Securing legal professional privilege after a cyber breach
Last year, Optus failed to keep a Deloitte report into a major data breach away from a class action applicant. Here, an award-winning general counsel outlines how businesses can avoid the same fate.
Editor’s note: This story originally appeared on Lawyers Weekly’s sister brand, Cyber Daily.
When there is litigation, both parties must turn over the information they believe is relevant to the case during the discovery process.
However, according to Haggar, business owners are not required to hand over information that is subject to legal professional privilege.
Her comments precede her panel session at the Australian Cyber Security Summit 2024, where she will detail how businesses could prepare themselves for the aftermath of a cyber security incident.
Legal professional privilege is a common law that refers to the protection of confidential information between a legal professional and a client “made for the dominant purpose of the lawyer providing legal advice or professional legal services to the client, or for use in current or anticipated litigation”, according to the NSW Information and Privacy Commission.
After suffering a cyber attack in September 2023, Optus engaged Deloitte to conduct an independent external review of its security systems. In November 2023, an Optus class action gained access to the forensic investigation report after the Federal Court of Australia rejected Optus’ claim of legal professional privilege.
“The legal professional privilege is communications between a lawyer and their client as well as legal advice or information collected for the purposes of providing legal advice,” Haggar told Cyber Daily.
“If an incident response report was requested by lawyers for the purposes of them understanding the security breaches so that they can advise their client, there is potential for that report to be protected from disclosure underneath the discovery process because it’s been caught by legal professional privilege.”
However, while this is well established in the US, this is not the case in Australia as domestic companies have only recently been slapped with litigation following a cyber security breach, Haggar pointed out.
Indeed, prior to the Optus case, courts in Australia have not had to address the issue of whether legal professional privilege applies to an incident response report, she added.
“We will have to wait until the next case that tries to claim privilege over an incident response report to see whether a different process might allow privilege to be obtained,” Haggar said.
The path to privilege
Haggar outlined steps businesses could take to successfully secure legal professional privilege, including ensuring that they appoint external lawyers on retainer (if they do not already have an in-house legal team).
This means that the incident responders would report to legal counsel, and they would collaborate to respond to the breach.
Then, Haggar stressed, it is important that the legal counsel formally request the incident response report to be prepared to support their investigation.
“When a business experiences a breach, its cyber team can call in the incident response team,” she said.
“But the formal engagement of the incident responders happens once the legal team sends the formal letter.”
The next step is for incident responders to prepare the report for and deliver it to the general counsel and legal team so that they can advise their organisation on the legal ramifications of the breach.
“The general counsel can then disclose the report to other people in the organisation who need to know,” Haggar said.
“But it shouldn’t be made available to the executive or the security teams without it coming under control from the legal counsel.”
Careful communication
Haggar advised business owners to proceed with caution when determining how much of their incident report should be made public.
“It must remain a confidential document if it’s going to be protected,” she said.
“For example, the Optus CEO spoke to the media about the findings of their report, which was one of the reasons why the judge said privilege couldn’t apply. Any privilege that might have applied had been waived by speaking about it publicly.”
What companies can gain from privilege
Obtaining legal professional privilege on a report ensures that any details about how the breach occurred and the effectiveness of the actions taken subsequently are not available to the initiators of the litigation.
“This can’t support their arguments that you might not have prepared the organisation appropriately for a cyber breach. It helps reduce the amount of information that can be used against you after a breach,” Haggar said.
To gain insights from Annie Haggar on legal and regulatory considerations after a cyber security incident, come along to the Australian Cyber Security Summit 2024.
It will be held on Thursday, 20 June, at the National Convention Centre, Canberra.
Click here to book your tickets and don’t miss out!
For more information, including agenda and speakers, click here.
This summit is produced by Captivate Events. If you need help planning your next event, email director Jim Hall at