Medibank’s claim of legal professional privilege (LPP) over the Deloitte report cannot be maintained because its dominant purpose was not for legal advice, class action counsel Wendy Harris KC told the Federal Court in closing submissions on Monday (3 June).

Harris submitted that Medibank used the Deloitte report as a “tool” to reassure stakeholders and manage reputational risks in the months after the cyber attack stole the details of almost 10 million Australians.

“Fundamentally, Medibank cannot have it both ways.

“Medibank cannot use the fact and the contents of the Deloitte report as a tool for reassuring people, [and] as a tool for managing reputational and other risks, and at the same time say, ‘Oh, but I always intended to keep it secret’,” Harris said.

“The only available inference is the emergency of the time having passed, [and] it no longer being necessary to reassure people … it now very much suits Medibank to keep that report secret.”

Harris added that despite Medibank chair Michael Wilkins’ commitment to transparency, he “very much wants to keep the Deloitte reports a secret and keep them secret from the very … customers of Medibank to whom his statements were calculated to assure”.

Although the report was commissioned by King & Wood Mallesons, the court was told Deloitte communicated directly with Medibank.

VIEW ALL

To support the argument that legal advice was not the dominant purpose, Harris contended Medibank barely made mention of this in the thousands of documents tendered before the court.

Referring specifically to statements Medibank made in press releases and statements on the Australian Securities Exchange (ASX), Harris said there were “never any words” about Medibank asserting confidentiality or LPP over the report.

“The messages in those releases were no accident,” she said.

One of the only mentions was by group general counsel and company secretary Mei Ramsay in her interactions with the regulator, the Australian Prudential Regulation Authority (APRA).

“Even then, she does not identify a legal purpose … she simply asserts Medibank wishes to maintain LPP,” Harris said.

Another aspect of Medibank’s purpose for commissioning the report was its desire to prevent APRA from conducting a second review, which may have been a “launching pad” for enforcement action.

Harris argued that by setting the terms of reference to cover those wanted by APRA, the regulator could refer to the Deloitte report.

However, Harris said that once the regulator was brought “into the Deloitte tent”, regardless of whether LPP could be maintained before this time, it was now “inconsistent” with the current privilege argument.

A report from cyber security firm CrowdStrike is also protected, but Harris argued this engagement “is no more privileged than the last”.

“It may be accepted … [CrowdStrike] provided information to Medibank and possibly even to King & Wood Mallesons, which, within the confines of that communication, had a legal purpose, but we don’t know because there is no evidence of that,” Harris said.

Dr Sue McNicol KC, counsel for Medibank, said any of the additional purposes asserted by the class action applicants were just “add-ons”.

“Let’s call it a legal external review with some ancillary benefits.

“The worst that can be said is it is opportunistic of us to take advantage of the add-on benefits,” McNicol said.

McNicol said the “dominant reason was a legal one”.

Judgment was reserved.

Lawyers Weekly will host its inaugural Partner Summit on Thursday, 20 June 2024, at The Star, Sydney, at which speakers will address the range of opportunities and challenges for partners and partner equivalents, provide tips on how they can better approach their practice and team management, and propel their businesses towards success. Click here to book your tickets – don’t miss out! For more information, including agenda and speakers, click here.