 

Recently, a federal court in Australia ruled against a telecommunications company’s attempt to keep secret an analysis of its 2022 cybersecurity breach.

 

Lawyers for the company, Optus, argued that the report was provided to determine legal risk and was therefore protected under attorney-client privilege. The court disagreed, and Optus is appealing the decision. Optus hired Deloitte to conduct an investigation into the breach and provide the analysis. Australia joins Canada and the United States in having legal precedent that incident response and breach-related documents are not inherently protected by attorney-client privilege.

Attorney-client privilege in a cyber incident response context is critical to protect sensitive communications and information from being disclosed in potential legal proceedings.

Here's how it typically works:

  1. Engagement of Legal Counsel: As soon as a cyber incident is detected, organizations need to engage legal counsel to oversee the response. It is critical that all IR work is done with the knowledge of and at the request of legal counsel. This ensures that communications related to the incident are privileged.
  2. Scope of Privilege: The privilege applies to communications between the attorney and the client made for the purpose of seeking or providing legal advice. It also covers documents prepared at the request of the attorney for the purpose of legal advice.
  3. Involvement of Third Parties: To maintain privilege, any third parties involved (e.g., cybersecurity firms, forensic investigators) should be engaged by the legal counsel. This way, their communications and findings can also be protected under the privilege as they are considered part of the legal consultation process. A new, specific statement of work should be used for this work. You should not have this work done under an existing statement of work.
  4. Documentation: Clearly document the involvement of legal counsel in the incident response. Communications should explicitly state that they are for the purpose of seeking or providing legal advice to reinforce the intent to maintain privilege.
  5. Incident Reports and Findings: Any reports or findings prepared by cybersecurity firms should be directed to legal counsel. This helps to ensure that these documents are covered by the privilege.
  6. Limitations and Best Practices:
    • Internal Communications: Not all internal communications are privileged. To maximize protection, include legal counsel in relevant discussions and mark communications as privileged and confidential.
    • Training and Awareness: Train employees on the importance of maintaining privilege and the proper protocols to follow during a cyber incident. All members of the cybersecurity team as well as other roles that may be involved in a cybersecurity incident response should be trained on these protocols.
    • Separation of Roles: Clearly define the roles of IT, security teams, and legal counsel to avoid inadvertently waiving the privilege. This should already be part of your Incident Response or Critical Incident Management plan.

 

Our consultants have extensive experience working with both in-house and external legal counsel, as well as third-party Incident Response consulting firms. Leveraging this experience, we can assist you with ensuring that, in the event of a cybersecurity incident, your organization’s response will be covered under attorney-client privilege.

Chris Harrington
26 Jul, 2024
Chris has over 25 years of Information System and Security experience, including developing and leading information security teams, security program development, security incident response management, and detection and mitigation of advanced cyber threat actors. Chris is the founder and president of Granite Cybersecurity, providing consulting services focused on Incident Response. Previously, he held the position of Director of the CyberSecurity Intelligence and Response Team at Dell, and he has held senior Information Systems & Security positions with MIT Lincoln Laboratory, NitroSecurity (as CTO) and the National Security Agency. As a recognized expert in the security field, Chris has spoken on security topics for RSA Conference, FIRST, SANS and SecureWorld.