Share this article on:
The Federal Court has dismissed Optus’ appeal to hold back a Deloitte report into its 2022 cyber attack from class action lawyers.
The Australian Federal Court has ruled that Optus will not be able to keep a report it commissioned from professional services firm Deloitte regarding its 2022 cyber attack out of the hands of lawyers representing a class action against the telco.
Optus had claimed that the report and its contents were protected under legal professional privilege and that it was primarily commissioned to provide legal advice. However, Federal Court judge Justice Jonathan Beach ruled against this claim in November, saying there were “problematic aspects” to the company’s claim.
Justice Beach determined that since the report had been mentioned in an Optus press release and the Optus CEO had said the report would “help inform the response to the incident”, its “dominant purpose was not a legally privileged purpose”.
“This is hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose,” said at the time.
The report must now be shared with law firm Slater and Gordon which is pursuing the class action on behalf of Optus customers impacted by the data breach. It is expected that while the report is not being released to the public, portions of it will likely become public as the class action proceeds.
Ben Hardwick, class actions practice group leader at Slater and Gordon, is pleased by the Federal Court’s decision.
“Despite refusing to accept the umpire’s decision, Optus must now hand over the Deloitte report into how millions of its customers’ private information was accessed as a consequence of the 2022 data breach,” Hardwick told The Australian Financial Review.
“Optus’s efforts to shield this report is indicative of a company that refuses to accept responsibility for its role in what happened, and the significant impact this data breach has had on millions of its Australian customers.”
A spokesperson for Optus told Cyber Daily that it will “respect the court’s decision” and that the company is “considering our position”.
“Our priority is ensuring our customers have ongoing confidence in the integrity of our cyber defence systems,” the spokesperson said.
“In this regard, Optus will consider our next steps which may include seeking confidentiality orders relating to elements of the report that we believe are key to the ongoing protection of our customer data and our systems from cyber criminals.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.