Hand over Optus breach report, court says
Optus will be forced to hand over a report into its disastrous 2022 data breach, having argued it should be kept secret.
Optus will be forced to hand over a report into how millions of their customers private data was released amid a 2022 data breach, the Federal Court has ruled.
The telco appealed an earlier decision of judge Jonathan Beach that it must tender the external review conducted by Deloitte, which was advertised as a way of rebuilding trust with customers, into evidence in a class action run by Slater and Gordon although not publicly release it.
Up to 9.5m customers’ private and confidential information was released as a result of a cyber-attack between 17 and 20 September 2022. The breach is now also the subject of two other probes being conducted by the Office of the Australian Information Commissioner and the Australian Communications and Media Authority.
“Despite refusing to accept the umpire’s decision, Optus must now hand over the Deloitte report into how millions of its customers’ private information was accessed as a consequence of the 2022 data breach,” Slater and Gordon class actions practice group leader Ben Hardwick said.
“Optus’s efforts to shield this report is indicative of a company that refuses to accept responsibility for its role in what happened, and the significant impact this data breach has had on millions of its Australian customers,” he said.
Former chief executive Kelly Bayer Rosmarin made public comments in a press release in 2022 after the data breach to say the report was an “important process (that) will assist those efforts”.
As well, the media release said: “We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience.”
A full court, consisting of Federal Court judges Bernard Murphy, Stewart Anderson and Penelope Neskovicin, unanimously upheld justice Beach’s ruling that Optus failed to prove the dominant purpose of the report was for legal advice.
Optus general counsel Nicholes Kusalic’s evidence about why the report was commissioned was “vague”, and if Optus failed to call Ms Bayer Rosmarin to clarify what in her mind was the dominant purpose of the Deloitte report at the time.
“Not only did Optus not put on direct evidence from Ms Bayer Rosmarin or any Board member, Mr Kusalic’s evidence did not even provide hearsay evidence, on the basis of information and belief, as to Ms Bayer Rosmarin’s state of mind, or as to the state of mind of the Board members to the extent that he talked to them,” the judgement read.
“Optus had the burden of establishing that the legal purpose was the dominant purpose for which the Deloitte Report was commissioned and therefore Ms Bayer Rosmarin’s purpose was of considerable importance.
“The applicants’ failure to call her to give evidence was bound to be regarded as significant.”
The same day the cyber attack was announced by Optus on September 22, Mr Kusalic contacted Ashurst. The judgement noted Ashurst was retained “to provide legal advice to Optus in relation to the litigation and regulatory risks Optus faced as a result of the cyber-attack”.
Optus has now failed twice to keep the report out of the proceedings in Victoria, arguing it was protected by legal privilege.
During a hearing earlier in May, Optus claimed most would be “gobsmacked” to find a media release would flag a legal purpose for such a report because of a possible class action or a potential regulator investigation.
“The point is to calm,” barrister for Optus Steven Finch, SC, said.
Ms Bayer Rosmarin resigned after intense scrutiny following a data breach which affected 10 million customers, along with a 14-hour network outage last year.
More Coverage
Add your comment to this story
Pratts battling Real Housewives star over property dispute
The billionaire Pratt family is seeking to remove a caveat reality TV identity Venus Behbahani has over a property in Melbourne’s swanky Toorak, already at the centre of a legal dispute.
ALRC ‘not compromised’ over religious school review
Australian Law Reform Commission president Mordy Bromberg has defended its review of discrimination at religious schools, saying the ALRC was ‘not compromised’ in any way.
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout