Don’t leave your business exposed when conducting cyber incident investigations

Medibank gets exposed

A recent decision of the Federal Court of Australia involving Medibank is a further reminder to businesses of the need to carefully structure and manage cyber incident investigations in order to attract and maintain the protection of legal professional privilege (LPP). Failure to do so will mean that the results of the investigation can be accessed by third parties, including those pursuing legal claims against the business. This may include findings which reveal cyber security failings which can be used against the business.

Previous Optus exposure

In previous articles we highlighted this issue when Optus was required to produce, to the claimants in a class action against it, reports setting out the outcome of its investigation of the major cyber breach it suffered in 2022. We also noted that new laws providing limited protection to businesses when reporting on cyber incidents to regulators will not prevent third parties from accessing and using that material.

Why was Medibank exposed?

In the recent Medibank case the claimants in a class action against Medibank sought access to various cybersecurity investigation reports and related communications. Medibank argued that they were protected from disclosure by LPP because they were prepared predominantly for the purpose of legal advice or anticipated legal action. The Court refused to uphold this claim over a significant portion of the documents.

In doing so, it highlighted that LPP may not apply or could be lost because:

  • the context in which the documents were created showed they were created for multiple purposes;
  • disclosure of the documents including to regulators was inconsistent with LPP.

How to avoid exposing the investigation

Key takeaways for businesses to ensure that the protection of LPP applies are:

  1. Involve your legal advisers/counsel from the beginning.
  2. Ensure that investigation documentation reflects the legal purpose of investigations from the outset.
  3. Engage third-party experts through lawyers, with clear engagement letters.
  4. Avoid statements about, or uses of, the investigation material which dilute the dominant legal purpose.
  5. Take care to ensure that public statements about investigations do not undermine that purpose.
  6. Ensure that there are clear and strict protocols to limit access to the documents.
  7. Ensure that any disclosures to regulators are in terms that preserve LPP.
  8. Share only necessary summaries or findings - not entire reports - where possible.
  9. Consider using confidentiality agreements or protocols with regulators.
  10. Ensure communications are conducted through legal advisers/counsel.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our cyber and information security expertise

DMAW Lawyers has you covered when it comes to identifying your legal obligations, assessing risk and exposure, and putting in place strategies to manage legal risks and meet regulatory obligations, whether that be:

  • digital information security obligations and protections in supply chain contracts;
  • privacy, data breach assessment, incident response and notification laws;
  • on-boarding and off-boarding processes; or
  • fit for purpose employment contracts and digital security and AI policies.

Find out more about how our cyber and information security legal experts can assist your business.