Multi-purpose reports remain most challenging for privilege
A recent Federal Court decision has further highlighted the challenges of maintaining privilege claims over third-party investigation reports. This is particularly relevant where those reports are—or become—relied on for non-legal purposes, including operational, regulatory and public or investor relations.
Medibank has had mixed results in defending challenges to privilege claims over a series of third-party reports relating to its 2022 major data breach. It successfully defended claims over narrower and more targeted reports and communications with CyberCX, Coveware, CrowdStrike and Threat Intelligence, including, eg, those concerning negotiations with the threat actor.
However, Medibank failed to sustain its claim over three wider-ranging reports prepared by consultant Deloitte, which the court found had multiple purposes, with the legal purpose not being predominant.
While the court's reasoning is consistent with the Full Federal Court's decision in Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 (see our previous Insight), it demonstrates that the challenges of maintaining privilege claims can remain even when detailed witness evidence is carefully prepared to support those claims.
Medibank has sought leave to appeal the court's decision in relation to the reports by Deloitte.
This Insight considers the implications of the decision and outlines practical steps to take when an investigation report is commissioned for a legal purpose.
Key takeaways
- The Federal Court has rejected Medibank's privilege claims over three factual investigation reports prepared by Deloitte following a major data breach, but has accepted communications and reports from cybersecurity firms CrowdStrike and Threat Intelligence as privileged.
- The decision is largely consistent with the Full Federal Court's recent decision on similar privilege claims in the Optus data breach class action, further highlighting the difficulties associated with claiming privilege over investigation reports prepared for multiple purposes, including legal, governance, regulatory compliance and/or operational purposes.
- The legal purpose for preparing a report must predominate other purposes—this is generally assessed at the time the report was commissioned, but later evidence can inform this assessment, particularly where the purpose evolves.
- It is not sufficient merely to assert that a document is privileged or, for that matter, to adduce evidence only from in-house counsel. Courts will rigorously examine the nature of the document and the surrounding circumstances to determine the document's dominant purpose. In this case, that process involved focused cross-examination of Medibank's CEO and chair.
- The decision also further highlights the risks associated with making public statements about investigation reports, particularly the potential for those statements to highlight a material non-legal purpose of the document or otherwise to waive any legal privilege that attaches to it.
Background
From August to October 2022, Medibank experienced a cyber incident in which cyber criminals accessed its IT systems and exfiltrated customer data. In a subsequent class action against Medibank, the applicants sought production of several reports prepared by Deloitte, CrowdStrike and Threat Intelligence, as well as communications involving CyberCX and Coveware. Medibank claimed legal privilege over these documents, contending that they were created for the dominant purpose of obtaining legal advice or for use in any litigation relating to the cyber incident.
CyberCX, Coveware, CrowdStrike and Threat Intelligence reports privileged
Justice Rofe held that Medibank's communications with, and reports prepared by, cybersecurity experts CyberCX, Coveware, CrowdStrike and Threat Intelligence were privileged because the evidence established that those firms were engaged by Medibank's lawyers for the dominant purpose of providing technical assistance and advice to enable Medibank's lawyers to provide legal advice, including in relation to legal proceedings. For example, the reports were used for the purposes of briefing counsel, responding to regulatory notices, and preparing Medibank's defence in the proceeding.[1]
Importantly, even though the scope of services provided by those firms to Medibank's lawyers was not, in many cases, materially different from the scope of services already being provided to Medibank under previous direct engagements, Justice Rofe held that the relevant consideration is the purpose for which the relevant documents came into existence, and that the scope of services was only one factor to consider. In these cases, the documents being created possessed a dominant legal purpose.[2]
Deloitte reports not privileged
Justice Rofe decided that the three reports prepared by Deloitte were not privileged because the provision of legal advice was not the dominant purpose for which they were commissioned. Rather, the following purposes were found to be 'at least equally dominant, if not more dominant':[3]
- Assuaging market and consumer concerns: Medibank made numerous public references to the commissioning of the external review and the appointment of Deloitte, including in ASX announcements and communications with employees, customers and health partners. These statements indicated that Medibank, not its lawyers, was responsible for commissioning the report, and that the purpose of the report was to 'protect and safeguard customers'.[4] These statements were considered strong evidence that one of the dominant purposes of the report was assuaging market and consumer concerns.
- Avoiding independent APRA review: evidence was given that a key concern for Medibank was to avoid the need for the Australian Prudential Regulation Authority (APRA) to conduct its own review of the data breach, which it was highly unlikely to avoid unless Medibank conducted a review in accordance with APRA's requirements. The close communication between APRA and Medibank regarding the scope of the review (which notably did not copy in any of Medibank's lawyers in most instances) and the 'tri-partite' meetings between Medibank, APRA and Deloitte were considered strong evidence that one of the dominant purposes of the report was avoiding an APRA investigation.[5]
The applicants also submitted that the board's oversight role in the production of the reports demonstrated a further governance purpose. While Justice Rofe did not decide that this governance purpose was as dominant as the legal purpose, her Honour did find that certain factors weighed against the dominant purpose being the legal purpose, including the board's desire for an overview of what had occurred, rather than for unvarnished legal advice, and the direct reporting by Deloitte to the board, rather than via Medibank's lawyers.[6]
Although Justice Rofe found that the Deloitte reports were not privileged from the outset, her Honour decided that Medibank's public statement, which referred to the implementation of one of the Deloitte reports' recommendations, would have waived privilege in the document because Medibank was seeking to take advantage of its implementation of the recommendations resulting from the external incident review to deflect criticism, and enhance or maintain its good standing in the eyes of its shareholders and customers, and its share price. In the circumstances, her Honour observed that Medibank 'cannot at the same time maintain privilege in that part of the report setting out the recommendations to enhance Medibank's IT processes and systems'.[7]
Consistency with Optus's privilege claims
Justice Rofe's reasoning is largely consistent with the Full Federal Court's recent decision in the Optus data breach class action. In that case, Optus's privilege claim over the Deloitte report failed because it was not created for the dominant purpose of legal advice or litigation, but rather for multiple purposes, including operational, governance, regulatory and public relations purposes.[8]
The failure of the privilege claim in that case was, in large part, because testimonial evidence of Optus's general counsel to the effect that the legal purpose of the investigation report was the dominant purpose was contradicted by Optus's public statements and board materials.
In contrast, in this case, Medibank adduced very detailed and focused testimonial evidence of the Deloitte reports' legal purpose, including from its CEO and chair. Even adopting that approach, Justice Rofe decided that the testimonial evidence was insufficient to outweigh contemporaneous documentary evidence, including Medibank's repeated public references to the review's purpose being to learn from the incident so as to protect customer data, as well as the close ongoing communication between Deloitte and APRA without Medibank's lawyers. This contextual evidence tended to indicate that, despite the testimony given by various executives, parts of the business were not aligned on the legal purpose being the dominant one, with the board using the reports for a variety of functions. This further highlights that courts will not hesitate to disregard witness testimony where there is contradictory contextual evidence, and underscores the importance of ensuring whole-of-business alignment in treating documents in a practical sense as being for a legal purpose, rather than simply agreeing that they are.
Implications
This decision highlights the challenges in seeking to claim privilege over investigation reports and root cause analyses that follow material events, such as cyber incidents, and demonstrates that oral testimony, including statements of individuals' subjective intentions, will not necessarily be determinative of the question of whether a legal purpose is dominant.
It demonstrates the importance of carefully considering the purpose(s) that the report is intended to serve before it is commissioned. Where it is likely to be used for multiple purposes, separate, dedicated reports may be more appropriate. Where it is intended that the dominant purpose of any report is a legal one, it is critical that the entire business is aligned on that purpose and that no steps are taken, such as making public statements or statements to regulators, that could compromise that alignment by exposing the existence of another non-legal purpose.
As noted above, Medibank has sought leave to appeal the court's decision in relation to the reports by Deloitte.
Practical steps to take
When an investigation report is commissioned for a legal purpose, it is important to:
- Go beyond declarations of privilege: ensure that there is alignment across the business on the dominance of the legal purpose and that the business acts consistently with that alignment, including by:
- ensuring that the terms of reference and engagement are formulated to confine the scope of the report to legal advice;
- avoiding or otherwise limiting public statements or statements to regulators that could compromise that alignment, eg by suggesting the existence of material non-legal purposes or by waiving any privilege that subsists in the report; and
- communicating through appropriate legal channels, including ensuring that internal or external lawyers, rather than the board, have responsibility for oversight of the investigation.
- Consider commissioning separate investigation reports: where a factual investigation is intended to be taken for legal and non-legal purposes, consider commissioning separate legal and non-legal reports. The utility and effect of this approach will depend, at least in part, on the extent to which the content of each report will differ. The courts will be sceptical of so-called privileged reports that cover matters of operational significance that are not also covered in the non-privileged report.
Footnotes
1. McClure v Medibank Private Limited [2025] FCA 167 at [270] ('Medibank').
2. Ibid at [278].
3. Ibid at [325].
4. Ibid at [327].
5. Ibid at [364].
6. Ibid at [372].
7. Ibid at [445].
8. See Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58.