Cyber-attacks continue apace, carrying risks of multiple streams of follow-on litigation, including significant class actions and regulatory investigations. Companies are understandably concerned about assessing their potential legal exposure and preparing for actual or reasonably anticipated litigation following a material cyber incident. But are forensic and technical reports which inform the provision of legal advice on these questions protected by legal professional privilege?

The guidance provided in the two Federal Court decisions in this area to date demonstrates the challenges in establishing that privilege applies to these reports where there has been a material cyber-attack.

On 4 April 2025, the Federal Court published a 110-page judgment on the application of a consumer class action to access a suite of technical reports from third-party cyber and IT experts produced for Medibank following the cyber-attack it suffered in October 2022: see McClure v Medibank Private Limited [2025] FCA 167. Medibank asserted that these materials were privileged and therefore did not need to be discovered.

The Court found that Medibank successfully established privilege over expert reports prepared for advice about notifications required under the Privacy Act, and to respond to an OAIC investigation, as well as emails to legal advisers about the threat actor which assisted advice about legal considerations relating to the payment of a cyber ransom.

However, the Court found that privilege did not apply over three reports authored by Deloitte, being a root cause analysis, post incident review (PIR) and report on compliance with APRA’s Prudential Standard CPS 234. These findings were broadly consistent with an earlier decision of the Federal Court over similar Deloitte reports produced following a cyber-attack. Further, while it was not necessary to decide given the finding that Deloitte’s reports were not privileged, Medibank’s public announcements about the Deloitte external review would have amounted to a waiver of any privilege that may have existed over the PIR. Medibank has applied for leave to appeal the decision.

Key lessons for clients in this context are:

  • Even if a technical provider is providing non-privileged input (including under a standing engagement), it can be engaged on a separate stream / scope of work which is privileged.
  • Broad letters of engagement will not be sufficient to “blanket” reports with legal professional privilege. References to “privilege incantations … divorced from the circumstances of the creation of the document are largely meaningless and not determinative”.1
  • Ultimately, the Court will assess the dominant purpose objectively, having regard to all contemporaneous documents and the chronology of the incident and the advice sought. Particular care should be taken with public statements about external reviews being conducted – these may be persuasive evidence that a public stakeholder management purpose was an important one alongside the legal purpose. They also give rise to issues with respect to waiver.
  • Where there is a material cyber incident for major companies (with particular regulatory obligations), we consider that there are particular challenges showing that technical reports into root cause analysis and incident reviews are for the dominant purpose of legal advice.
  • Companies should assume that privilege will not apply to all aspects of the incident response. We recommend that companies consider, in pre-incident planning, which aspects of a cyber incident response are likely to be privileged and which are less likely to be, to inform how investigations are structured and scoped.

What evidence was considered by the court?

The application related to expert reports from Deloitte, CyberCX, CrowdStrike and Threat Intelligence and certain communications between lawyers and experts.

The evidence before the Court was largely documentary, including a detailed chronology prepared by the class action plaintiffs and many internal and external communications. Some of the key dates were as follows:

  • Between 13 October and 26 October 2022, Medibank entered and exited two trading halts, confirming unusual activity on its network and that a cyber ransom had been demanded.
  • Between 7 and 9 November 2022, Medibank confirmed that it would not pay any cyber ransom, that data of around 9.7 million current and former customers was affected and data had been released on the dark web.
  • Between mid-November and the start of December 2022, plaintiff firms lodged a representative complaint to the OAIC alleging Medibank breached the Privacy Act, the OAIC announced an investigation and APRA expressed concerns about the strength of Medibank’s operational controls.
  • In February and March 2023, consumer and shareholder class actions were commenced against Medibank. Medibank also released to the market information about the circumstances surrounding the cyber incident, the steps it had taken in response (containing the incident, putting in place additional security measures, and engaging specialised security firms) and the findings of Deloitte’s external incident review (that Deloitte made recommendations to enhance Medibank’s IT processes and systems, and that Medibank had already implemented some and would implement the remaining).
  • In June 2023, APRA announced an increase in Medibank’s capital adequacy requirements due to issues with Medibank’s information security environment.
  • In June 2024, the OAIC commenced civil penalty proceedings against Medibank for breaches of the Privacy Act.

The class action said that privilege did not apply because the communications had a range of non-legal purposes: (1) operational (to ascertain cause and extent of the data breach to contain it and stop future cyber incidents); (2) governance (for the business and Board to discharge oversight functions, including regulatory compliance and consequences for executives); (3) APRA purpose (to address the concerns of APRA and satisfy its requests, to avoid an independent APRA review); (4) updating the ASX; (5) communicating with customers, shareholders and the community generally to assuage concerns by showing that Medibank was looking to learn from the incident.

Medibank relied on affidavits from its Chair, CEO, General Counsel and external lawyers, and said that their intentions and states of mind were relevant to dominant purpose. The Chair and CEO were cross-examined in Court. In assessing their evidence, the Court stated that the Chair’s and CEO’s respective states of mind were highly relevant “but not solely determinative” as to whether the documents in question were properly privileged.2 The Court’s task was to determine whether the dominant purpose was made out objectively, having regard to the totality of the evidence. Rofe J did not inspect the reports, on the basis that they were technical cyber security reports and that, without the circumstances surrounding their creation, they would be meaningless and not determinative of whether they were privileged.3

How did the court treat the different reports that were commissioned?

Many companies will consider reports canvassing the areas that Medibank’s experts investigated following a major cyber incident.

The table below summarises the scope of the key reports and the key reasoning.

Report / Outcome and reasons

Post Incident Review (Deloitte Report dated 4 April 2023)

Medibank’s external lawyers gave evidence that this report was used by them to identify key issues and areas requiring further work to manage and / or mitigate legal risks.4

✖ Not privileged

Medibank said that Deloitte’s engagement translated technical matters (including raw data) into plain English facts, identified what information was accessed and removed, and provided recommendations about enhancements to Medibank’s systems.5 This was for the purpose of Medibank’s advisors providing legal advice on the risk of any ongoing non-compliance with legal obligations, effectively representing Medibank in potential legal proceedings and understanding potential liability to customers.6 The CEO said a “very much secondary” purpose was providing a means of verifying Medibank’s internal investigation. The Court noted that the technical translation objective seemed to contradict the CEO’s evidence that Medibank’s internal investigation had already provided a reasonable understanding of what had occurred, and that in any event Deloitte’s external review ultimately went beyond this.7

The class action argued the other purposes included (1) operational; (2) governance; (3) APRA; and (4) ASX / public relations purposes.

The Court held that the legal purpose was “only one of several equally dominant purposes for which the Deloitte Reports were commissioned”8 and accepted that, in addition to the potential legal purpose, the ASX / public relations purpose and APRA purpose were at least equally dominant (if not more dominant than the legal purpose).9

  • ASX / public relations purpose: Medibank made numerous public references to the commissioning of the Deloitte Reports in its ASX announcements and in communications with employees and millions of customers. Each of these statements (1) was approved by the Board or a Medibank executive prior to publication, (2) stated that Medibank (not its lawyers) commissioned the external report and, critically, (3) stated that the “purpose of the external review was to protect and safeguard customers”.10 No “public mention was ever made” that the external review was for the purposes of legal advice.11 This was “contrary to the legal purpose being the dominant purpose”.12 If the Board had really only been concerned with the legal purpose, the review and resulting reports would not have needed to be disclosed publicly.13

  • APRA purpose: Medibank gave evidence that a key concern was to avoid the need for APRA to conduct its own review.14 APRA (being a regulator which could potentially instigate penalty proceedings) was consulted on the terms of reference for the external review, was involved in multiple tri-partite meetings and was given direct access to the three Deloitte reports, which was antithetical to the maintenance of privilege.15

  • Role of the Board: The close involvement of the Board was another factor which tended against the dominant legal purpose.16 This included the Board’s desire for an “unvarnished view of what had occurred” and to be seen to be treating the incident seriously, the direct reporting by Deloitte to the Board rather than via its external lawyers, and the close attention of the Board and Chair (including pre-Board meetings with the latter).17

  • Waiver: Further, if (contrary to the Court’s finding) the PIR report was properly privileged, the Court considered that privilege had been waived because the report was referenced in an ASX announcement made by Medibank.18 That 28 April 2023 statement said that Medibank had received Deloitte’s findings from its external review, and that Medibank had already implemented a number of recommendations and would implement the remainder.19

Root Cause Analysis (Deloitte Report dated 10 May 2023)

This report applied a root cause analysis methodology to identify Deloitte’s position on the root cause of the incident.20

✖ Not privileged (same reasons as Deloitte PIR report)

External Review – APRA Prudential Standard CPS 234 (Deloitte Report dated 23 June 2023)

This report was Deloitte’s position on areas of non-compliance with APRA’s Prudential Standard CPS 234 which contributed to the breach.21

✖ Not privileged (same reasons as Deloitte PIR report)

Two CrowdStrike Reports dated 22 December 2022 and 11 May 2023

The 22 December 2022 report was based on CrowdStrike data from its security software.22 It provided information about the systems accessed by the threat actor and when they were accessed.23

The 11 May 2023 report was prepared in relation to certain Atlassian products which were used in the Medibank IT environment at the time of the cyber incident.24

It provided information about the activities of the threat actor.

✔ Privileged

While the Court did not accept that the initial engagement of CrowdStrike was for a privileged purpose (it occurred immediately, and prior to lawyers being engaged),25 the relevant question was whether the reports themselves were privileged.26

The Court accepted that both CrowdStrike Reports were created by CrowdStrike in response to a specific request from Medibank’s external solicitors for the dominant purpose of legal advice, including to assist with preparing notifications to the OAIC and customers under the Privacy Act, and for the purpose of anticipated legal proceedings.27

While the CrowdStrike Reports were privileged, non-privileged information which formed a basis for the reports (but was not contained in the reports themselves) would still potentially be discoverable.28

Two Threat Intelligence reports dated 4 January 2023 and 23 February 2023

Two reports were created by Threat Intelligence to provide technical cyber security assistance in relation to Medibank’s response to the OAIC investigation commenced on 1 December 2022.29

✔ Privileged

Medibank had a standing engagement with Threat Intelligence to act as its Digital Forensics and Incident Response (DFIR) partner. No claim of privilege was made by Medibank in respect of material the subject of Threat Intelligence’s DFIR standing engagement (this included two reports dated 9 November and 2 December 2022 in which Threat Intelligence investigated the circumstances of the cyber incident and conducted dark web monitoring to look for data being published on the dark web), except for material that disclosed the substance of other privileged communications.30

However, after the cyber incident, Medibank’s legal advisers separately sought an additional two expert reports from Threat Intelligence so they could advise Medibank in relation to Medibank’s response to the OAIC’s investigation commenced on 1 December 2022 (being the 4 January and 23 February 2023 reports).31

Like the CrowdStrike Reports, the Court accepted that the Threat Intelligence Reports were created by Threat Intelligence because Medibank’s external lawyers required “immediate technical cyber security assistance” in order to advise Medibank in relation to Medibank’s response to the investigation commenced by the OAIC.32 Rofe J stated that the evidence provided to the Court by Medibank went “beyond mere generalised assertion” and established a connection between the Threat Intelligence Reports and the legal advice provided by Medibank’s legal advisers.33

Communications between Medibank’s external legal advisers, CyberCX and Coveware in October 2022 relating to crisis communication strategy34

✔ Privileged

The Court accepted these communications were for the dominant purpose of Medibank’s external solicitors providing legal advice and assistance to Medibank in relation to whether the payment of a ransom by Medibank might contravene laws or give rise to a breach of directors’ duties.35

The emails in issue were sent between CyberCX, Coveware and Medibank’s legal advisors “during the last three days of the period in the run up to the Board Meeting of 29 October 2022”, at which legal advice was to be provided on the legality of paying a cyber ransom.36

They related to “information in relation to the identity of the” threat actor,37 and “an update relating to the identity of the” threat actor, and appeared to include screenshots of communications with the threat actor.38 In the context of the Board being briefed on (among other things) the legality of paying a ransom, the Court accepted it was “entirely consistent with the chronology of the rapidly evolving” cyber incident that Medibank’s solicitors would, in the course of preparing legal advice to the Board on that issue, seek information from CyberCX and Coveware.39

Footnotes

  1. [13].
  2. [23].
  3. [13].
  4. [393].
  5. [374]-[377].
  6. [374]-[377].
  7. [381]-[382].
  8. [323].
  9. [405].
  10. [327].
  11. [332].
  12. [338].
  13. [338].
  14. [344].
  15. [355], [364].
  16. [372].
  17. [372].
  18. [443].
  19. https://www.medibank.com.au/livebetter/newsroom/post/cybercrime-update-deloitte-incident-review
  20. [149].
  21. [149].
  22. [280].
  23. [283]-[286].
  24. [288].
  25. [273].
  26. [278].
  27. [243], [281].
  28. [293].
  29. [308].
  30. [299].
  31. [301].
  32. [315], [319].
  33. [311].
  34. [37].
  35. [226]-[228], [231]-[232], [235]-[236].
  36. [218].
  37. [223].
  38. [230], [234]-[235].
  39. [221].
