
Optus class action secures Deloitte report into data breach

Optus failed to keep a Deloitte report into last year’s major data breach out of the hands of a class action applicant.

Naomi Neilson, 10 November 2023, Big Law

In the weeks after the September cyber attack, which exposed the personal details of millions of Australians, Optus engaged Deloitte to conduct an independent external review of its security systems.

This report and documents related to any instructions provided to Deloitte will now be passed on to a class action after the Federal Court rejected Optus’ claim of legal professional privilege.

“In my view, the claim is not sustainable,” Justice Jonathan Beach said.

“Clearly, they had multiple purposes in procuring the review and report by Deloitte, one of which was a privileged purpose.

“But I am not satisfied that the latter satisfies the requisite dominant purpose test. But if they had satisfied the dominant purpose test, I accept that there has been no waiver of privilege [and Optus’] position on the latter aspect is meritless.”

Optus relied on the state of mind of general counsel and company secretary Nicholes Kusalic, who had considered a high likelihood of a class action and determined there would be a “range of potential regulatory and legal actions” from the outset of the cyber attack.

Mr Kusalic formed the view an investigation would be needed to assess legal risk and considered it “highly desirable” that this be done by an external third party “as he was not sure of the capacity within Optus to carry out such a detailed and complex investigation”.

Ashurst was then retained, and from there, Deloitte was engaged.

While Justice Beach said his evidence was “all very well”, he found Mr Kusalic had a “vagueness in how [he] expressed himself” and identified “various problematic aspects”.

These included uncertainty about whether Mr Kusalic was acting “in a general counsel capacity, a company secretary capacity, or some hybrid capacity”, and about his involvement in the investigation.

While Optus argued the principal reason for the report was to assist Ashurst in providing it with legal advice, Justice Beach found it was also for the purpose of identifying the root cause of the cyber attack and reviewing Optus’ management of cyber-related risks.

Justice Beach also took issue with Optus’ media release announcing that Deloitte would be conducting the investigation.

Quotes from chief executive Kelly Bayer Rosmarin that “the forensic review would play a crucial role in the response to the incident” and “we are determined to find out [what] went wrong” reinforced Justice Beach’s finding that the “dominant purpose was not a legally privileged purpose”.

“In my view, the evidence does not establish that the Deloitte report was for the dominant purpose of Optus obtaining legal advice for use in litigation/regulatory proceedings,” Justice Beach said.
