No secrets for Optus: Findings on data breach can be revealed

Telco giant Optus has had some very bad days recently. First there was the national network outage on 8 November, which meant millions of Optus customers had no access to the internet and phone. For some it meant 14 stressful hours of being unable to run their businesses, keep in touch with their connection and make calls, even to 000 numbers. From that date, CEO Kelly Bayer Rosmarin was under rapid fire, dodging questions like, why did the outage occur? And how will Optus atone for this? Putting up the white flag of surrender, Bayer Rosmarin bowed out from her role on 20 November, leaving those questions unanswered.

With the vigorous airing of speculation following the CEO’s resignation, another significant strike against Optus on 10 November took second place.

But it has been very much front of mind for the company, and for a law firm planning to lead a class action against Optus for its culpability in the 2022 data breach, a cyberattack that laid bare the personal information of around 10 million Optus customers.

It was on 10 November that the court ruled against Optus’ request to keep a significant report on the 2022 data breach from the public eye. That report had been commissioned by Optus itself, to make a “root-cause analysis” into the massive cyberattack.

Public knowledge from the start

The commissioning of that report was public knowledge from the outset. A media statement was issued on 3 October 2022, about two weeks after the data breach, about the intent of the company to seek an independent external review of its cause.

Three weeks later, on 25 October 2022, a letter about the intent of the review was shared on the Optus website. The letter claimed Optus was “committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience.”

The timing of these events was a key factor in the 10 November reasons for the decision of Federal Court judge Justice Jonathan Beach: that Optus cannot claim legal professional privilege for the report. This decision means the report cannot be withheld from lawyers Slater & Gordon in their plaintiffs’ class action against Optus for damages arising from the data breach.

If Optus appeals Justice Beach’s decision and is unsuccessful, and Slater & Gordon obtains the report, it will not be publicly released. But it may become a key document in the class action the law firm is leading, and some of the material in the report could become public as a result of the legal proceedings.

A troubling timeline

The report was completed in July 2023.

Optus applied to the court to withhold it from the public eye, claiming legal professional privilege. The general counsel stated in evidence that Optus’ purpose in commissioning the report was internal only: to have an external expert’s opinion on how the data breach had occurred, and the appropriateness and timeliness of the root cause analysis and the steps for remediation made by the Optus internal team. The stated purpose was also to inform Optus’ lawyers in the event they would need to defend the company in legal proceedings or regulatory investigations.

If this was the predominant purpose for bringing the report into existence, the report would be entitled to legal professional privilege, and accordingly not required to be made available to the plaintiffs’ lawyers.

But Optus’ claim failed. And the key factors in the judge’s reasoning were both the public statements it had made about the commissioning of the report, and the timing of those statements.

Professor Peter Leonard explains the implications of the timeline to LSJ. Leonard is principal of Data Synergies, a business law practice that focuses on governance of data, AI and technology. He founded Gilbert + Tobin’s technology practice and headed it for 25 years. He is also a part-time Professor of Practice at UNSW Sydney Business School and a member and immediate past chair of the Law Society of NSW’s Privacy and Data Law Committee.

The judge placed considerable weight on determining the mind of a corporation at the relevant times, Leonard says.

“The data breach was between 17 and 20 September 2022. The general counsel first became aware of the breach on 21 September. The judge accepted the general counsel’s evidence that on that same day the general counsel formed the view that the cyberattack would likely lead to one or more regulatory investigations and litigation, including possible class actions. The next day, 22 September, Optus engaged law firm Ashurst to provide assistance in the response to the data breach.

“So, you can’t imagine a quicker identification of likely legal proceedings, and engagement of a law firm in relation to those likely proceedings. On 17 October, following the Optus Board’s approval of the engagement of Deloitte as external experts, Optus general counsel instructed Ashurst to engage Deloitte, which Ashurst then did.

“It would have been possible to engage Deloitte such that the predominant purpose of Deloitte’s engagement by Ashurst was to assist Ashurst in advising Optus. The evidence of the Optus’ general counsel was consistent with this purpose.

“However, Mr Justice Beach found that the state of mind of Optus, determined most relevantly from public statements of its chief executive and from Board briefing papers, was inconsistent with this version of events.”

In a media statement on 3 October 2022, Optus announced that it had appointed Deloitte to conduct “a forensic assessment of the cyberattack and the circumstances surrounding it.”

Leonard says, “The statement said further that ‘the forensic review would play a crucial role in the response to the incident for Optus’.”

CEO Bayer Rosmarin was then quoted, saying: “This review will help ensure that we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and the risk of cyberattack exists.”

She continued, “I am committed to rebuilding trust with our customers and this important process will assist those efforts.”

Justice Beach noted: “The announcement did not state that the Deloitte review was being recommended by a lawyer or being conducted for legal purposes … none of this bespeaks or manifests a dominant purpose in the nature of a privileged purpose.”

Justice Beach then examined other Optus materials in an effort to determine the mind of Optus, including draft and final Board papers in relation to appointment of Deloitte.

The judge then reviewed the document titled “A letter to our customers”, published by Optus on its website on 25 October, again referring to the engagement of Deloitte. This was the document stated the desire for “all Australians” to benefit from “our terrible experience.”

Leonard highlights Justice Beach’s views that the letter was “’what I would describe as a marketing document’”, and “’hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation report’”.

Polluting the purpose

To determine the dominant purpose of the investigation into the cause of the data breach, Leonard says, one would have to understand the “state of mind” of the company that commissioned it.

“The only evidence that was before the court was a very lengthy affidavit from the general counsel, who is also the company secretary of Optus, and what the judge said is that he had to determine the state of mind of Optus, the company. It’s always challenging to determine the state of mind of a corporation, because it neither has a singular mind nor a physical brain. You need to look not only at what the general counsel thinks, but also at what other executives say.

“It will be very challenging indeed to make out a dominant purpose case,” the judge said in his reasoning, “when [as in the case of Optus] there is no other testimony from executives, a CEO makes statements that on their face appear inconsistent with the purpose of a report being commissioned as a confidential input to aid and inform provision of legal advice to the corporation, and relevant Board papers make scant reference to any legal purpose.”

Leonard adds, “So all of that says, well, it was going to be an uphill struggle for the general counsel on his evidence alone to convince the court that the dominant purpose of the corporation was to get Deloitte to give them the bullets that they might need to fire in the defence of litigation or enforcement proceedings.”

If public relations was a significant factor in the decision to “bring the document into existence,” Leonard says, then it is very hard to make a case for defence of litigation as the primary purpose of the analysis of the cyber attack and subsequent report on it.

He adds, “In a sense the whole PR function around the engagement of Deloitte’s so polluted the purpose of having the report produced that it was impossible, the judge found, to determine that the dominant purpose of the report for Optus was defence of litigation.”

Lessons learnt

There is another lesson to be learnt from the inability of Optus to claim legal professional privilege, Leonard says, and it hinges around the appointment of technical experts in situations like the one Optus faced.

“Optus might have elected to separately engage two technical experts: one expert, directly engaged, to determine the root cause of the issue, and another expert, engaged by the lawyers, to aid and inform the lawyers in conduct of legal actions and regulatory investigations.”

He adds, “In the old days, the view was that if the expert was engaged by the lawyers and not directly by the client, that gave you significant protection against that expert’s report being required to be produced.

“Well, clearly now the court is going to look through that retainer, and make its own careful analysis of the true purpose of preparation of the report.”

Optus’ claim for legal professional privilege, and the outcome, offer a lesson for the future, Leonard says.

“I imagine there’s quite a few companies that have had data breaches that are now reading this judgment very carefully, and revising their briefing packs for their executives and media advisers.”