A class action lawsuit has been filed against the telecommunications company Optus by former and current customers whose personal information was exposed in a data breach. The lawsuit, representing millions of customers, alleges that Optus failed to protect customer information, breached privacy and telecommunication laws, and did not take proper steps to prevent the unauthorised access to personal data. Last year’s breach affected many Australians. Optus has stated it will defend against the lawsuit, and the breach is under investigation by Australian authorities. However its bid to claim legal privilege over the IR report to stop it from being handed over in the proceedings has been rejected by the courts.
Client legal privilege, also known as legal professional privilege, is a legal concept that protects certain communications and documents from being disclosed or compelled during legal proceedings, investigations, or administrative procedures. This protection encourages open communication between clients and their lawyers, allowing for confidentiality and trust.
Annie Haggar, Principal from Cyber GC, a legal and consulting practice specialising in cybersecurity law and advice for Australian business and government, stated;
“The communications between your executive during a breach and report from your incident responders after a breach are likely to contain a lot of information that could make it hard to defend a law suit – vulnerabilities in your network that you knew about, or actions you didn’t take to protect information. Stuff you don’t want to be made public. One recent example is the DP World case where the Citrixbleed vulnerability was used to attack their systems, which could have been prevented by applying an available patch. This sort of information can be very damning in trying to defend against litigation.”
In the US and other places, seeking to protect an IR report from discovery as part of litigation has been common practice. Optus was among the first in Australia to claim privilege over an IR report and the court’s finding is the first indication of what Australian courts think of the proposal. In this case, they found that the conditions weren’t in place for there to be a ‘dominant purpose of legal advice’ behind the report. The court didn’t rule out privilege applying to future applications, but they would have to satisfy the requirement that it be for ‘the dominant purpose of legal advice’.
What is clear from the judgement is that if you don’t establish the conditions for legal privilege from the very beginning of a breach, its unlikely you can get a court to agree it applies. With more and more breaches resulting in law suits, including class actions, you need to think not only about defending against the cyber breach, but also against the court cases that result.
There are two main types of documents protected by client legal privilege:
Legal Advice Privilege
This covers confidential documents or communications between a client and a lawyer or third party created for the purpose of obtaining legal advice.
This applies to confidential documents or communications created when legal services are related to an ongoing or anticipated legal proceeding.
Privilege can be lost if documents are disclosed to third parties, created for illegal purposes, become public, or if the client acts inconsistently with maintaining confidentiality. This can happen through internal distribution if not carefully controlled, release of information in media statements (like by a CEO), and other ‘casual’ release of information contained in the confidential documents. This can be intentional or accidental. In case of accidental disclosure, immediate steps should be taken to assert privilege and recover the documents.
When responding to subpoenas, all subpoenaed documents must be provided to the court, even if they are privileged. However, privileged documents should be clearly marked and presented separately, and efforts can be made to protect their confidentiality in court.
Another form of privilege is “without prejudice privilege,” which protects communications made during settlement negotiations from being used as evidence in court. It encourages parties to negotiate freely without fear of their words being used against them in litigation. However, it can be waived in certain circumstances.
Client legal privilege is a legal protection that keeps certain communications and documents confidential to encourage open discussions between clients and their lawyers. It’s essential to understand its different forms and how to maintain and assert privilege when needed.
Legal Privilege In the Context of Data Breaches
Legal privilege is important because it helps protect certain information during legal proceedings. If there’s a data breach, and this protected information is exposed, it could be used against the organisation in lawsuits. So, understanding and safeguarding legal privilege is crucial when dealing with data breaches.
Haggar went on to say, “You must consider privilege as part of your IR planning. Calling your lawyer should be at the top of your IR call sheet. You then need to make sure the report is ‘close hold’, and that it is delivered to the legal team to assist them to advise and support the business through the breach, of course working with the CISO and other executive. It can then be released to a small group of people by the legal counsel.
You should then practice your IR plan in wargames and tabletop exercise so your whole team learn how to work together, on responding to an incident, but also protecting you against litigation that may well follow. You can’t guarantee your communications and IR report will be protected by privilege, but you can set yourself up well to make the case that it should. What you can’t do is hope to apply privilege after fact. The courts are unlikely to allow it, and your IR report may be released as part of the litigation.