Optus denies attempting to ‘cloak’ report’s findings into cyber attack
Optus is fighting to keep a report into a disastrous cyber attack that struck millions of customers a secret, but denies it’s trying to ‘cloak’ it from the courts.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
Optus is fighting again to keep a report into a disastrous cyber attack that struck millions of customers, a secret.
But the telco has denied it was trying to “cloak” the report from the courts.
In the Federal Court on Tuesday Optus batted away questions about why former CEO Kelly Bayer Rosmarin, or other board members, did not give evidence on the purpose of Deloitte’s report into the 2022 event if it were not to investigate and prevent it from happening again, as they claimed in a public statement at the time.
The company was last year criticised by Federal Court judge Jonathan Beach, who rejected its argument that the report was protected by legal privilege, and ruled it should not be kept out of a Slater and Gordon class action brought in Victoria.
Justice Beach said a public statement published in October 2022, weeks after the attack, posed a “real problem” for the bid to keep the report secret, noting it did not mention that it was recommended by a lawyer or that it was being done for legal purposes.
Optus has appealed against Justice Beach’s decision, and on Tuesday argued most would be “gobsmacked” to find a media release would flag a legal purpose for such a report because of a possible class action or a potential regulator investigation.
“The point is to calm,” barrister for Optus Steven Finch, SC, said.
Mr Finch said it was an “error” to describe efforts to channel material through lawyers as an attempt to “cloak” it.
“(the Deloitte report) was produced pursuant to engagement by Ashurst, which explicitly nominated the dominant purpose as legal advice,” he said.
The court heard a “good place to start might have been to put on evidence from the CEO or board members” to establish that the report had multiple purposes, including legal ones that may have prevented it from being tendered into evidence.
Mr Finch said arguments about the report were heard via an interlocutory application and that there was “evidence about what the CEO said”.
“We say … too much weight has been put on the public statements,” he said.
Mr Finch said Justice Beach challenged Optus general counsel Nicholes Kusalic’s integrity as a solicitor. Justice Beach, in his judgment delivered in November, noted Mr Kusalic gave evidence about the legal purpose of the report but “on critical aspects of his evidence he was decidedly and no doubt self-advisedly vague”.
“Channelling material through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have,” Justice Beach said in his judgment.
Ms Bayer Rosmarin “recommended” the external Deloitte review be conducted with unanimous support from the board, according to a public statement dated October 3, 2022. She said she was committed to rebuilding trust with customers and that “this important process will assist those efforts”.
Ms Bayer Rosmarin resigned after intense scrutiny about the way she managed the data breach which affected 10 million customers, along with a 14-hour network outage last year.
Appearing for members of the class action led by Peter Robertson, barrister William Edwards, KC, agreed that it was a “problem” Mr Kusalic did not give evidence about what Ms Bayer Rosmarin told him was the purpose of the Deloitte report and noted “Ms Bayer Rosmarin didn’t come along and give evidence”.
A decision about the appeal will be delivered at a later date.
Originally published as Optus denies attempting to ‘cloak’ report’s findings into cyber attack