Why it’s important to understand legal privilege after a breach

A recent court ruling in Australia concerning the primary purpose of a forensics report following a cyberattack serves as a crucial reminder about legal privilege for Canada’s cyber insurance market.

In a Nov. 10 decision, the Federal Court of Australia dismissed telecommunications company Optus’ claim of legal privilege over a Deloitte forensics report related to a September 2022 cyberattack and data breach.

Justice Jonathan Bench rejected Optus’ argument that the “dominant purpose” of the forensic report was to prepare for anticipated litigation. Instead, the court determined the report served multiple purposes and was therefore not entitled to legal privilege.

This ruling, based on common law and dominant purpose principles shared with Canada, underscores the need for timely legal involvement in potential litigation scenarios.

“It’s important to have a strategy in the event of a cybersecurity incident that involves PHI or PII,” Neal Jardine, global cyber risk intelligence and claims director with BOXX Insurance, told Canadian Underwriter in an interview. He was referring to protected health information (PHI) and personal identifiable information (PII).

“Engage legal counsel early and clearly outline the forensic team they will be working with to ensure that the dominant purpose of any forensic report prepared is geared towards anticipated litigation.”

Jardine stressed the significance of documenting the rationale behind involving legal counsel, and emphasized the need for a clear distinction. For example, in smaller incidents such as a $50,000 social engineering event, legal counsel may not be necessary to protect a forensic report but may be involved for other reasons. However, when large amounts of sensitive information are at risk, such as PII or PHI, legal counsel becomes imperative.

“We talk a lot in Canada about the reason for breach coaches and when legal counsel is appropriate; this case is a good example of how legal counsel used in the right way can protect the client and potentially reduce the exposure of any anticipated litigation,” Jardine said.

The Australian case involved the exposure of PII for approximately 10 million customers. Despite Optus’ argument that the report aimed to assess legal risks, the court disagreed, pointing out that Optus did not clearly state any legal recommendation for the review in its public announcements.

Jardine urged companies to establish a paper trail, pointing to the need to justify legal counsel involvement from the outset. He further emphasized the importance of separating forensic activities conducted in anticipation of litigation from those aimed at system recovery. Drawing on the Optus case, where the company failed to make this distinction, Jardine recommended having separate teams for forensics and IT recovery to maintain legal privilege without hindering the restoration process.

”The Optus case serves as a valuable lesson for the Canadian industry, emphasizing the need for a well-defined strategy, early legal involvement, and a clear understanding of the dominant purpose behind forensic reports in the context of potential litigation,” Jardine concluded.

Feature image by iStock.com/deepblue4you