outubro 04 2024

Legal Privilege in Cyber Incidents: Lessons for Hong Kong from Australia’s Optus Cyber Breach

Share

Important lessons for Hong Kong organisations managing cyber accidents may be learned from the noteworthy ruling in a recent Australia case, Singtel Optus Pty Ltd v. Robertson [2024].

For background, from 17-20 September 2022, Optus suffered a cyber-attack (the “Incident”) through an unprotected and publicly exposed API.

The company secretary and general counsel (GC) of Optus found out that up to 9.5 million Optus customers with personal information could potentially be affected by the Incident. Inevitably, it would prompt regulatory investigations as well as legal action.

Optus subsequently engaged external counsel and Ashurst Australia (Ashurst), an external law firm, to advise regarding the incident.

On becoming known to the public, more than one law firm published media releases regarding the investigation, and possibility of legal action against Optus.

Optus later issued its own media release (Media Release) and engaged Deloitte to carry out forensic investigation into the incident.

In his initial judgement, the primary judge Beach J addressed legal issues involved in granting the orders for discovery and inspection in relation to the Deloitte report (Report) over which Optus had asserted legal professional privilege (LPP). The judge rejected Optus’ claim for LPP.

Optus subsequently applied for leave to appeal the decision – but the Full Court of the Federal Court of Australia dismissed the application.

Relevant Legal Principles

Under common law, Optus had to satisfy the dominant purpose test by establishing that “confidential communications [were] made for the dominant purpose of the client obtaining legal advice or for use in litigation or regulatory investigations proceedings”.

It was insufficient for Optus to show that the privileged purpose is a substantial purpose or one of the purposes, but that it must be predominant and is the most influential purpose.

The purpose for the creation of a document is to be determined objectively, taking into account its nature, the evidence and the submissions by the parties. The extent and nature of evidence required to prove that privilege exists depends on the facts and circumstances.

Evidence showing a person’s intention in creating, authorising or procuring the document is not conclusive. In fact, the “character of the documents” will shed light on the purpose of their creation. The privileged purpose must also be the paramount purpose.

It is open to a trial judge to reject or to assign limited weight to assertions of a witness testifying that documents were for a privileged purpose. The mere lack of challenges to evidence of state of mind does not mean the trial judge is obliged to accept such evidence.

Judge Beach concluded that Optus was unable to establish that LPP applied to the Report as it was unable to demonstrate that the dominant purpose test had been satisfied.

Given that Optus was unable to establish that LPP applied to the Report, Optus was also held not to have established that LPP applied to the Deloitte’s instructions and brief. Hence the Full Court rejected Optus’ application for leave to appeal against Judge Beach’s decision.

Key Discussion in Primary Judgment

State of mind:

Optus primarily relied on the GC’s state of mind to support its argument that there was a dominant purpose. The GC anticipated the Incident would lead to regulatory investigations and legal actions, and an external investigation into the Incident was necessary to provide legal advice in relation to the Incident.

However, Judge Beach noted various “problematic aspects” with the GC’s evidence (the “GC’s Evidence”), including:

  1. The GC’s Evidence did not correspond to the Media Release;
  2. There was no direct evidence from the Chief Executive Officer of Optus and other SOPL Board members regarding their purpose;
  3. The statements attributed to the Chief Executive Officer of Optus manifested a dominant purpose other than for the purpose of litigation or legal advice;
  4. The Draft Resolution and Revised Resolution were not entirely consistent with what Optus had put forward;
  5. It was sometimes unclear whether the GC was acting in his capacity as a general counsel, a company secretary or both; and
  6. Some critical areas of the GC’s Evidence were vague.
Deloitte report:

Judge Beach opined the evidence was unable to demonstrate the Report was created for the dominant purpose of obtaining legal advice or for regulatory or litigation proceedings. Judge Beach identified the following purposes of Optus:

  • Obtaining legal advice or for use in regulatory or litigation proceedings;
  • Identifying the causes of the Incident for rectification and management; and
  • Reviewing how Optus managed cyber-risk with reference to its policies.
Media Release:

The general message of the Media Release in relation to the Deloitte review was to identify the root cause of the Incident and remediation steps. It did not mention that the review was made for legal purposes or recommended by lawyers.

The Chief Executive Officer of Optus’s statement of her commitment to rebuild trust with Optus’ customers illustrated that her dominant purpose concerning “the Deloitte review was not a defensive legal or litigation strategy”.

Her statements remarking that “the forensic review would play a crucial role in the response to the incident for Optus, as it works to support customers”, “we are determined to find out what went wrong”, “[t]his review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus…” also suggested that legally privileged purpose was not the dominant purpose.

Draft Board Resolution & Signed Board Resolution:

The draft board resolution indicated that legally privileged purpose was not the dominant purpose of the Deloitte review.

The draft resolution made reference to Singapore Telecommunications Limited (Singtel) (i.e., Optus’ holding company) and stated its proposition to undertake “a broader view of security systems, controls and processes across the Singtel Group”. This suggested that the purpose of the Deloitte review was not only to deal with Optus’ legal issues.

However, the signed resolution differed from the draft in various aspects – for example, reference to Singtel was not present in the final board resolution.

Deloitte’s Retainer Letter (Retainer):

If a dominant purpose could not be demonstrated on or before the 11 October 2022 Board Resolution (the “Resolution”), having the Retainer would not change the analysis of the dominant purpose test.

The signed resolution stated that Deloitte had started its reviews before the Retainer was concluded on 21 October 2022. No evidence indicated the reviews were made under the instruction of Ashurst. Ashurst’s email dated 23 September 2022 also made no reference to any external review by Deloitte.

Judge Beach thus noted that “endeavours to cloak the Deloitte review with LPP were more to the fore in late October 2022 than they were at the start of the month”.

Optus’ website announcement:

On 25 October 2022, Optus published on its website an announcement titled “A letter to our customers”. It stated that “…we have commissioned an independent external review – led by Deloitte – into the cyberattack and how criminals got through our defences this time…We are committed to learning…sharing lessons so all companies and all Australians can benefit from our terrible experience”.

Referring to the content of the letter, Judge Beach opined that its content did not correspond to a report that was made “predominantly for legal advice or a litigation purpose”.

Privilege protocol & general guidance note:

On 25 October 2022, Optus emailed several documents to Deloitte, including a privilege protocol and a general guidance note.

The privilege protocol including statements such as: “The purpose of the Engagement is to enable Ashurst to provide legal advice to Optus so as to fulfil its obligations and protect its rights in responding to the Cybersecurity Incident”; “[d]ocuments which are not relevant to obtaining legal input should not be sent to Ashurst”.

The guidance note, on the other hand, noted that “[i]n the course of your work [on the data breach], you may send or receive documents and be involved in communications that are subject to legal advice privilege”.

Given that the privilege protocol and general guidance note were given to Deloitte after the Resolution, these materials would not have a dominant purpose if such purpose was non-existent on or before the date of the Resolution. Judge Beach also opined that “[c]hannelling materials through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have”.

Leave to Appeal Application

Treatment of unchallenged evidence:

Optus’ main proposed ground for appeal was that Judge Beach should have found the GC’s evidence conclusive on the issue of dominant purpose. Optus claimed that as the Respondent chose not to cross-examine the GC, his evidence ought to be accepted unless it is inherently incredible or contradicted by facts otherwise established on the evidence.

The Full Court did not accept Optus’ submission, most notably for the following reasons.

Totality of evidence indicates other purposes: The Full Court took the view that the GC’s evidence was only part of Judge Beach’s analysis and Judge Beach was not bound to give overwhelming significance to that.

It also found that where it is clear there existed non-legal purposes, Optus has failed to adduce evidence to show the dominance of the privileged purpose and that the GC’s evidence also did not acknowledge or explain the existence of the non-legal purposes. Coupled with the existence of other evidence such as the signed board resolutions which referred to non-legal purposes, Judge Beach was correct to conclude that the totality of evidence did not indicate that the GC’s evidence should be determinative.

Court not obliged to accept unchallenged evidence: The Full Court found that Judge Beach was not obliged to treat the GC’s evidence as determinative just because he was not cross-examined on such evidence. The absence of cross-examination does not automatically lead to the subject evidence being accepted in full, especially if such evidence is inadequate and that the totality of evidence suggests otherwise.

Time for Assessment of Dominant Purpose

Another ground for appeal was that Judge Beach erred by holding that Optus’ purposes for procuring the Report should be assessed either (i) on 3 October 2022 when the Media Release announced the engagement of Deloitte or (ii) on or prior to 11 October 2022 when the Board passed the resolution for procuring the Deloitte review.

Optus submitted that the correct time of assessment should be either (i) 21 October 2022 when Deloitte’s Retainer was concluded or (ii) 13 July 2023 when Deloitte provided the Report to Optus and Ashurst.

The Full Court considered such allegation to be without substance. It found that the correct time for assessing purposes depends on the particular circumstances of the case, and in the case of the commissioning of a report from a third-party provider the assessment time is the time of commissioning. The Full Court added that it is possible for events subsequent to the time of commissioning to be relevant. It agreed with Judge Beach’s finding that the purpose for the commissioning of the Report was formed between 3-11 October 2022.

In any event, the Full Court found that whether purposes were assessed as per Judge Beach’s judgment or Optus’ suggested dates, no difference would be made to the finding that the Report was not procured for a dominant privileged purpose.

Takeaways

The legal position on legal privilege in Hong Kong is similar to that in Australia. For organisations managing cyber accidents here, the case demonstrates the importance of asserting LPP and provides useful guidance on how to retain privilege.

Key takeaways are:

  1. Legal engagement: external solicitors should be engaged from the outset when a data breach occurs, preferably before the forensic investigation. This ensures that the organisation experiencing the cyber event is able to claim LPP throughout the entire incident response process. Helpfully, in Hong Kong there is a broader test for legal advice privilege in that the “client” is the corporation and internal confidential documents prepared for the dominant purpose of obtaining legal advice is protected by legal advice privilege (see Citic Pacific Limited v. Secretary for Justice & Commissioner of Police [2015] HKEC 1263). It should be noted as well that an organisation will not be able to claim privilege if the incident is handled by an incident response manager (for example, loss adjuster) who is not an external counsel.
  2. Public communication: the organisation should be mindful of what is written in its public statement about the incident and limit the distribution of external forensics reports.
  3. Internal communication: the organisation should be mindful of internal communications about the incident, be they oral or written, as all relevant correspondence might be considered by court in deciding whether the organisation can claim LPP over a particular document. To avail itself of the protections of privilege, the organisation should adopt best practices for communications and documents. In this regard, the role of legal counsel or a breach counsel in managing or “quarterbacking” the investigation is crucial and communications should reflect the centrality of legal counsel in that role. For sensitive communications, the organisation should consider communicating orally with legal counsel (in person or over the phone). In written communications, care needs to be exercised mixing non-legally privileged issues with legally privileged issues.
  4. Data breach response plan: the organisation should develop a data breach response plan to ensure that proper communication channels are established before a data breach occurs. Internal reports following a cyber incident (e.g. Board reports) should reflect the organisation’s perspective as well as what has been decided and why.
  5. Scope of the forensic report: the scope of any forensic investigation report should be confined to identifying facts that will assist in assessing the organisation’s legal obligations arising from the breach. Hence, it is crucial to consult solicitors about what is required from a forensic report and how to ensure the report will have the benefit of privilege.

Serviços e Indústrias Relacionadas

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe