McClure v Medibank Private Limited
[2025] FCA 167
7 March 2025
FEDERAL COURT OF AUSTRALIA
McClure v Medibank Private Limited [2025] FCA 167
File number: VID 64 of 2023
Judgment of: ROFE J
Date of judgment: 7 March 2025
Catchwords: LEGAL PROFESSIONAL PRIVILEGE – third-party reports – investigation into cyber-attack – whether multiple purposes – common law principles – whether documents were created for dominant purpose of legal advice
LEGAL PROFESSIONAL PRIVILEGE – waiver of privilege – implied waiver – whether voluntary disclosure of reports to the regulator was inconsistent with the maintenance of confidentiality in the reports – whether public statements made were inconsistent with the maintenance of confidentiality in the reports
Legislation: Corporations Act 2001 (Cth)
Evidence Act 1995 (Cth)
Privacy Act 1988 (Cth)
Cases cited: Asahi Holdings (Australia) Pty Ltd v Pacific Equity Partners Pty Ltd (No 4) [2014] FCA 796
Australian Securities and Investments Commission v Australia and New Zealand Banking Group (No 2) [2020] FCA 1013
Australian Securities and Investments Commission v Macleod [2024] FCAFC 174
Australian Securities and Investments Commission v Noumi Ltd [2024] FCA 349
AWB Ltd v Cole (2006) 152 FCR 382
Commissioner of Australian Federal Police v Propend Financial Pty Ltd (1997) 188 CLR 501
Commissioner of Taxation (Cth) v Pratt Holdings Pty Ltd (2005) 225 ALR 266
Commonwealth Director of Public Prosecutions v Citigroup Global Markets Australia Pty Ltd [2021] FCA 511
Director of Public Prosecutions (Cth) v Kinghorn; Kinghorn v Director of Public Prosecutions (Cth) (2020) 102 NSWLR 72
Esso Australia Resources Ltd v Commissioner of Taxation (1999) 201 CLR 49
Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Limited (2013) 250 CLR 303
Glencore International AG v Commissioner of Taxation (2019) 265 CLR 646
Goldberg v Ng (1995) 185 CLR 83
Grant v Downs (1976) 135 CLR 674
Kennedy v Wallace (2004) 142 FCR 185
Macquarie Bank Ltd v Arup Pty Ltd [2016] FCAFC 117
Mann v Carnell (1999) 201 CLR 1
Mitsubishi Electric Australia Pty Ltd v Victorian Workcover Authority (2002) 4 VR 332
Osland v Secretary to the Department of Justice (2008) 234 CLR 275
Pratt Holdings Pty Ltd v Commissioner of Taxation (2004) 136 FCR 357
Precision Plastics Pty Limited v Demir (1975) 132 CLR 362
Robertson v Singtel Optus Pty Ltd [2023] FCA 1392
Roberts-Smith v Fairfax Media Publications Pty Limited (No 23) (2021) 417 ALR 221
Singapore Airlines v Sydney Airports Corporation [2004] NSWSC 380
Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58
State of New South Wales v Betfair Pty Ltd (2009) 180 FCR 543
TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143
TerraCom Ltd v Australian Securities and Investments Commission [2022] FCAFC 151
Turner v Bayer Australia Ltd (No 5) (2023) 70 VR 290
Division: General Division
Registry: Victoria
National Practice Area: Commercial and Corporations
Sub-area: Regulator and Consumer Protection
Number of paragraphs: 448
Date of last submissions: 19 February 2025
Date of hearing: 20 May 2024, 23 May 2024, 3 June 2024
Counsel for the Applicants: W A Harris KC, S D Puttick, E Nadon
Solicitor for the Applicants: Baker McKenzie
Counsel for the Respondent: S B McNicol KC, J J Rudd
Solicitor for the Respondent: King & Wood Mallesons
ORDERS
VID 64 of 2023
BETWEEN: ZOE LEE MCCLURE
First Applicant
CIHAN SOLBUDAK
Second Applicant
AND: MEDIBANK PRIVATE LIMITED (ACN 080 890 259)
Respondent
ORDER MADE BY:
ROFE J
DATE OF ORDER:
7 MARCH 2025
THE COURT ORDERS THAT:
1. Within seven days of the date hereof, the parties file and serve proposed minutes of orders to give effect to these reasons.
2. Until further order, the Court’s reasons for judgment not be disclosed to or published by any person, save to the parties, their legal representatives, and Court staff.
3. Within fourteen days, the parties confer, prepare, and provide to the Chambers of Justice Rofe, proposed redactions to the reasons for judgment. The Court will then prepare a redacted version of the reasons for judgment, which will be made available to the public.
4. In the event the parties are unable to agree to the terms of the proposed minutes of order referred to in order 1 or the proposed redactions referred to in order 3, the areas of disagreement should be set out in mark-up.
5. Liberty to apply.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
REASONS FOR JUDGMENT
ROFE J:
1. Introduction
By an interlocutory application dated 20 December 2023, the applicants, Zoe Lee McClure and Cihan Solbudak, seek orders for the production of various final technical reports provided to the respondent (Medibank), prepared by non-lawyer consultants and certain sample communications between Medibank, its legal advisors and several cybersecurity advisory firms. This privilege dispute has arisen in the context of class action proceedings brought by the applicants against Medibank alleging, amongst other things, breaches of various contractual, equitable and regulatory obligations.
Medibank has asserted legal professional privilege in respect of these documents and the material therein, or otherwise claimed that certain documents are attached to another document to which privilege applies.
Medibank claims legal professional privilege in the documents on the basis that the production of the documents would reveal communications between Medibank and its lawyers made for the dominant purpose of giving or obtaining legal advice (the advice privilege) or the provision of legal services, including representation in legal proceedings (the litigation privilege).
The applicants contest that legal professional privilege applies to these documents and otherwise claim that Medibank waived privilege in respect of three final reports produced by Deloitte Risk Advisory (Deloitte).
It is therefore necessary to consider, on a document-by-document basis, whether each document is subject to legal professional privilege.
Parts of my reasons are confidential and include redactions because they disclose the contents of documents which Medibank claims are confidential. I will make an order that, subject to further order, the Court’s reasons for judgment of the date of this order be published only to the applicants and Medibank, and be kept confidential (save to the parties, their legal representatives, and Court staff). This is to enable the applicants and Medibank to prepare, within a period of fourteen days, proposed redactions to the Court’s reasons for judgment. The Court will then prepare and publish redacted reasons for judgment, which will then be made available to the public.
1.1 The cyber incident
From about August to October 2022, Medibank experienced a cyber incident in which one or more cyber criminals accessed Medibank’s IT systems using stolen credentials and subsequently exfiltrated customer data (Cyber Incident). I refer to the person or persons responsible for the Cyber Incident as the Threat Actor.
2. Documents
The applicants seek production of the following documents listed below.
(a) Three reports from Deloitte:
(i) report dated 4 April 2023 titled ‘Post Incident Review’ (PIR Report);
(ii) report dated 10 May 2023 titled ‘Root Cause Analysis’ (RCA Report); and
(iii) report dated 23 June 2023 titled ‘External Review - APRA Prudential Standard CPS 234’ (CPS 234 Report),
(together, the Deloitte Reports).
(b) Two reports from CrowdStrike:
(i) report dated 12 December 2022 titled ‘Privileged Investigation Report’ (CrowdStrike Investigation Report); and
(ii) report dated 11 May 2023 titled ‘Privileged Investigation Report – Atlassian Crowd Analysis’ (Atlassian Report),
(together, the CrowdStrike Reports).
(c) Two reports from Threat Intelligence:
(i) report dated 4 January 2023 titled ‘Medibank Digital Forensics and Incident Response Report’; and
(ii) report dated 23 February 2023 titled ‘Draft Investigation Report – Medibank Sharepoint Investigation’,
(together, the Threat Intelligence Reports).
I refer to the Deloitte Reports, CrowdStrike Reports and Threat Intelligence Reports as the Contested Reports. I refer to the various cybersecurity advisory firms collectively as the Cyber Experts.
The applicants seek production of the following communications listed below.
(a) Various communications from CyberCX and Coveware:
(i) email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Re: Medibank | Key ransom issues and action plan’ dated 26 October 2022;
(ii) email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Re: Project Opera (privileged and confidential)’ dated 27 October 2022;
(A) attachment to email from Nick Klein to Cheng Lim titled ‘Case 06064 - Coveware.pdf’ dated 27 October 2022;
(iii) email from Nick Klein (CyberCX) to Cheng Lim (KWM) ‘re: [EXTERNAL] Fwd: Update on TA comms (privileged and confidential)’ dated 29 October 2022;
(A) attachment to email from Nick Klein to Cheng Lim titled ‘image001.png’ dated 29 October 2022;
(B) attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.17.13 AM.png’ dated 29 October 2022;
(C) attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.19.42 AM.png’ dated 29 October 2022;
(D) attachment to email from Nick Klein to Cheng Lim titled ‘Screen Shot 2022-10-28 at 10.20.03 AM.png’ dated 29 October 2022; and
(E) attachment to email from Nick Klein to Cheng Lim titled ‘Case 06064 -Coveware.pdf’ dated 29 October 2022,
(together, the CyberCX and Coveware Communications).
I refer to the Contested Reports and CyberCX and Coveware Communications collectively as the Cyber Expert Documents. The respective engagements relating to the production of the Contested Reports are discussed below in section 4.
For clarity, Annexure A to these reasons includes the list of documents of which the applicants seek production.
I note that I have not inspected the documents. I chose not to inspect the documents on the basis that the documents are technical reports relating to cyber security. Each of the relevant engagement documents pursuant to which the reports were produced instructed the authors to make reference to the report being prepared for the dominant purposes of legal advice. As such I expect each of the Contested Reports to be peppered with references to privilege incantations, which of themselves, divorced from the circumstances of the creation of the document are largely meaningless and not determinative of whether the particular report is the subject of legal professional privilege. As the applicants contend, “labelling communications with epithets denoting privilege does not make it so”.
3. Witnesses
The applicants read one affidavit from Mr Paul George Forbes dated 21 December 2023. Mr Forbes is a partner at Baker McKenzie, the legal representative of the applicants.
The respondent read affidavits from the following witnesses:
(a) Mr Michael John Wilkins, who made one affidavit on 26 March 2024. Mr Wilkins is a director and the chair of the board of directors of Medibank.
(b) Mr David Illar Koczkar, who made one affidavit on 26 March 2024. Mr Koczkar is the Chief Executive Officer of Medibank.
(c) Ms Carolyn Mei Ramsay, who made one affidavit on 26 March 2024. Ms Ramsay is the general counsel and company secretary for Medibank.
(d) Mr Domenic Mathew Gatto, who made one affidavit on 27 March 2024. Mr Gatto is a partner at King & Wood Mallesons (KWM), the legal representative of Medibank.
I granted leave for Mr Wilkins and Mr Koczkar to be cross-examined. The applicants did not seek leave to cross-examine Ms Ramsay or Mr Gatto.
The affidavit of Mr Gatto contained little first-hand evidence. Much of the evidence of Mr Gatto was given on the basis of information and belief of other persons.
The evidence in this application was extremely document heavy. In addition to the documents annexed to the respondent’s affidavits, the applicants tendered extensive documents. The applicants provided a useful chronology which helped make sense of the documents by providing a road map as to where they might be found in the various tender bundles and annexures.
3.1 Evidence
Medibank has relied upon the purported intentions and respective states of mind of Mr Koczkar, Mr Wilkins and Ms Ramsay to support its contention with respect to dominant purpose.
Whilst accepting that there were other purposes for which the Deloitte Reports might be apt, neither Mr Wilkins nor Mr Koczkar strayed from the position that the dominant purpose for which the Deloitte Reports were commissioned was to enable KWM to provide legal advice to Medibank and to assist Medibank in any litigation relating to the Cyber Incident.
The evidence of Mr Koczkar and Mr Wilkins at times involved matters of legal characterisation. For example, both witnesses utilised the same legal terms to answer questions in cross-examination and describe the purpose behind several engagements. Portions of the cross-examination which illustrate this are included below.
MS HARRIS: You referred to committing to share the outcomes of the review, because those – that the primary of the review was as expressed in this document?
MR WILKINS: No. The primary purpose was to get legal advice …
MS HARRIS: Now, you have accepted that the legal purpose was not the only purpose of the review; correct?
MR WILKINS: No, I don’t accept that, but you asked whether there were other areas that were associated with it or could be associated with it. The answer to that is yes, but the primary purpose was for legal advice. …
MS HARRIS: You weren’t simply concerned to make sure that Mr Gatto and his colleagues had adequate information to allow them to provide Medibank with advice?
MR WILKINS: That was the primary purpose of the Deloitte commissioning, and understanding what those reports said was important from the board’s perspective to be able to then determine the advice that KWM were providing us.
Mr Koczkar at times also appeared to minimise any non-legal purpose as ancillary, even at one stage describing “[the] other things that would come out of the review [as] secondary … in my submission”.
While I accept that Mr Koczkar and Mr Wilkins hold the views that they expressed, ultimately, the correct legal characterisation is a matter for the Court to determine objectively having regard to the totality of the evidence and cross-examination. As the CEO and Chair of Medibank, their respective states of mind will be highly relevant, but not solely determinative, in the inquiry as to whether legal professional privilege subsists. I elaborate on this further below.
Mr Gatto and Ms Ramsay were not cross-examined. The applicants submit that, to the extent that Mr Gatto and Ms Ramsay depose to the relevant documents having some legal purpose — that was a significant, and perhaps predominant, purpose to them as lawyers. The applicants submitted that, in that sense, Mr Gatto and Ms Ramsay may have used the Cyber Expert Documents for legal purposes — however, this evidence alone does not establish that any legal purposes predominated overall for Medibank. I accept this submission — the singular perspective of lawyers, for whom legal purposes are obviously likely to be significant, does not establish, on its own, that any legal purposes predominated overall for Medibank.
4. Relevant facts
4.1 Standing engagements
I note from the outset that Medibank had pre-existing standing engagements with several Cyber Experts and KWM prior to the Cyber Incident. The nature of each standing engagement is outlined below.
4.1.1 Threat Intelligence
Medibank had a standing engagement with Threat Intelligence to act as Medibank’s Digital Forensics and Incident Response (DFIR) partner. As part of its standing DFIR engagement, Threat Intelligence conducted an investigation into the circumstances of the Cyber Incident and conducted dark web monitoring activities to look for evidence of customer data being published on the dark web as well as any other information on the dark web about the Cyber Incident.
Threat Intelligence provided a “Digital Forensics and Incident Response Report” to Medibank on 2 December 2022. No claim of legal professional privilege has been made by Medibank in respect of this report or relevant material the subject of Threat Intelligence’s standing DFIR engagement, including the work performed pursuant to these two activities described above.
4.1.2 Datacom
At the time of the Cyber Incident, Medibank had a standing engagement with Datacom to act as Medibank’s primary third-party technology service provider. Following the Cyber Incident, Datacom continued to assist Medibank with IT services, including liaising with other third parties.
4.1.3 KWM
KWM and Medibank’s relationship is a longstanding one, in place since 1981. The relationship is governed by a “master services agreement” which governs the provision of legal services on all matters subject to any specific, bespoke arrangements agreed for a particular matter.
As a matter of practice, KWM does not generally enter into separate retainer agreements with long-standing and key clients like Medibank when it commences to act for them in a new matter. With such clients, the firm’s general practice is to have a “master services agreement” which governs the provision of legal services on all matters subject to any specific, bespoke arrangements agreed for a particular matter.
4.2 Cyber Incident chronology of key events
The purpose for which a document was created or commissioned is a matter of law to be determined objectively having regard to the evidence and the nature of the document amongst other things. The Cyber Expert Documents were commissioned, created and delivered at different times. In the case of the Deloitte Reports, some months passed between the initial engagement and delivery of the final reports. I set out below a detailed chronology of key events to provide the context and circumstances surrounding the commissioning and creation of the Cyber Expert Documents which informs my later consideration of whether legal professional privilege subsists in those documents.
4.2.1 11 to 13 October 2022
On the afternoon of 11 October 2022, Medibank received a security alert. A technical investigation by Medibank’s internal cyber response team regarding this alert commenced. In the early hours of 12 October 2022, the technical team identified evidence of external access to network administrator accounts and suspicious activity.
Mr Koczkar deposed that on the morning of 12 October 2022 he was informed of “unusual activity” in Medibank’s IT system. Following this, Mr Koczkar spoke with a number of Medibank’s staff and arranged a meeting with a crisis management team (CMT), consisting of members of the Executive Leadership Team of Medibank and other staff. The Australian Cyber Security Centre advised Medibank that there had been “chatter” on the dark web that Medibank’s IT systems had been breached and that it was likely to be the victim of a ransomware incident.
Medibank’s CMT team convened on three occasions on 12 October 2022. Mr Koczkar gave evidence that, on that day, he liaised with numerous personnel at Medibank, including its External Affairs team and separately, the Commonwealth Department of Home Affairs.
In one of the CMT meetings on 12 October 2022, Mr Koczkar directed Ms Ramsay to advise on and manage all formal communications to the various regulators, such as the Australian Prudential Regulation Authority and the Office of the Australian Information Commissioner, in relation to the Cyber Incident including making or facilitating any legally required notifications. Ms Ramsay engaged her internal legal team at Medibank to assist her in the immediate actions required to respond to the Cyber Incident. On that same day, Ms Ramsay also engaged Medibank’s external lawyers, KWM, to provide legal advice to Medibank in respect of the Cyber Incident.
Also on 12 October 2022, Medibank’s primary IT service-provider, Datacom, inquired with CrowdStrike about what assistance CrowdStrike could offer Medibank in response to the Cyber Incident. By 4pm that same day, CrowdStrike had been engaged by Medibank to assist with identification, counter response and to provide incident response, investigation and containment services. These services were provided pursuant to a statement of work dated 12 October 2022 and subsequently modified and extended on 21 October 2022 and 7 November 2022. The statement of work (CrowdStrike SOW) stated:
The Services (defined below) are performed for Customer, at the direction of Customer’s [Medibank’s] In-House Counsel (“Counsel”). Crowdstrike will perform the Services in connection with Counsel’s provision of legal advice to Customer. All communications and documents exchanged between Crowdstrike and Counsel or Customer pursuant to this SOW are intended to support Counsel’s rendering of informed legal advice to Customer. Crowdstrike understands and acknowledges that its work and communications pursuant to this SOW are intended to support Counsel’s legal strategies concerning Customer. Crowdstrike acknowledges that the Services and the engagement artifacts or reports described below, or portions thereof, are or may be protected from disclosure by the attorney-client privilege, attorney work product doctrine, or both. Accordingly, Crowdstrike shall treat the communications and reports exchanged between Crowdstrike and Counsel or Customer pursuant to this SOW in a manner consistent with the maintenance of any such privilege or protection, including without limitation labeling any written communications and documents as “Confidential: Attorney Work Product and Attorney-Client Privileged Communication.”
On the same day, Medibank’s External Affairs team engaged CyberCX to assist with its crisis communications strategy (Cyber Crisis Comms). CyberCX were recommended by Mr Alex Loizou (Medibank’s Senior Executive Chief Information Security Officer) in an email of 12 October 2022 to Ms Emily Ritchie (formerly Medibank’s Senior Executive, External Affairs Policy, Advocacy & Reputation). Ms Ritchie then contacted Mr Alastair MacGibbon (Chief Strategy Officer of CyberCX). Medibank does not claim privilege in relation to this portion of CyberCX’s engagement.
At approximately 6pm on 12 October 2022, members of Medibank’s internal legal team met via Microsoft Teams with external lawyers from KWM to receive advice in relation to the Cyber Incident. KWM’s engagement by Medibank was pursuant to the pre-existing master services agreement, discussed above. The scope of this engagement was for KWM to provide all legal advice required by Medibank in relation to the Cyber Incident.
By the end of 12 October 2022, Medibank’s internal IT security team informed Mr Koczkar that there appeared to have been a cyber breach, and at that stage there was no evidence that any sensitive data, including customer data, had been accessed.
On either late 12 October 2022 or early 13 October 2022, Mr Wilkins and Mr Koczkar invoked Medibank’s Cyber Response Board Committee (CRC). The CRC was a standing committee of Medibank’s Board that had been established since before the Cyber Incident to oversee Medibank’s response to cyber events and make decisions on behalf of the Board. The members of the CRC included Mr David Fagan (a non-executive director of Medibank), Mr Wilkins and Mr Koczkar. The first meeting of the CRC occurred on the morning of 13 October 2022.
During the morning of 13 October 2022, Mr Cheng Lim (partner at KWM) was instructed to open “Project Opera” in respect of the Cyber Incident.
On 13 October 2022, Medibank published an ASX announcement informing the public that it had been impacted by the Cyber Incident and its securities were placed in a trading halt on the ASX. On that day, Medibank also notified the OAIC and APRA of the Cyber Incident. In the days that followed, Medibank published various media releases and further ASX announcements. These media releases and ASX announcements are detailed further below. This trading halt continued until the commencement of normal trading on 17 October 2022.
Mr Koczkar’s evidence was that when Medibank went into a trading halt on 13 October, he was aware of the prospect of a shareholder class action against Medibank. This was because he was aware that significant ASX announcements by publicly listed companies, including trading halts, can generate interest by shareholder class action law firms. That risk remained in his mind each time that new information became known about the Cyber Incident. Mr Koczkar was also concerned about regulatory risk, in particular, in relation to the OAIC and APRA.
Mr Wilkins’ evidence was that in the initial days and weeks following the identification of the Cyber Incident, Medibank undertook its own internal investigations in an attempt to stop the attack and understand what had occurred so that it could make appropriate notifications and disclosures to stakeholders including customers, shareholders, regulators, law enforcement and various government agencies.
Mr Koczkar’s evidence was that immediately upon becoming aware of the Cyber Incident, Medibank commenced an internal investigation by its IT security team. This was to determine what had occurred (including what were the attack paths used by the Threat Actor, how the Threat Actor had infiltrated Medibank’s IT systems, whether and what data had been accessed, and whether the attack had been stopped) as well as to ensure that the Threat Actor was evicted from Medibank’s IT system and that the IT environment was secured. This investigation was overseen and managed by the ELT. This investigation also involved securing Medibank’s IT environment and determining what had to be changed operationally to ensure that similar cyber-attacks would be prevented in the future.
4.2.2 14 to 31 October 2022
On 14 and 15 October 2022, someone purporting to be the Threat Actor communicated via email to Ms Ritchie, and then Mr Loizou advising that they had proof of involvement in the data breach and seeking to commence negotiations with “authorized personnel” within Medibank.
On 16 October 2022, CrowdStrike provided an incident response project status update entitled “Bluemarsupial” which identified the earliest evidence of Threat Actor activity as late August 2022, and more recently as 12 October 2022, and gave an update as to the ongoing deployment of the ‘Falcon’ software.
On 17 and 18 October 2022, the Threat Actor advised via Medibank’s website chat support interface that they had information about ‘the incident’ and provided an email address for further communication.
At around 8.37 am on 19 October 2022, the Threat Actor contacted several executive staff from Medibank, including Mr Koczkar, via WhatsApp to negotiate a ransom payment and provided material indicating that they had exfiltrated data from Medibank’s systems. The data sent to Medibank staff included a list termed “naughty” which included persons who were claimed to be “high profile” and claimed to identify health treatment data, such as for drug abuse and mental health, with the apparent purpose of extorting a ransom from Medibank. Prior to this contact from the Threat Actor, Medibank’s IT security team was of the view that it did not appear that the Threat Actor had deployed ransomware or accessed customer data.
Following receipt of the message from the Threat Actor, Mr Koczkar attended a CMT meeting at 9.30 am and informed the attendees of the message that he had received. Mr Wilkins’ evidence was that the realisation that customer data may have been accessed and exfiltrated was a turning point in his mind as to the seriousness of the Cyber Incident and the potential for legal exposure. From this point, Mr Koczkar said he knew that the Cyber Incident had the potential to be an even more significant issue than it already was.
On 19 October 2022, Medibank entered a further ASX trading halt and released another ASX announcement informing the public of the ransom request, noting (among other matters) that its investigations were ongoing and that it would continue to provide regular updates. This trading halt lasted until 21 October 2022, at which time Medibank’s securities were suspended from quotation. This suspension from quotation lasted until immediately following an ASX announcement on 26 October 2022.
Also on 19 October 2022, Medibank staff met with staff from CrowdStrike, Datacom and Threat Intelligence to discuss the Cyber Incident, provide updates on key action items and create further action items if necessary. Ms Ramsay and Mr Lim met with representatives of CyberCX, Mr John Macpherson (director at Ashurst Risk Advisory) and other Medibank representatives in relation to the scope of the KWM CyberCX engagement. CyberCX provided a proposed scope of work to KWM on 20 October 2022.
By late morning on 19 October 2022, Medibank was corresponding with the Threat Actor via Coveware. Communications with the Threat Actor via Coveware continued until 1 December 2022.
Also on 19 October 2022, Mr Gatto was advised by Ms Nicola Charlston (partner at KWM) that Medibank required legal advice in his areas of expertise: risks of possible class actions from customers and shareholders, and Medibank’s engagement with the OAIC, APRA and the Australian Federal Police.
During the evening of 19 October 2022, Ms Charlston, and Mr Lim had a telephone call with Ms Ramsay and Mr Ashley Spencer (at that time Medibank’s Senior Executive – Legal (Strategy & Enabling Functions)).
Another ASX release was published by Medibank on 20 October 2022, noting that the trading halt continued until further notice. Mr Gatto, Mr Lim and Ms Charlston provided legal advice to Ms Ramsay in relation to the ASX release. As with the earlier releases, the release noted Medibank’s commitment to “transparency about what we know, and how that could impact our customers, our people, and the broader community”. Mr Koczkar was quoted as saying:
We will learn from this incident and will share our learnings with others.
Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.
A draft board paper entitled “Medibank Private Limited – Board Committee – Risk Assessment: Cyber Incident Containment Options – 16th October 2022 – for Noting” (16 October 2022 Draft Paper) was circulated on 21 October 2022 which provided an outline of an expected “path forward” contemplated by the Medibank Executive Leadership Team. This included three separate phases, a “sprint phase”, “marathon phase”, “the new normal phase”. The anticipated steps under each phase are reproduced below:
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
The draft Board paper also noted the various measures which were taken by Medibank in response to the Cyber Incident at that time. These relevantly included the following:
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
• [REDACTED]
• [REDACTED]
[REDACTED]
• [REDACTED]
• [REDACTED]
• [REDACTED]
On 20 October 2022, Medibank received a letter from the OAIC making preliminary inquiries about the Cyber Incident under s 42(2) of the Privacy Act 1988 (Cth). On that same day, KWM retained senior counsel to advise Medibank in relation to the Cyber Incident and ransom request.
Ms Ramsay’s evidence was that, between 21 and 25 October 2022, she began to shift her focus from the actions taken in the immediate response to the Cyber Incident, to focussing on managing legal risks and potential legal exposures associated with the Cyber Incident in the medium to long term. Ms Ramsay began to consider potential options for an external post incident review of the Cyber Incident, to enable both internal and external lawyers for Medibank to understand precisely what had occurred, in order to provide legal advice to Medibank and prepare for the investigations and legal proceedings that appeared to her at that time very likely to eventuate. Ms Ramsay considered that any post incident review would have to be undertaken by an external party because of the limited capacity of the internal IT security team (as they were fully occupied with efforts to contain the Cyber Incident), and the potential bias (perceived or actual) if the internal IT security team were to conduct a review themselves.
On 24 October 2022, Mr Gatto had a video call with Mr Guy Smith (at the time, Medibank’s Head of Disputes) and Mr Spencer to discuss risks associated with anticipated legal proceedings and steps to be undertaken to prepare for that litigation.
On 25 October 2022, Medibank released a further ASX announcement confirming that Medibank customer data (in addition to that of ahm Health Insurance and international student customers’ personal data) had been exfiltrated, and that the Cyber Incident was the subject of criminal investigation by the AFP. In addition to supporting the AFP criminal investigation, the release noted that Medibank “continues to work with specialised cyber security firms, the Australian Cyber Security Centre and government stakeholders” and stated that “Medibank will continue to provide regular, transparent updates”.
From around 25 October 2022, newspaper articles published by the Australian Financial Review and the Sydney Morning Herald in relation to the Cyber Incident, raised the prospect of potential class action legal proceedings being investigated. By this time, Mr Wilkins considered that there was a real prospect that Medibank would face legal proceedings in the form of regulatory actions and/or actions by customers or shareholders. He considered it essential for the Board to understand Medibank’s potential legal exposure flowing from the Cyber Incident.
By 25 October 2022, Ms Ramsay considered that Medibank should arrange for the conduct of an external review, where the purpose was to verify, from a suitably qualified person external to Medibank, the facts of the Cyber Incident in order to obtain legal advice and prepare for legal proceedings. Ms Ramsay explained that this was because the legal teams needed to know what happened in order to provide legal advice to the Board on potential legal risks and prepare for the likely legal proceedings.
On 26 October 2022, CrowdStrike provided a further incident response status update for the “Bluemarsupial” project which summarised ongoing systems analysis and investigations and Falcon software deployment. At this point, CrowdStrike did not identify any evidence of ongoing activity by the Threat Actor.
Medibank issued a further ASX release on 26 October 2022 which provided an event update in relation to the Cyber Incident, a first quarter performance and an update to FY23 outlook. That day, Medibank’s trading suspension from the ASX was lifted.
On 26 October 2022, KWM briefed senior counsel to advise Medibank in relation to the legality of paying a ransom in respect of the Cyber Incident. There were at least two calls that day with senior counsel and KWM lawyers including Mr James Russell (partner at KWM) and Ms Charlston and Medibank lawyers including Ms Melissa Monks (Senior Executive – Compliance, Privacy and Regulatory Affairs at Medibank), Ms Ramsay and Mr Spencer. There was a further call with senior counsel on 27 October 2022 which included Mr Lim, Ms Charlston, Ms McCormack, Ms Ramsay and Mr Spencer.
The relevant advice about the legality of paying the ransom was provided to Medibank’s Board on 29 October 2022. Around that time KWM executed the CyberCX Statement of Work, which is extracted below at [208].
On 29 October 2022, the Board met at 4 pm via Zoom to receive an event update and update from external advisors. The minutes for the meeting record that the Board noted the paper entitled “Board Briefing-Cybercrime – Ransom framework” dated 28 October 2022 and attached appendices and the paper entitled “Board Briefing – Cybercrime – Ransom framework – Supplemental Paper” dated 29 October 2022 and attached appendices. The Board minutes also record that the meeting was attended by Ms Ramsay and five other Medibank management personnel, three partners from KWM, and representatives from CyberCX, Coveware and Ashurst Risk Advisory. According to Mr Gatto (as informed by Mr Lim) the KWM advice discussed at this Board meeting related to the payment of a ransom and directors’ and officers’ duties.
4.2.3 1 November 2022 to 31 December 2022
Mr Koczkar deposed that by, at the latest, 1 November 2022, Ms Ramsay informed him that she was considering that the Board should commission an external review into what had occurred in the Cyber Incident, so that the legal team including KWM could understand in a non-technical manner what had occurred and provide legal advice to Medibank in relation to it. Mr Koczkar and Mr Gatto both deposed that, at that time, the reports that had been prepared by Medibank and the various cyber experts on the Cyber Incident were quite technical in nature and difficult to understand for people not trained in IT. Such reports included logs which were in raw form and not able to be interpreted without technical assistance.
Ms Ramsay also considered it important for Medibank’s internal and external legal teams to obtain an understanding of what happened in a non-technical form, which could be digested and understood by them so that they could provide legal advice.
With respect to the idea of engaging an external review of the Cyber Incident, Mr Koczkar’s evidence was:
I knew that the Board needed to understand Medibank’s legal position. By this time, I thought that it was appropriate that the Board be given an external perspective on what had happened in order to get advice on Medibank’s potential legal exposure. For example, at this time [Medibank] could not confirm that the Cyber [Incident] had not involved someone internally or contracted by our business, so while I considered our internal investigation had already given us a reasonable understanding of what had occurred, we could not discount anything. Having someone external come in and review what had happened and explain this to Medibank’s lawyers provided the best method for the Board to understand what the Cyber [Incident] meant legally for Medibank. In this regard, I note that while I was aware an external review would serve a purpose of assisting us to understand what had happened, in the sense of providing a means of verifying our internal investigation, that purpose was very much secondary to the primary purpose of ensuring the Board could receive advice on Medibank’s legal position based on an external review of what had occurred. In particular, as I note above, by this time I felt I already had a reasonable understanding of what had occurred based on Medibank's internal investigation. Finally, I was also very particular that it had to be a Board-led external review, not management-led.
On 4 November 2022, the Board met to consider, among other matters, an update on the response to the Cyber Incident, including the potential release of an ASX announcement. At this meeting, the Board made an “in-principle decision” that Medibank would not pay the ransom. The minutes of the meeting show that in addition to the Board and Ms Ramsay, five members of management were present for the Cyber Incident Update during which the Board considered whether to pay the ransom. According to Ms Ramsay, it was the view of the Board as expressed in Board meetings at which she was present — and with which she agreed — that external experts (i.e. non-Medibank personnel) should conduct an external review, so the legal team would have the benefit of an assessment of the facts by persons unconnected with the circumstances of the Cyber Incident.
According to Mr Wilkins, between 4 and 6 November 2022, the Board decided that it would instruct KWM to commission an external review by external experts discussed above at [70]–[72]. Mr Wilkins’ evidence was that the purpose of the external review was clear to him: the Board needed advice on Medibank’s legal exposure which was based on a complete understanding of what had happened. It was important to Mr Wilkins that the review be conducted by an external party.
Mr Wilkins stated that the purpose of the external review was:
… to assess any potential legal exposure arising from the [Cyber Incident] and inform our response (including defences) to the legal proceedings which I thought at the time were highly likely to eventuate. In my mind, the purpose of the external review was clear: the Board needed advice on Medibank's legal exposure which was based on a complete understanding of what had happened.
It mattered to me that the review be done by an external party. The Board had already received information from Medibank’s IT security team about the cyber event based on their internal investigations, but I considered that the Board needed an external perspective of what had taken place within the organisation and any legal risks arising from it. For this reason, it was decided that the Board, not Medibank's Executive Leadership Team (i.e. representatives of management at the executive level) (ELT), would instruct KWM to commission the external review, so that the Board had oversight of the process. The Board needed an unfiltered external review that reconstructed from the ground up what had happened in order to understand whether Medibank was legally exposed and the nature of any potential exposure.
If the Board had just needed to know what had happened for operational purposes, it would not have decided to instruct KWM to commission an external review of the kind we did. It would only have continued with Medibank's internal investigation, and then potentially looked to have someone validate or provide assurance around the veracity of that investigation. But because the Board wanted legal advice about its legal exposure, Medibank decided to proceed with an external review which would reconstruct what had happened for the purpose of lawyers giving advice to us on legal exposure.
On Sunday, 6 November 2022, the CRC held a meeting which was also attended by five members of management and Ms Ramsay. During that meeting, Ms Ramsay informed the CRC that the Board was comfortable with a proposed announcement to the ASX which: announced that Medibank would not pay the ransom; provided details concerning what data Medibank believed at the time had been exfiltrated by the Threat Actor; and announced that Medibank would commission an external review of the Cyber Incident. The minutes of the CRC meeting record that the draft ASX announcement “incorporated all the feedback received from the Directors”, and that all Board members had advised that they were comfortable with the content of the draft announcement. Neither the draft announcement nor (the unredacted part of) the minutes made any reference to the external review having any legal purpose. The ASX announcement was approved by the CRC on 7 November 2022 and released to the ASX that same day (7 November 2022 ASX Announcement).
The 7 November 2022 ASX Announcement stated:
Medibank has today announced that no ransom payment will be made to the criminal responsible for this data theft.
Mr Koczkar said: “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event,” he said.
This decision is consistent with the position of the Australian Government. …
“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” [Mr Koczkar] said. …
As we have worked through this cybercrime, Medibank has committed to being transparent as events unfold and more is understood, including how that could impact our customers, our people, and the broader community. …
External review
In addition to its ongoing forensic investigations, Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.
Medibank will announce more details of this review in the near future. …
Medibank commits to sharing the key outcomes of the review, where appropriate, having regard to interests of its customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.
(Emphasis added.)
The external review named in the 7 November 2022 ASX Announcement was the review ultimately carried out by Deloitte, and which resulted in the three reports: the PIR, RCA and CPS 234 Reports. At the time of the announcement, the identity of who would conduct the external review was not determined.
As to the 7 November 2022 ASX Announcement, Mr Wilkins’ evidence was:
I recall it was important to me that we got the message out that we were taking appropriate steps to understand what had occurred so that we could remedy any issues that may be revealed to us and share those issues within the constraints of any legal advice taken by us.
I did not at any time intend to release the reports of the proposed external review into the public domain, as I thought that to do so could expose Medibank legally, and provide details of Medibank’s IT systems that I did not think should be in the public domain (including due to the potential IT security risk that this could create for Medibank). …
However, if there were key findings that could be shared in a way that would not impact on Medibank’s legal position or Medibank’s claims for LPP, or present an IT security risk, or compromise the Australian Federal Police’s ongoing investigation, then that was something that the Board was open to sharing. That is what was meant when the Board said in the announcement that Medibank would share the key outcomes “where appropriate”.
In cross-examination, Mr Koczkar agreed that Medibank was trying to be as transparent as possible, however, he noted the reason for the “where appropriate” was “because we had no intention of sharing the – that external review in full”. He agreed that he intended to share the key outcomes of the external report and also agreed that there was no reference to the external review being commissioned for any legal purpose.
Regarding the 7 November 2022 ASX Announcement, Mr Koczkar deposed that at the time of the announcement, Medibank was still determining who was going to conduct the external review. Medibank was also still developing what the terms of reference would be for the external review. With respect to the intended purpose of the external review, Mr Koczkar gave evidence that:
Since the Cyber [Incident] had occurred, Medibank had been trying to be as transparent as possible with stakeholders, within reason, and the Board also wanted to share what it could with the community to avoid this happening to anyone else. At the same time, the words “where appropriate” were included in the ASX announcement because the Board was not going to share any of the key outcomes with anyone if doing that would increase the risk of a claim against Medibank, reduce Medibank’s ability to defend a legal proceeding, or give any other cybercriminals a roadmap to Medibank’s IT systems for that matter. In particular, the words “where appropriate” were included because, in my view, the Board had no intention (nor made any decision) to waive [legal professional privilege] in respect of the external review.
At that time, I did not consider it appropriate to include in the ASX announcement the fact that the external review was being obtained for legal advice, because in my experience that would only serve to make investors concerned and suspicious. I know from my experience of approximately 30 years of working in corporations with lawyers that I should not publicly reference legal advice. For these reasons, I did not think that the ASX announcement should expressly state that the external review was being engaged for legal purposes.
Mr Koczkar’s evidence was that he was aware of the fact that APRA would likely require an external review into the Cyber Incident to support its regulatory oversight. As such, and in discussions with Mr Wilkins, Mr Koczkar was keen to ensure that Medibank’s decision to conduct the external review was communicated to APRA and that APRA was consulted on its terms and scope so that it may satisfy any requirements APRA had, and ideally avoid the need for APRA to also conduct a separate review which would put an additional burden on Medibank’s resources. Ms Ramsay deposed to a similar view, subject only to the qualification that the outcomes would be shared with APRA to the extent that doing so would not waive privilege.
Ms Ramsay provided advice on the form of the ASX announcement. In relation to the statement that Medibank would share key outcomes of the review “where appropriate”, Ms Ramsay’s evidence was that she considered it important to convey that it may not be appropriate to share all outcomes, which would include making any public statement that would undermine Medibank’s claims for privilege in communications relating to the external review. Ms Ramsay considered that including details of the external review in the ASX announcement was consistent with the philosophy adopted by Medibank in relation to the Cyber Incident that Medibank would be as transparent as possible “within appropriate reason and bounds”.
By about 10 November 2022, Mr Gatto had formed the view that KWM would need to engage:
(a) one or more third-party cyber experts with relevant experience and expertise who could conduct an investigation, review the relevant information and reports prepared to date, and provide a report to KWM which would explain, in terms the legal team could understand, what had happened, the cause of the Cyber Incident and whether Medibank had and was continuing to comply with its obligations under the Privacy Act;
(b) third-party experts to provide ongoing assistance to KWM on specific and technical cyber security issues relating to the Cyber Incident; and
(c) a third-party expert with specific expertise and experience in the application of the standards in Australian Privacy Principle 11.1 and Prudential Standard CPS 234.
In an 8 November 2022 email from Ms Kylie Bishop (Medibank’s Group Executive People, Culture & Sustainability), a draft “Cyber Incident Program Office” document was attached which set out a Governance flow diagram. In this diagram, “Incident Investigation” and “External Review” were grouped together and pictured as being under the supervision of the Board Sub Committee and the ELT Sub Committee, which included Mr Koczkar, Ms Ramsay and Mr Mark Rogers (Medibank’s Group Executive, Chief Financial Officer and Strategy), with no mention of KWM. The purpose given for the external review was to “conduct an external and independent review and share findings and lessons with stakeholders”.
On 10 November 2022, Mr Wilkins and Mr Koczkar received legal advice from Ms Ramsay and KWM in relation to the form of the external review and the terms of reference.
Ms Ramsay gave evidence, on information and belief from Mr Rogers, that he and Ms Karen Phillips (Senior Executive – Internal Audit) met with potential candidates to conduct the external review to assess their capacity and technical capability to conduct the proposed review on or about 12 November 2022. Mr Rogers and Ms Phillips are not lawyers nor part of Medibank’s legal team.
In an 11 November 2022 email from Ms Phillips to Mr Rogers, headed “Cyber Incident – Review and Internal Audit”, Ms Phillips referred to an earlier phone call with Mr Rogers and noted:
Deloitte
• Has confirmed they are happy to work with us to get us into a position to announce a relationship at the AGM, noting they would need to be across the wording to be used. KWH [sic] has already reached out independently and Deloitte Partners have connected to ensure Firm alignment
• Meeting being arranged for over the weekend for Deloitte to share insights on potential scope, leveraging Optus, Energy Australia, other work. Would you like to join?...
KPMG…
As discussed, the high level objective of this first piece of work is to assess why were we exposed (how did we get here) and what do we have planned to remediate? The scope that sits below this will need to be fleshed using the expertise of the provider.
(Emphasis in original.)
Following their meetings, on either 13 or 14 November 2022, Mr Rogers and Ms Phillips recommended that Deloitte be appointed to undertake the external review. Mr Koczkar was aware that Ms Phillips and Mr Rogers met with potential candidates to assess their capacity to undertake the external review.
On or about 14 November 2022, Ms Ramsay instructed KWM to prepare draft terms of reference for an external review to be conducted by Deloitte, and a draft engagement letter to retain Deloitte to conduct the external review. Mr Gatto had a telephone discussion with Mr Ian Blatchford of Deloitte in the evening of 14 November 2022, and later that evening provided him with a draft engagement letter including the draft terms of reference.
On 15 November 2022, Ms Phillips informed APRA that “as you were already aware, King & wood Mallesons (KWM) has been engaged to act on our behalf and appoint an external provider to perform a review in relation to the recent cyber incident”. Ms Phillips noted that after consideration of a number of advisers, Deloitte had been chosen as preferred external review provider. Medibank provided APRA with the draft terms of reference and a proposed governance structure for engaging Deloitte to conduct the external review. Ms Phillips concluded “[p]rior to us making any announcement at our AGM, we welcome any queries or comments APRA may have in relation to our proposed course, in particular our preferred external provider, the high level governance structure we will have in place, and the draft terms of reference”.
Medibank’s dealings with APRA are discussed further at 4.3 under the heading “APRA involvement”. However, it is of note that APRA had “no objection” to the use of Deloitte. Mr Bruce Young (at the time, General Manager Operational Resilience at APRA) set out in an email APRA’s “suggested amendments/additions to your original scope paragraph” and requested a copy of the final scope prior to completion. APRA’s suggested additions included:
• A timeline/sequence of events;
• What specifically was the root cause, series of weaknesses, and/or control deficiencies which facilitated the breach, and was there anything that could have alerted Medibank to the control weakness and/or breach prior;
• Identify the areas of non-compliance to APRA’s Prudential Standard CPS 234, which contributed to the breach; and
• Did Medibank effectively respond to the incident from the point when it became known?
In her response email to Mr Young of 15 November 2022, Ms Phillips thanked APRA for its suggestions and confirmed that “they will either be considered as part of the detailed scope and approach of this external review, or we have already considered them to be potential future external reviews/internal audits”. Ultimately, the APRA suggestions were not incorporated into the final engagement letter for Deloitte.
On 15 November 2022, a virtual Board meeting was held, the minutes of which noted that the Board resolved to approve the appointment of Deloitte to conduct the external review of the Cyber Incident. That same day, Ms Ramsay contacted Mr Gatto seeking legal advice in relation to the engagement of Deloitte and referring to the Deloitte review in the speeches of Mr Koczkar and Mr Wilkins at the Annual General Meeting the following day.
Later on 15 November 2022, Mr Gatto says that he “issued” the engagement letter to Deloitte (Deloitte Engagement Letter) to conduct the “first review”. This particular choice of wording suggests that it was not Mr Gatto who drafted the terms of the engagement letter. The engagement letter read:
1 Medibank has engaged King & Wood Mallesons (KWM) to provide confidential legal advice and assistance to it about the legal risks and potential exposures associated with the recent cyber incident.
2 The scope of our advice includes whether, in relation to the recent cyber incident, Medibank or its directors, officers or employees may have, amongst other things, complied with (and continue to comply with) the provisions of the Privacy Act 1988 (Cth) or other Australian privacy laws, breached any contractual or equitable obligations (including obligations of confidence), engaged in misleading or deceptive conduct or breach of disclosure obligations, and/or been negligent in the design or implementation of its IT systems and processes.
3 In addition, at least two class actions against Medibank are being actively investigated by plaintiff law firms (with one class action reportedly expected to be commenced within a week), and the Office of the Australian Information Commissioner has commenced inquiries in relation to the cyber incident. The Australian Federal Police is also conducting an investigation. Accordingly, it is presently anticipated that one or more class actions or regulatory investigations / prosecutions will be commenced against Medibank or others in relation to the incident. We are providing legal advice and assistance to Medibank in relation to these matters.
4 In order for us to provide the legal advice and assistance to Medibank as outlined above, we require Deloitte to provide expert forensic assistance and cyber expertise to us, and we hereby retain you for this purpose.
5 In relation to this retainer, Deloitte is engaged for the dominant purpose of providing assistance to KWM to enable us to provide legal advice and assistance in relation to cyber incident to Medibank.
6 We will be in contact with you separately to discuss the assistance you are to provide to us in more detail, including your proposal to scope and resource the matter (including timing and costs estimates), and the terms and conditions of your engagement.
7 In the meantime, we confirm that the terms of reference for Deloitte’s retainer are to investigate and prepare a report on the following matters:
• How were Medibank’s IT systems accessed and information removed?
• What information was accessed? What information was removed?
• Will the enhancements to Medibank’s IT systems and processes implemented since the incident mitigate the risk of a reoccurrence of the same sort of incident?
• Are there any recommendations for further enhancements to Medibank’s systems and processes?
8 These terms of reference may need to be adjusted during the course of your engagement. If this is required, we will discuss it with you and confirm any changes in writing.
Communications protocol
9 Because your engagement is being undertaken for the dominant purpose of assisting us to provide legal advice to our client, legal professional privilege will attach to confidential communications engaged in during the course of, or documents created for the purposes of, your engagement.
10 It is important that you keep confidential information regarding the assistance you are providing in connection with this engagement and that legal professional privilege be maintained in any documents and communications that form part of your engagement.
Mr Gatto’s evidence as to the Deloitte Engagement Letter was as follows:
KWM required Deloitte to investigate the relevant matters for the following reasons:
(a) with respect to the first dot point under paragraph 7 of Deloitte's engagement letter, I considered that it was important that KWM obtain a fulsome understanding, in plain English, of what occurred during the Cyber Event, to be able to advise Medibank in relation to the legal issues it was confronting and to be able to effectively represent Medibank in the Anticipated Legal Proceedings;
(b) with respect to the second dot point under paragraph 7 of Deloitte's engagement letter, I considered this important to understanding the extent of Medibank's potential legal exposure to affected customers and expected that it would be important to Medibank's defence to the Anticipated Legal Proceedings; and
(c) with respect to the third and fourth dot points under paragraph 7 of Deloitte's engagement letter, I considered that it was relevant for KWM to understand these matters to advise Medibank in relation to the risk of any ongoing and continuing non-compliance with Medibank's legal obligations post the Cyber Event. I also considered, based on my experience advising clients in respect of their engagements with and formal actions taken by regulators (including APRA), that the third and fourth dot points would likely be relevant to advising Medibank in relation to its engagement with the OAIC and APRA and the prospects of one or both of these regulators taking formal action against Medibank, because regulators, in my experience, usually consider it relevant to their decisions as to what investigatory and enforcement action they will take whether there is a material risk of the same or similar thing happening again and whether steps have been taken to mitigate that risk.
Early in the morning of 16 November 2022, Ms Phillips received an internal email (the sender is not identified) which stated:
… for what it is worth, I suspect the risk of raising this is that it opens up a can of worms of APRA’s involvement/concerns/capital overlay which probably outweighs any cudos we would get (personally I would use the APRA angle when (if) we release any findings.
On 16 November 2022, Medibank’s AGM was held, during which Mr Wilkins and Mr Koczkar relevantly stated the following:
MR WILKINS: In addition to our ongoing investigations and engagement with the Federal Police and Australian Cyber Security Centre, we have commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers. The appointment has been made in consultation with APRA.
We will share the key outcomes of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation. We are also committed to sharing, where it is safe to do so, what we have learnt from our experience, so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future. …
MR KOCZKAR: As Mike has announced, the external review to be conducted by Deloitte, in addition to our ongoing investigation, will help us further strengthen our ability to safeguard our customers.
On 16 November 2022, after the AGM, Mr Koczkar sent an email to all employees of Medibank:
Hi everyone, …
In addition, we announced that we have commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate, to you, to our customers and our stakeholders.
As at the time of the 16 November 2022 AGM, there was no talk of three separate reports, rather just an “external” review involving investigation and the preparation of a report. Only Mr Gatto in his affidavit refers to the external review as “the first review”.
After receiving a request from Mr Blatchford to discuss the scope of the review in more detail, Mr Gatto, Mr Lim and Ms Phillips met with Mr Blatchford and others from Deloitte to discuss the external review on 17 November 2022.
On 18 November 2022, KWM engaged CrowdStrike directly. Prior to this, CrowdStrike had been engaged by Medibank directly to provide, amongst other things, investigation services and reports as required. The CrowdStrike engagement is discussed further at section 7.2 below.
On 23 November 2022, Mr Koczkar emailed an unidentified customer:
We have commissioned Deloitte to complete an external review of the cybercrime and the findings of this review will be taken into consideration by the Board when determining any bonus payments at the end of the 2023 financial year. We will do everything we can to ensure that we learn from this crime and our focus remains on the needs of our customers first and foremost.
In late November 2022 to early December 2022, Mr Gatto spoke with Mr Blatchford and Mr Evan Carvouni (both partners at Deloitte) in relation to whether Deloitte had the requisite expertise to undertake a second review focussed on identifying the root cause of the Cyber Incident and a third review focussed on assessing Medibank’s compliance with APP 11.1 and/or CPS 234. Following further consultation with Ms Ramsay and Mr Spencer, Mr Gatto spoke to Mr Carvouni in relation to KWM engaging Deloitte to undertake two further reviews in respect of the root cause of the Cyber Incident and about the scope of these reviews and Medibank’s compliance with CPS 234.
On 1 December 2022, the ELT held a meeting. The same day, the OAIC announced the commencement of a formal investigation into Medibank in respect of the Cyber Incident, on the Commissioner’s own initiative under s 40(2) of the Privacy Act, and served Medibank with a notice to produce documents pursuant to s 44 of the Privacy Act.
Medibank published an article on the ‘Features’ section of its website on 1 December 2022 entitled ‘A letter to our customers’ that Mr Koczkar approved. The letter was also published in media publications around Australia, and relevantly stated:
We’re working alongside the best cyber security experts to ensure our systems are better protected. We’ve improved our capability to block overseas and untrusted network access, and added advanced threat monitoring. We are also supporting the Australian Federal Police, who are actively monitoring the internet and known criminal online sites to identify those who are buying or selling stolen information. …
We’ve commissioned Deloitte to carry out an external review of recent events. This review will help inform the changes we make as a company and, where we can, we will openly share its findings with the broader community. It’s not just data that’s affected. It’s people. People we care for, and whose health and wellbeing remains our absolute focus. …
Ms Ramsay’s evidence was that throughout December 2022, KWM advised Medibank in relation to the scope of the reviews to be undertaken by Deloitte for the purpose of preparing the RCA Report and the CPS 234 Report. Deloitte commenced work on the PIR Report on or about 2 December 2022.
The Board meeting held on 14 December 2022, was attended by two staff from Deloitte, Mr Gatto, Mr Lim and Ms Charlston from KWM, and Ms Phillips, Mr Rogers, Ms Ramsay and a number of people from Medibank’s management. All were present for the Cyber Incident update given at the meeting. Ms Ramsay informed the meeting that she had instructed KWM to engage Deloitte to undertake the reviews the subject of the RCA and CPS 234 Reports.
On 14 December 2022, Mr Koczkar sent an email to an unidentified Medibank customer, copied to Mr Wilkins, which stated:
We have commissioned Deloitte to complete an external review of the cybercrime in addition to our ongoing investigation and the criminal investigation being undertaken by the Australian Federal Police. We will do everything we can to ensure that we learn from this crime and our focus remains on the needs of our customers first and foremost. …
On 15 December 2022, Becky Hyde (Senior Executive Corporate & Overseas Business at Medibank) sent an email responding to a question asked by Rio Tinto: ‘will Medibank be undertaking a cyber security review of their service providers/vendors (e.g. Doctors on Demand)?’. Ms Hyde responded:
[Redacted] Deloitte. This review will ensure that we learn from this cyber attack and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate, having regard to the interests of our customers and stakeholders [redacted], Australian Federal Police [Redacted]. We are also committed to sharing, where it is safe to do so, what we have learnt from our experience, so that Australian businesses and the broader community can be better placed to navigate any similar challenges in the future. The learnings from this will be extended to Medibank’s enterprise-wide partners and if required we will make updates to our assessments to ensure they meet Medibank requirements.
Sometime after the OAIC launched its investigation, Mr Gatto was of the view that KWM required immediate technical cyber security assistance in order to advise in relation to its response to the OAIC investigation. In mid to late December 2022, Mr Gatto recommended to the Medibank legal team that KWM engage Threat Intelligence (Medibank’s standing DFIR partner as at the date of the Cyber Incident, which had assisted the Medibank IT security team in responding to the Cyber Incident) to provide KWM with ongoing cyber security expert consultancy services in relation to various matters arising from the Cyber Incident, in order for KWM to provide ongoing legal advice and legal assistance to Medibank. KWM entered into a separate engagement with Threat Intelligence on or around 22 December 2022.
4.2.4 January 2023 to June 2023
Medibank customer support staff also informed Medibank customers directly of the external review being undertaken by Deloitte in response to queries for financial compensation in relation to the Cyber Incident. In an email dated 4 January 2023, a Medibank customer support staff member stated in response to a customer email:
Since the cyberattack, we have prioritised preventing further unauthorised entry to our IT network and are continuing to monitor for any further suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties. We have not seen any suspicious activity since 12 October.
In addition to this, we have also commissioned an external review, to be undertaken by Deloitte. This review will ensure that we learn from this cybercrime and continue to strengthen our ability to safeguard our customers. We will share the key outcomes of the review, where appropriate with our customers and stakeholders.
On 11 January 2023, KWM issued a letter of engagement for the RCA Report to Deloitte, and a separate letter of engagement to Deloitte in respect of the CPS 234 Report.
Ms Ramsay’s evidence was that Deloitte commenced the RCA Report review in around mid to late January 2023, and the CPS 234 Report on around 30 January 2023.
Another Board meeting was held on 9 February 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, three KWM partners and around 14 Medibank management staff, many of whom were not lawyers. The agenda for the meeting lists as item 1.1 the “Cyber Incident Update” which included a “Deloitte review update”.
Medibank released its 2023 half year results on 23 February 2023, together with an investor presentation about the results the same day. Both publications referred to the ongoing external review being conducted by Deloitte.
Another Board meeting was held on 11 April 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, two KWM partners, including Mr Gatto, and around eight Medibank management staff, most of whom were not lawyers. The agenda for the meeting shows as item 1.2 the “Deloitte Report”. The minutes record Mr Blatchford and Mr Carvouni speaking about the “Deloitte Report” and answering questions from the Board. A copy of this report, the PIR Report, was provided to APRA on 12 April 2023.
Another Board meeting was held on 16 May 2023. Prior to the meeting, a copy of the RCA Report was provided to the Board on 10 May 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, two KWM partners and Ms Phillips, Mr Rogers, Mr Loizou and Mr Greg Gokavi-Whaley (Medibank’s Chief Risk Officer and Senior Executive). The minutes for the meeting show as item 1 the “Deloitte Root Cause Analysis Report”. Mr Blatchford and Mr Carvouni are recorded as speaking about this Report and answering questions from the Board.
On 17 May 2023, Ms Ramsay received from Mr Gatto a further and final version of the RCA Report which had been amended following the 16 May Board meeting.
On 23 June 2023, KWM provided a copy of Deloitte’s CPS 234 Report to the Board of Medibank under the cover of a letter of the same date. The letter stated:
Pursuant to those engagements, we now enclose for your information a copy of the Deloitte ‘APRA Prudential Standard CPS 234’ report. We are currently considering this report for the purposes of providing legal advice to Medibank.
Please note that this letter and the attached report are confidential and subject to Medibank’s legal professional privilege.
A Directors’ meeting was held on 26 June 2023. In addition to the Board and Ms Ramsay, this meeting was attended by three people from Deloitte, including Mr Carvouni, two KWM partners including Mr Gatto, and a large cast of Medibank management staff, including Ms Phillips and Mr Rogers, most of whom were not lawyers. The minutes for 26 June 2023 meeting recorded:
APRA MEETING UPDATE (No. 1)
The Chair provided an update on the meeting he and the CEO attended with APRA on the afternoon of Friday 23 June 2023, noting the APRA attendees were Suzanne Smith (Member) and Sean Carmody (Executive Director). The Chair advised that APRA had indicated that it may soon be in a position to advise the Board of APRA’s response to Medibank’s October 2022 cyber incident, and that APRA’s position may include a potential APRA Supervisory Adjustment with no quantum specified. The Chair noted that APRA had requested another meeting with the Chair and CEO in the late afternoon of Monday 26 June 2023.
…
CYBER INCIDENT UPDATE
1.1 Deloitte Report
The Board noted the letter from King & Wood Mallesons (KWM) addressed to Medibank and the Board dated 23 June 2023 in which KWM referred to their engagement by Medibank to provide legal advice and legal assistance in relation to last year’s cyber incident, and KWM’s subsequent engagement of Deloitte to provide expert assistance for that purpose, as detailed in KWM’s letter to Deloitte dated 11 January 2023 and Deloitte’s letter to KWM dated 12 January 2023. Pursuant to those engagements, KWM noted that it had provided to Medibank and the Board for its information a copy of the Deloitte ‘APRA Prudential Standard CPS 234’ report (Report). KWM further noted that it was currently considering the Report for the purposes of providing legal advice to Medibank, and that KWM’s letter and the Report are confidential and subject to Medibank’s legal professional privilege.
Mr Carvouni and Mr Lee spoke to the Report and answered questions from the Board.
A Board of Directors’ Meeting was held on 27 June 2023. In addition to the Board and Ms Ramsay, this meeting was attended by two people from Deloitte, two KWM partners including Mr Gatto, and a number of Medibank management staff, including Ms Phillips and Mr Rogers, most of whom were not lawyers. The agenda for 27 June 2023 recorded both KWM and Deloitte as the ‘presenter’ of the ‘Deloitte Report’.
The papers for the 27 June 2023 meeting included Mr Koczkar’s CEO report, dated 27 June 2023. Item 2 of the CEO Report is titled ‘[REDACTED]’ and includes the following dot point:
[REDACTED]
4.3 APRA involvement
As the extent of involvement of APRA assumed some prominence in the question of whether legal professional privilege subsisted in the Deloitte Reports, I have set out the chronology of APRA’s involvement separately below.
Medibank first notified APRA of the Cyber Incident on 13 October 2022. Medibank Board briefing papers from 14 December 2022 record that Medibank had held twice weekly meetings with APRA since 21 October 2022 to provide updates about Medibank’s response, impacts and business continuity plans.
On the morning of 15 November 2022, Ms Phillips sent Mr John Huijsen (General Manager Insurance, Insurance Division of APRA) an email headed “External Review”, referring to their conversation late the day before, and advised APRA that:
(a) KWM had been engaged to act on Medibank’s behalf and appoint an external provider to perform a review into the Cyber Incident;
(b) After consideration of a number of advisers, Deloitte had been chosen to conduct that review;
(c) Medibank intended to announce the appointment of Deloitte at the AGM the next day; and
(d) Ms Phillips, as Senior Executive Internal Audit, would lead the review from the Medibank side.
Ms Phillips’ 15 November 2022 email to APRA noted:
The draft terms of reference for this engagement includes the investigation and preparation of a report on the following matters:
1. How were Medibank’s IT systems accessed and information removed?
2. What information was accessed? What information was removed?
3. Will the enhancements to Medibank’s IT systems and processes implemented since the incident prevent a reoccurrence of the same sort of incident?
4. Are there any recommendations for further enhancements to Medibank’s systems and processes?
Prior to us making any announcement at the AGM, we welcome any queries or comments APRA may have in relation to our proposed course, in particular our preferred external provider, the high level of governance structure we will have in place, and the draft terms of reference.
Later that morning, Mr Young and Ms Phillips had a telephone conversation. In the afternoon of 15 November 2022, Mr Young emailed Ms Phillips in response, and confirmed APRA had no objection to Deloitte’s appointment and had “no further comment on the governance arrangements”. APRA then provided some comments on the draft terms of reference. In particular, APRA suggested that the words italicised in its email be added to the terms of reference set out in Ms Phillips’ email. The italics are not reproduced below; the suggested additions are the words that do not appear in the four questions quoted above:
1. How were Medibank’s IT systems accessed and information removed, together with a timeline/sequence of events; What specifically was the root cause, series of weaknesses, and/or control deficiencies which facilitated the breach, and was there anything that could have alerted Medibank to the control weakness and/or breach prior”
2. What information was accessed? What information was removed? Identify the areas of non-compliance to APRA’s Prudential Standard CPS 234, which contributed to the breach
3. Will the enhancements to Medibank’s IT systems and processes implemented since the incident prevent a reoccurrence of the same sort of incident? Did Medibank effectively respond to the incident from the point when it became known?
4. Are there any recommendations for further enhancements to Medibank’s systems and processes?
In the evening of 15 November 2022, after the letter of engagement had been sent to Deloitte, Ms Phillips replied to Mr Young and confirmed that APRA’s suggested amendments/additions would either be considered as part of the detailed scope and approach of the external review (which Deloitte had already been engaged to undertake) or had already been considered for inclusion in potential future external reviews or internal audits. Ms Phillips noted that Medibank intended to announce its preferred external provider (Deloitte) at the AGM the next day, and asked Mr Young whether APRA would be comfortable with Medibank mentioning it had consulted with APRA on the appointment of Deloitte. Mr Young responded by email later that evening, stating that APRA was comfortable with Medibank mentioning it had been consulted, and seeking clarification as to whether there was a chance that any of the scope items that may fall into the category of potential future reviews would not be undertaken.
In TerraCom Ltd v Australian Securities and Investments Commission (2022) 401 ALR 143, an independent investigation into allegations made by a former employee and which had also attracted the attention of the Australian Securities and Investments Commission led to the commissioning of a privileged report from PricewaterhouseCoopers Consulting (Australia) Pty Ltd (PwC). TerraCom had made announcements to the ASX that it had commissioned this report, including by various ASX announcements and in an open letter to shareholders. TerraCom announced that it had commissioned the investigation and, later, that it had found no evidence of wrongdoing. Justice Stewart found that privilege in the report had been waived, with this finding affirmed by the Full Court on appeal: TerraCom Ltd v Australian Securities and Investments Commission [2022] FCAFC 151.
In TerraCom, at [61]–[64], his Honour observed:
In my view, reliance by TerraCom on the finding in the PwC report of no wrongdoing by its CEO and CFO is inconsistent with the maintenance of the privilege that otherwise attaches to the report. TerraCom was taking advantage of that finding to deflect criticism of its officers, and itself, the effectiveness of the deflection being heightened by characterising the investigation that led to the report as an independent forensic investigation. That was to employ the findings of PwC for a forensic or commercial advantage — forensic in the sense of seeking to deflect the attention of any regulator in an investigation and commercial in the sense of maintaining the company’s commercial good standing and its share price. It cannot at the same time claim that the report is privileged. That is to seek to approbate and to reprobate.
…
TerraCom submits that the disclosure of the contents of the report is so minor as to be de minimus, but I do not accept that. TerraCom said that the independent investigation concluded that the allegations against, at least, its CEO and CFO were unfounded. Regardless of what other conclusions the report expressed, that is a critical finding of vital relevance to TerraCom, which is no doubt why TerraCom repeated it publicly on a number of occasions. It is not de minimus at all.
In that regard, the voluntary disclosure of the gist or conclusion of legal advice amounts to waiver in respect of the whole of the advice to which reference is made including the reasons for the conclusion … It has long been established that the disclosure in a summary way of only a conclusion expressed in legal advice can result in a waiver of the advice …
(Citations omitted.)
The Full Court recently considered the principles relevant to the waiver of legal professional privilege in Australian Securities and Investments Commission v Macleod [2024] FCAFC 174 at [129]–[140] (per Burley, Anderson and Meagher JJ).
The Full Court in Macleod noted at [138] the observations of the High Court in Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Limited (2013) 250 CLR 303 that waiver in its strict legal connotation is an intentional act done with knowledge whereby a person abandons a right or privilege by acting in a manner inconsistent with that right or privilege. The High Court went on:
[30]… In most cases concerning waiver, the area of dispute is whether it is to be implied. In some cases, waiver will be imputed by the law [Goldberg v Ng (1995) 185 CLR 83 at 95-96] with the consequence that a privilege is lost, even though that consequence was not intended by the party losing the privilege. The courts will impute an intention where the actions of a party are plainly inconsistent with the maintenance of the confidentiality which the privilege is intended to protect [Mann v Carnell (1999) 201 CLR 1 at 13 [29]].
[31]In Craine v Colonial Mutual Fire Insurance Co Ltd [(1920) 28 CLR 305 at 326], it was explained that “‘[w]aiver’ is a doctrine of some arbitrariness introduced by the law to prevent a man in certain circumstances from taking up two inconsistent positions ... It is a conclusion of law when the necessary facts are established. It looks, however, chiefly to the conduct and position of the person who is said to have waived, in order to see whether he has ‘approbated’ so as to prevent him from ‘reprobating’”. In Mann v Carnell [(1999) 201 CLR 1 at 13 [29]], it was said that it is considerations of fairness which inform the court’s view about an inconsistency which may be seen between the conduct of a party and the maintenance of confidentiality, though “not some overriding principle of fairness operating at large.”
(Footnotes inserted.)
Implied waiver of privilege “reflects a judgement that the conduct of the party entitled to the privilege is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect”: Osland v Secretary to the Department of Justice (2008) 234 CLR 275 at [45] (per Gleeson CJ, Gummow, Heydon and Kiefel JJ).
As Beach J observed in Robertson at [196], implied waiver is a fact-based enquiry as to whether by conduct the privilege holder has directly or indirectly put the contents of an otherwise privileged document in issue. That enquiry entails an evaluative decision based on consideration of the whole of the circumstances of the particular case, including the context and circumstances in which disclosure or use is made. The circumstances may include the nature of the matter in respect of which the privileged document was used, the evident purpose of such disclosure or use that is made and the legal and practical consequences of limited, rather than complete, disclosure.
In Australian Securities and Investments Commission v Australia and New Zealand Banking Group (No 2) [2020] FCA 1013, Allsop CJ summarised at [31] a touchstone test of whether a waiver of privilege has occurred:
… there is a waiver if one states: ‘I have legal advice. Its substance is.’ But there is no waiver if a party says what he or she believes and legal advice may be seen to be relevant to it…
The onus lies on the person asserting waiver to establish that there has in fact been waiver of any privilege found to exist: State of New South Wales v Betfair Pty Ltd (2009) 180 FCR 543 at [54] (per Kenny, Stone and Middleton JJ).
8.2 Submissions
The applicants contend that inconsistency arises through Medibank’s disclosure of the three Deloitte Reports to the regulator, APRA, for its own advantage — to reduce the likelihood of a second external review. They submit that the inconsistency is even more stark in this case where the privilege holder shares privileged material with a regulator that can bring penalty proceedings against the privilege holder with respect to the very subject matter of the disclosed material.
The applicants contend that waiver arises even where, as in Goldberg v Ng (1995) 185 CLR 83, disclosure was on the express basis of confidence.
The applicants further submit that Medibank’s public statements are of a different quality to those considered by the Full Court in Singtel Optus. Here, Medibank made the 28 April 2023 ASX Announcement after it had received the PIR Report. As such, there was no ambiguity as to what Medibank was referring to.
8.3 Consideration
8.3.1 Provision of Deloitte Reports to APRA
The applicants also relied on the finding of an implied waiver in Australian Securities and Investments Commission v Noumi Ltd [2024] FCA 349. There, a PwC report was prepared and provided to ASIC in the circumstance that Noumi had been attempting to cooperate with ASIC’s investigation regarding “unsaleable inventory”. Noumi entered into a “Voluntary Confidential Legal Professional Privilege Disclosure Agreement” (defined as a VDA) with the regulator under which Noumi disclosed various documents (purportedly) covered by privilege at common law, including the PwC report.
The Full Court in Macleod recently overturned the finding of an implied waiver on the basis of a “derivative” use of the report by ASIC. The primary judge considered that the PwC report could be used by ASIC to identify witnesses, to examine the topics to be explored with them, the questions to be asked and so on. The Full Court considered that the reference to “derivative use” was a reference to how the contents of the PwC report may be used by ASIC, finding at [147] that such derivative use of information did not amount to a disclosure of that information. To the extent that it might have been, ASIC was prevented by clause 4.1 of the VDA from doing so.
The Full Court in Macleod observed at [150] that an information asymmetry between parties does not of itself amount to unfairness in this context. The unfairness that informs inconsistency is forensic unfairness as between the privilege holder and the privilege challenger: Macquarie Bank Ltd v Arup Pty Ltd [2016] FCAFC 117 at [29] (per Middleton, Robertson and Gleeson JJ). The Full Court in Macleod continued at [150]–[151]:
Unlike the position on the facts in Goldberg, here, no disclosure was made by Noumi to gain an advantage over the opposing party in related litigation. Indeed at [212] the primary judge explicitly found that there was no such motive in subjective terms. Nor is one apparent in objective terms. Mere relevance of the withheld material does not by itself establish an inconsistency necessary to give rise to an implied waiver; Kinghorn at [151].
To the extent that investigations and admissible evidence obtained informed the formulation by ASIC of a case against Mr Macleod, he was entitled to access such material as might be deployed against him in the case in the course of normal pre-trial processes. Whether unfairness is considered at the time of the disclosure of the privileged material (here, on 19 October 2020) or at the time the claim for privilege is made by Noumi (13 September 2023), it may be assumed that ASIC and Noumi were aware that such pre-trial processes would make information of the kind considered above available to Mr Macleod.
Mere relevance of the withheld material does not by itself establish an inconsistency necessary to give rise to a waiver: Director of Public Prosecutions (Cth) v Kinghorn; Kinghorn v Director of Public Prosecutions (Cth) (2020) 102 NSWLR 72 at [151] (per Bathurst CJ, Fullerton and Beech-Jones JJ).
The facts of this case are very different to those in Macleod. The details of APRA’s involvement are discussed above. The following matters are of particular relevance.
APRA had been involved since Medibank first notified it of the Cyber Incident on day one, 12 October 2022. From 21 October to mid December 2022, APRA personnel attended twice weekly meetings with Medibank at which they were kept abreast of the developments relating to the Cyber Incident.
It was the evidence of both the Chair and CEO that it was a key concern of Medibank to avoid a second external review undertaken by its regulator. As Mr Koczkar observed, “it would be expedient if the one review could satisfy [APRA’s] requirements as well”. It was intended from the outset that APRA would be given a copy of the external review (ultimately three reports) for the purposes of carrying out its regulatory obligations, which included its enforcement role.
Medibank included APRA in the external review process from the first stage. The contact between Medibank and APRA was at the top level of both entities, involving the CEO and Chair of Medibank and Ms Smith and Mr Carmody at APRA. It notified APRA of its intention to commission the external review before Deloitte was engaged. Medibank sought, and received, APRA’s comments on draft scope of the external review, and the proposed external reviewer. APRA personnel attended tri-partite meetings with Medibank and Deloitte, with no lawyers present during the course of the external review.
Medibank and APRA issued mutual press releases as to their open and cooperative ongoing relationship. The closeness of the relationship was exemplified by APRA’s role in the scoping of the external review, its attendance at the tri-partite meetings whilst the review progressed, and its receipt of all three reports on completion of the external review.
APRA’s involvement in setting the scope of the external review and meeting with the Deloitte team conducting the external review took place well before the privilege protocol retrospectively sought to superimpose legal professional privilege before the reports were provided to APRA.
In the 28 November 2022 APRA Release, APRA stated that it had informed the scope of the external review, that it would have information regarding the findings of the report, and that it would consider whether further regulatory action would be required. Medibank’s 28 November 2022 ASX Announcement affirmed that the findings of the review would be shared.
The contemporaneous documents which reflect Medibank and APRA’s engagement with respect to the external review and the provision of the Deloitte Reports to APRA were not formalised into a VDA, like in Macleod, but were provided pursuant to a written protocol. This protocol was addressed in the 15 February 2023 Letter from Mr Huijsen to Medibank, as extracted above at [157]. This protocol also refers to discussions between Medibank and APRA on 21 December 2022.
APRA expressly indicated via public statements that the information in the Deloitte Reports may be used for APRA to undertake further regulatory action. In Macleod, ASIC indicated similarly that information within the report would be applied for a ‘derivative use’ to prosecute Mr Macleod.
There was nothing in the protocol (nor could there be) to stop APRA using the information and intelligence gained through its interactions with Deloitte and the Deloitte Reports themselves for its own regulatory purposes — purposes which were in direct tension with Medibank’s interests in protecting its legal position.
Given APRA’s involvement from the very beginning of the Cyber Incident and Medibank’s early intention to keep APRA informed of the substance of the Deloitte Reports, it is evident that whatever information within the Deloitte Reports was relevant for APRA’s purposes was always intended to be shared with it. Rather than supporting a waiver, I consider that this is consistent with my earlier conclusion as to why legal professional privilege does not subsist in the Deloitte Reports.
In this sense, any “derivative use” of the information in the Deloitte Reports cannot be made out, because in this case APRA’s involvement in the commissioning of the Deloitte Reports and their respective scopes evidences the fact that these reports were never created or commissioned for a dominant legal purpose from their very inception.
8.3.2 Waiver via public statements
The applicants submit that by the 28 April 2023 ASX Announcement (and all other such public statements), Medibank voluntarily disclosed the “gist or conclusion[s]” of the Deloitte Reports and what it was doing with them. It did so, if nothing else, because of the obvious forensic advantage to deflect regulatory action, and the obvious commercial advantage to assuage customer concerns that Medibank was, in its own words, “enhanc[ing] [its] systems and processes to provide [its] customers with the security they expect and deserve”.
The applicants contend that the inconsistency lies in Medibank’s use of the Deloitte Reports for the ASX/PR purpose — from before their commissioning, during the review process and after completion of the Deloitte Reports — in purporting to provide comfort to its shareholders and customers that it would learn from this Cyber Incident, strengthen its ability to safeguard customers, and share the learnings, when, in fact, Medibank had no intention of sharing any of the outcomes, and now asserts that the dominant purpose for which the Deloitte Reports were commissioned was the provision of legal advice and litigation assistance, not the protection of its customers. The applicants submit that there is an inherent inconsistency in seeking to rely on the commissioning of the Deloitte Reports in the midst of a public relations crisis and seeking to rely on privilege in trying to resist production of the Deloitte Reports.
Similar submissions to those made by the applicants in this case were made by the applicants in Robertson. They alleged inconsistency in Optus relying upon the Deloitte report whilst it was in the midst of a public relations crisis and then seeking to rely on privilege in trying to resist any inspection of the report itself. Justice Beach rejected the applicants’ waiver argument in Robertson, concluding at [195] that none of the public statements put the contents of the otherwise privileged report in issue.
The applicants seek to distinguish Robertson on the basis that the relevant statements were made before the completed Deloitte report had been received by Optus. Here, the 28 April 2023 ASX Announcement expressly confirms that Medibank “has now been provided with Deloitte’s findings from [the external incident] review” and continues “Deloitte has made recommendations to enhance Medibank’s IT processes and systems. A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken …”. The Chair is then quoted as saying “the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further”. Following on from the discussion of the Deloitte report’s recommendations, the recommendations spoken of by Mr Wilkins must be the Deloitte recommendations.
Only one report had been delivered to Medibank by 28 April 2023, the PIR Report.
In my view, by making this reference to the Deloitte PIR Report, Medibank was seeking to take advantage of its implementation of the recommendations resulting from the external incident review conducted by Deloitte to deflect criticism and enhance or maintain its good standing in the eyes of its shareholders and customers and its share price. It cannot at the same time maintain privilege in that part of the report setting out the recommendations to enhance Medibank’s IT processes and systems. I consider that by making the statements in the 28 April 2023 ASX Announcement, Medibank has waived privilege in that part of the PIR Report relating to the recommendations to enhance Medibank’s IT processes and systems.
The statements in the 28 April 2023 ASX Announcement were not casually made; they were consciously and deliberately made, following consideration by at least the Board, by way of a formal ASX announcement.
9. Conclusion
For the reasons set out above I consider that legal professional privilege does not subsist in the three Deloitte Reports (Documents 15, 16 and 17 listed in Annexure A). I consider that the CyberCX and Coveware Communications (Documents 1, 2, 3, 4, 5, 6, 7, 8 and 9 listed in Annexure A), the CrowdStrike Reports (Documents 10 and 11 listed in Annexure A) and the Threat Intelligence Reports (Documents 12 and 13 listed in Annexure A) are privileged.
At this stage, I will make orders that within seven days of the date hereof the parties file and serve proposed minutes of orders to give effect to these reasons.
I certify that the preceding four hundred and forty-eight (448) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Rofe.
Associate:
Dated: 7 March 2025
ANNEXURE A

No.  Description of document  Date of document

CyberCX and Coveware
1  Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Re: Medibank I Key ransom issues and action plan  26 October 2022
2  Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Re: Project Opera (privileged and confidential)  27 October 2022
3  Attachment to email from Nick Klein to Cheng Lim titled “Case 06064 - Coveware.pdf”  27 October 2022
4  Email from Nick Klein (CyberCX) to Cheng Lim (KWM) re: [EXTERNAL] Fwd: Update on TA comms (privileged and confidential)  29 October 2022
5  Attachment to email from Nick Klein to Cheng Lim titled “image001.png”  29 October 2022
6  Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.17.13 AM.png”  29 October 2022
7  Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.19.42 AM.png”  29 October 2022
8  Attachment to email from Nick Klein to Cheng Lim titled “Screen Shot 2022-10-28 at 10.20.03 AM.png”  29 October 2022
9  Attachment to email from Nick Klein to Cheng Lim titled “Case 06064 - Coveware.pdf”  29 October 2022

CrowdStrike
10  Report from CrowdStrike dated 12 December 2022 titled “Privileged Investigation Report”  22 December 2022
11  Report from CrowdStrike dated 11 May 2023 titled “Privileged Investigation Report - Atlassian Crowd Analysis”  11 May 2023

Threat Intelligence
12  Report from Threat Intelligence dated 4 January 2023 titled “Medibank Digital Forensics and Incident Response Report”  4 January 2023
13  Report from Threat Intelligence dated 23 February 2023 titled “Draft Investigation Report - Medibank Sharepoint Investigation”  23 February 2023

Datacom
14  Email from Jonathan Prideaux of KWM to (among others) Con Xenos of Datacom and Melissa Monks of Medibank re: “[EXTERNAL] RE: Information Request”  14 January 2023

Deloitte
15  Report from Deloitte dated 4 April 2023 titled “Post Incident Review”  4 April 2023
16  Report from Deloitte dated 10 May 2023 titled “Root Cause Analysis”  10 May 2023
17  Report from Deloitte dated 23 June 2023 titled “External Review - APRA Prudential Standard CPS 234”  23 June 2023