated litigation (‘litigation privilege’).[vi]
Communications between clients and non-lawyers are not covered by LPP. This privilege developed under common law[vii] and serves to foster the frank and confidential exchange of information between client and qualified lawyer, so that informed legal advice and services can be obtained with confidence. The client is the holder of the privilege.
Why did these Deloitte reports fail to attract privilege?
Optus
In his Reasons for Judgment Beach J noted that the Optus respondents relied solely on an affidavit from their general counsel and company secretary, and that following the cyber attack he had appointed external counsel from Optus’s legal panel. His Honour noted that the external lawyers’ scope of work said nothing expressly about the Deloitte review.
Largely on the basis of an Optus press release dated 3 October 2022, together with other documentation including Board meeting minutes, Beach J determined that the review by Deloitte had been recommended by the Optus CEO and supported unanimously by the Singtel Board. He identified the purposes other than for Optus to obtain legal advice or for use in litigation/regulatory proceedings as:
- to identify the circumstances and root causes of the cyber attack for management purposes and rectification
- for review of Optus’s management of cyber in relation to its policies and processes
- to assist the CEO and Board in media messaging relating to identification of cause and rectification to prevent a recurrence (at [121]-[125]).
Justice Beach summarised his overall finding thus:
‘the Optus respondents have not satisfied me that they satisfy the dominant purpose test. Clearly they had multiple purposes in procuring the review and report by Deloitte, one of which was a privileged purpose. But I am not satisfied that the latter satisfies the requisite dominant purpose test’.[viii]
Medibank
In her Reasons for Judgment Justice Rofe noted that Medibank relied on the ‘purported intentions and respective states of mind’ of its CEO, a director and chair of the Medibank Board, and Medibank’s general counsel and company secretary. Medibank had engaged external legal counsel, with whom it had a pre-existing standing arrangement under a master services agreement. It was accepted that legal advice provided to Medibank by external counsel related to matters including risks of possible class actions from customers and shareholders, and Medibank’s engagement with the Office of the Australian Information Commissioner (OAIC), the Australian Prudential Regulation Authority (APRA), the Australian Securities Exchange (ASX) and the Australian Federal Police (AFP). External counsel briefed senior counsel in relation to the legality of paying a ransom in respect of the 2022 cyber incident.
The Reports were found to have been commissioned for multiple purposes including not only the legal purpose but also ‘at least’:
- the ASX/PR purpose. Medibank made statements to the ASX and its shareholders and customers – on the basis of just one Deloitte report received at the time – to the effect that it had received and would implement recommendations to enhance systems and processes (see at [445] ff). Rofe J considered that any privilege in the Deloitte reports in relation to the enhancement of systems and processes was waived by statements made in Medibank’s ASX announcement.
- the APRA purpose. APRA had been notified of the incident on the day it occurred and remained in close contact with Medibank. Medibank advised APRA of its intention to commission the Deloitte review and APRA was involved in setting the review’s scope: ‘it was a key concern of Medibank to avoid a second external review undertaken by its regulator’ (at [430]), and the review was always intended to be shared with APRA. This is inconsistent with a claim that LPP subsists in the Deloitte Reports.
Her Honour also took particular care to set out Board missteps that contributed to the failure of Medibank’s privilege claim:
In addition to the multiple public statements as to the purpose of the external review being to safeguard its customers’ information discussed […] above, I consider that the following factors further tend against the dominant purpose for the commissioning of the external review being for the legal purpose:
- the Board’s desire for an unvarnished view of what had occurred, rather than unvarnished legal advice;
- the Board’s close oversight of the external review, including the personal attention and intervention of the Chair of the Board;
- the direct reporting by Deloitte to the Board rather than via KWM;
- the pre-Board meeting briefings with the Chair of Medibank; and
- the Board’s desire to be seen by its stakeholders (shareholders, customers, health partners) to be treating the Cyber Incident seriously.[ix]
Her Honour noted that the scope of the Deloitte review had been expanded over time, and considered that the legal purpose became less dominant as the scope expanded. Overall, Rofe J found that the evidence considered was inconsistent with the dominant purpose of the Deloitte Reports being to enable the external counsel to give legal advice and assistance to Medibank.
Why did the reports of CyberCX, CrowdStrike (and other cybersecurity firms) attract privilege?
CyberCX was initially engaged for operational purposes. However, Medibank’s external counsel sent a second engagement letter to CyberCX relating to assistance with the cyber incident including negotiating with the Threat Actor and the legality of paying a ransom, in light of anti-money laundering laws and other issues. This was reflected in CyberCX’s Statement of Work. CyberCX was also shown to have had limited direct interaction with non-legal Medibank personnel. Its report was found to have been used by external legal counsel to advise the Board.
CrowdStrike assisted Medibank’s IT security team and internal lawyers, and external counsel, pursuant to a series of engagements that were modified and expanded over time. Justice Rofe stated that whether the two CrowdStrike reports (the Investigation Report and the Atlassian Report) delivered to external counsel are the subject of LPP is to be determined ‘by reference to the documents themselves and the purpose for which they came into existence’.[x] She considered that their statement of work[xi] and engagement (including a letter of retainer issued directly by Medibank’s external counsel indicating a dominant legal purpose) was but one factor to consider. Similarly, she considered that statements within the reports that they had been prepared at the request of external counsel for the dominant purpose of external counsel providing legal advice to Medibank were not solely determinative.[xii]
Ultimately it was found that although CrowdStrike’s initial engagement was for operational purposes and generated non-privileged information, the Investigation Report per se was privileged. The report had been created at the request of a Partner at the external counsel firm, and central to that report was to be an explanation for external counsel, based on CrowdStrike’s earlier data collection work, as to which Medibank systems were accessed by the Threat Actor and when, in order to provide legal advice to Medibank.[xiii]
That same Partner had requested that CrowdStrike undertake a further investigation in relation to Medibank’s Atlassian suite of products in order for external counsel to understand the activities of the Threat Actor and provide legal advice to Medibank. Again, although prior information did not attract privilege, it was found that the dominant purpose of the Atlassian report per se was to provide Medibank with legal advice.
These findings in both the Optus and Medibank matters serve to illustrate the enduring sagacity of the late Honourable Justice Paul Finn’s observation paraphrased as:
The more that a client “filters, adapts or exercises independent judgment” in relation to a non-lawyer’s advice, the less likely privilege can be maintained. Such behaviour will “more readily give rise to an inference that the dominant purpose for the creation of the non-legal advice was a non-privileged purpose”.[xiv]
Relevance of LPP to OAIC investigations
LPP is of course also relevant to production of materials in the course of investigations by regulators. In December 2024, the OAIC published guidance on making claims for LPP when responding to a compulsory notice issued under the Privacy Act 1988 (Cth) (Privacy Act). [xv] The OAIC’s regulatory powers include document and information gathering powers, notably under ss 26WU and 44 of the Privacy Act. Before they respond, the OAIC expects recipients of compulsory notices (recipients) to make their own assessments of whether LPP applies in the circumstances (including obtaining legal advice where appropriate) and if so, deciding whether the documents or information should be withheld or redacted. Guidance is also given about claiming LPP over oral information.
In order to assess and substantiate recipients’ claims for LPP, the OAIC generally requests that specified particulars be provided voluntarily. It is important to note that when recipients provide the requested information, the OAIC will not assert that the information provided for the purposes of substantiating the claim amounts to a waiver of the recipient’s LPP claim.[xvi]
The OAIC will determine claims of LPP in accordance with common law considerations including whether the advice given is independent. It states that it will reject a claim of LPP where in its view:
- the claim for LPP is not recognised under Australian law, for example, it is not a confidential communication made for the dominant purpose of providing or receiving legal advice, or for the dominant purpose of being provided with professional legal services in relation to actual or anticipated legal proceedings;
- the LPP holder has waived the privilege by acting in a manner that is inconsistent with the maintenance of confidentiality over the material which the privilege is intended to protect; or
- the LPP claim is otherwise not substantiated or valid (for example, where the OAIC believes that the privilege holder has not adequately substantiated their claim for LPP by providing sufficient information to the OAIC, or the information said to be protected by LPP is a communication made for the purposes of committing fraud or a criminal offence).
Where the OAIC does not accept a claim of LPP, it may make an application to the court seeking a declaration that information or documents over which privilege has been claimed is not subject to LPP. If the OAIC is successful in obtaining that declaration it may seek cost recovery.
When might privilege be at risk?
As indicated above, case law in relation to LPP in investigation reports addresses numerous circumstances in which LPP can be jeopardised. Common missteps include:
- Commissioning investigation reports through an in-house lawyer who may be considered insufficiently independent to attract LPP. This risk is higher where a lawyer’s legal role is combined with other functions, for example as Chief Risk Officer providing business or strategic advice.
- Commissioning investigation reports through a Board member or non-lawyer executive, such as Head of IT, or otherwise giving oversight to a non-lawyer.
- Commissioning or creating investigation reports for a mixed purpose rather than for the dominant purpose of legal advice or litigation advice.
- Inadvertently waiving LPP that may apply by making disclosures concerning investigation reports in contexts such as press releases and stakeholder communications, media interviews and Board minutes. All these may be reviewed as evidence when dominant purpose is to be determined by the courts or a regulator.
Practical steps
Recommended practical steps businesses can take in order to have the best chances of maintaining privilege over confidential and sensitive materials fall into two main types: preparatory steps, and steps taken contemporaneously with a cyber incident.
- Have a cyber incident response plan: Those businesses that have an appropriate and up-to-date cyber incident response plan[xvii] and follow it reduce the risk of unwanted disclosure. This is because the plan should specify which functional areas and designated individual roles and persons comprise the response team, and set out their respective responsibilities and the actions they are required or authorised to take. For example:
  - it may be appropriate to authorise only external counsel or the business’s general counsel (if sufficiently independent) to engage forensic investigators. Where the response team includes both internal and external lawyers, their respective roles and responsibilities should be scoped in detail in the plan.
  - the plan could specify that only the CEO or Chair is authorised to communicate with the media about the incident, in which case the CEO or Chair should be advised by lawyers on matters including potential grounds of any privilege to be claimed so that their statements to the media are consistent. They should also be guided on how to avoid waiving privilege in comments made to the media.
Businesses frequently involved in litigation may already have an LPP protocol as part of their suite of corporate governance resources. Some regulators such as the Australian Tax Office also publish LPP protocols containing useful general guidance. Where such protocols exist, or guidance such as the OAIC’s outlined above has been published, these should inform cyber incident response plans.
- Engage external counsel early: Clearly lawyers should be part of the response team as soon as it is convened, for purposes of both incident management and privilege maintenance. Nevertheless, arrangements for legal input will vary according to factors such as the experience and capacity of any in-house lawyers, and whether they also have non-legal functions. Though businesses may have instructed external counsel to assist as part of their cyber incident preparations, unless the external counsel selected have already been retained or instructed when an incident occurs, their assistance in the critical early stages of response may be delayed due to factors such as negotiation over scope or conflict checks.
- Identify all purposes for conducting an investigation early and consider separate investigations and reports. As discussed above, a company may identify not only the requirement for legal advice as a purpose for conducting an investigation, but also operational, statutory or reporting requirements, communications requirements and more. Companies should consider adopting a strategy designed to preserve highly confidential material by conducting:
  - non-privileged investigations, usually highly technical and not commissioned by lawyers, on the understanding that these may be subject to disclosure.
  - privileged investigations, usually commissioned by external counsel, asserted to be for the dominant purpose of providing the company with legal advice.
- Ensure that the scope and terms of engagement of non-lawyer consultants are set within the confines of legal purpose and clearly state that legal purpose if privilege claims are to be made.
- Ensure that lawyers oversee investigations and receive reports, and align internal and external messaging with the legal purpose. Even if clearly labelled as privileged, factors that will weigh against the dominant purpose being found to be a legal purpose include inconsistent actions taken by the business. Similarly any evidence derived from communications to staff or the media that reports may have been commissioned for mixed or other purposes rather than a dominant legal purpose will reduce the chances of successful assertion of privilege.
Conclusion
While there are no guarantees as to whether, in individual cases, privilege will be found, the Optus and Medibank findings finally put to rest any thought that marking documents ‘Privileged’ will ensure their confidentiality. Absent sufficient evidence to support a claim that the dominant purpose for their preparation was legal advice, privilege claims are unlikely to succeed, as her Honour Justice Rofe made clear in McClure v Medibank:
Each of the relevant engagement documents pursuant to which the reports were produced instructed the authors to make reference to the report being prepared for the dominant purposes of legal advice. As such I expect each of the Contested Reports to be peppered with references to privilege incantations, which of themselves, divorced from the circumstances of the creation of the document are largely meaningless and not determinative of whether the particular report is the subject of legal professional privilege.[xviii]
[i] Robertson v Singtel Optus Pty Ltd [2023] FCA 1392
[ii] See https://www.deloitte.com/global/en/about/governance/network-brand-alliances.html
[iii] Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58
[iv] See McClure v Medibank ibid. Rofe J subsequently declined to make an order as to costs in this matter: see McClure v Medibank Private Limited (No 2) [2025] FCA 343: ‘this proceeding remains at an early stage. This means that the litigation may take many turns from here’ at [21].
[v] Medibank has sought leave to appeal the decision in respect of the three Deloitte reports.
[vi] The first-instance decision in Robertson v Singtel Optus Pty Ltd has been followed in relation to LPP. See Nazir v State of New South Wales [2024] NSWSC 1015 per Davies J at [11]: ‘In Sparks, in the matter of IG Energy Holdings (Australia) Pty Ltd (Administrators Appointed) [2024] FCA 613 Derrington J set out principles of legal professional privilege, relying on what had been said by Beach J in Robertson v Singtel Optus Pty Ltd [2023] FCA 1392’.
[vii] See Daniels Corporation International Pty Ltd v Australian Competition and Consumer Commission [2002] HCA 49 (7 November 2002).
[viii] Robertson v Singtel Optus Pty Ltd at [3]. The principles of LPP as summarised by Beach J in this decision were adopted by Derrington J in Sparks, in the matter of IG Energy Holdings (Australia) Pty Ltd (Administrators Appointed) [2024] FCA 613 (13 June 2024) (Sparks) at [50]. Derrington J also drew a number of points from his Honour’s reasons.
[ix] McClure v Medibank Private op cit per Rofe J at [372].
[x] Ibid at [278]
[xi] Ibid at [240]. ‘Pursuant to the CrowdStrike SOW, CrowdStrike was to provide investigation services, analyse data, deploy CrowdStrike tools including the Falcon software, determine compromised or accessed systems, develop a timeline of attacker activity, provide recommendations for containment and recovery actions and produce recommendations for long-term continuous security posture improvement.’
[xii] Ibid at [282]
[xiii] Ibid at [284]
[xiv] Per Derrington J in Sparks op cit at [50].
[xv] See OAIC Guidance at https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/making-claims-of-legal-professional-privilege
[xvi] See Australian Securities and Investments Commission v Macleod [2024] FCAFC 174 re issues including whether disclosure to a regulator is a waiver of privilege, and whether ‘derivative use’ and/or ‘derivative disclosure’ of a report amounted to a waiver of privilege.
[xvii] Be aware that not all sample response plans, readiness checklists and the like cover the legal aspects of responding in detail and may need to be adapted accordingly. For example it is stated that the Cyber Incident Response Plan (CIRP) Template and the Cyber Incident Response Readiness Checklist (Appendix B) published by the Australian Signals Directorate and Australian Cyber Security Centre at https://www.cyber.gov.au/sites/default/files/2023-03/ACSC%20Cyber%20Incident%20Response%20Plan%20Guidance_A4.pdf are intended to be used as a starting point for organisations to develop their own plan and readiness checklist.
[xviii] McClure v Medibank op cit at [13].
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.