Federal Court considers whether third-party reports are protected by legal professional privilege
May 7, 2025
In McClure v Medibank Private Limited [2025] FCA 167, the Federal Court of Australia was asked to consider whether certain documents produced by third-party experts in the wake of a data breach incident response were subject to legal professional privilege (LPP).
The applicants commenced class action proceedings against Medibank Private Limited (Medibank) following a data breach incident in 2022, alleging breaches of contractual, equitable and regulatory obligations. The applicants challenged Medibank’s assertion of LPP over a number of third-party documents which it had commissioned as part of its response to the data breach incident.
Medibank argued that the documents were subject to LPP as they were prepared for the ‘dominant purpose’ of obtaining legal advice from Medibank’s legal representatives in relation to matters surrounding the data breach, or for use in litigation proceedings.
In considering Medibank’s claim, the Court reiterated the key principles in assessing whether LPP exists, including that the ‘dominant purpose’ of a document is to be determined objectively, and when considering third-party reports, the relevant period for assessing that purpose will usually be at the time of commissioning the report.
The applicants had challenged Medibank’s privilege claim over correspondence with its cyber security experts and their reports. The Court found that, notwithstanding that the services provided by the third-party experts were not, taken as a whole, for the predominant purpose of obtaining legal advice, a number of the individual documents were created for the dominant purpose of providing legal advice and were therefore subject to LPP. These included:
- email correspondence between Medibank’s legal representatives and a cyber-security firm which contained information that directly assisted the lawyers in advising Medibank on the legality of paying a cyber ransom;
- forensic reports which investigated the impact of the data breach on Medibank’s IT systems, and were used to provide legal advice on Medibank’s liabilities under the Privacy Act 1998 (Cth) and to the Office of the Australian Information Commissioner (OAIC); and
- forensic reports which provided expert cyber security assistance and were used in legal advice on an ongoing OAIC investigation.
However, the Court found that the Deloitte reports relating to ‘Post Incident Review’, ‘Root Cause Analysis’ and ‘APRA Prudential Standard’ were not subject to LPP as they had been commissioned for the purposes of:
- bolstering public relations and making public assurances to stakeholders;
- cooperating with APRA in order to avoid a prudential review and potential penal action;
- providing the Board of Medibank with an ‘unvarnished view’ of the entire incident; and
- providing legal advice to Medibank.
In reaching this finding the Court observed that:
- disclosure of the reports to APRA, and a commitment to share the results of the review with shareholders, was inconsistent with maintaining privilege;
- a lack of oversight from Medibank’s legal representatives during Deloitte’s engagement pointed to the reports not possessing a dominant legal purpose; and
- whilst a legal purpose did exist, the public relations and APRA purposes were at least as dominant as, if not more dominant than, the legal purpose.
This case is another reminder (following on from Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58, which we have previously reported on here and here) that caution should be taken when commissioning third-party reports where multiple purposes for the report may arise, since a report commissioned for regulatory, public relations or board reporting purposes alongside a legal purpose may not attract privilege.
The decision can be found here.