Snapshot
- Optus’ recently failed legal professional privilege bid is the latest in a series of challenges for privilege use, considering its application in the wake of a cyber incident.
- Victim organisations have complex competing interests that increasingly necessitate the engagement of legal practitioners.
- As legal risk associated with IT invariably grows, use of legal professional privilege is to be judicially scrutinised more and more.
In May 2024, the Full Court of the Federal Court of Australia affirmed that Deloitte’s forensic report into the September 2022 cyber attack on Optus was not covered by legal professional privilege. The decision reflects a broader trend, emerging among both courts and regulators, that certain claims of privilege will not be accepted at face value, particularly in the wake of high profile cyber incidents. As cyber attacks and data breaches inevitably proliferate, so too will the involvement of lawyers in the response to such incidents. More recently, we have seen, on a global scale, the impacts of IT failures for all sorts of organisations, even without a bad actor, which can create various legal issues. This article will focus on how legal professional privilege is being used in this context, how practitioners and clients are adapting, and how the courts are responding. Although these trends in privilege use are not confined to high profile IT failures, they are a useful case study.
Legal professional privilege
Under common law and statute, legal professional privilege protects confidential communications between a lawyer and their client from compulsory production in the context of court proceedings. The common law protection extends beyond court proceedings, to certain pre-trial processes and investigative and administrative proceedings.
