Clifford Chance

Cyber

Talking Tech

Beyond the Firewall: Legal Privilege in Cybersecurity Investigations

Cyber Security 30 April 2025

The Australian Federal Court recently handed down its ruling in the Medibank case. Set in the context of third-party forensic reports commissioned post-cyber-attack, the case highlights important lessons on legal privilege and the potential impact on companies' litigation strategies. This article looks at the case and what protections companies should take when commissioning an investigative report following a cyber incident.

Australia

In the cyber-age, companies are acutely aware of the harm that can be caused by a cyber-attack. Aside from the initial damage caused by virtue of the cyber incident itself, a company that falls victim to an attack could potentially face extensive follow-on litigation, consumer class actions and/or regulatory investigations.

Earlier this month, the Federal Court of Australia drew attention to a further risk facing companies that find themselves in this position, when it determined that third-party forensic or technical investigation reports prepared in the wake of a cyber-attack may not be protected by legal professional privilege. The case of McClure v Medibank Private Limited [2025] FCA 167 is the latest in a string of Federal Court decisions (see also: Robertson v Singtel Optus Pty Ltd [2023] FCA 1392 and Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58) centring on the challenges associated with establishing privilege over such third-party reports.

In 2022, Medibank fell victim to a cyber-attack, which resulted in a major data breach. After the event, Medibank commissioned third-party forensic and technical reports from Deloitte, CrowdStrike and Threat Intelligence, which included post-incident reviews, a root cause analysis, investigations into the activities of the threat actor and technical cyber security assistance.

In a subsequent consumer class action against Medibank, the applicants requested production of these reports, together with Medibank's communications with CyberCX, Coveware and its external legal advisors. Medibank claimed that all reports and relevant communications were protected by legal professional privilege, and so were not subject to disclosure. Medibank maintained that the reports were created for the dominant purpose of obtaining legal advice in relation to litigation resulting from the cyber-attack.

The Court found that three expert reports authored by Deloitte (consisting of: a root cause analysis; a post-incident review; and a report on compliance) were not privileged. The Court's findings were clear: for legal professional privilege to apply to technical or forensic reports, the provision of legal advice must be the dominant purpose for which the reports are commissioned. It cannot be the case, as the Court found here, that reports prepared for purposes at least equally dominant (such as assuaging market or consumer concerns following a cyber-attack, or seeking to avoid regulatory review) are protected by privilege. As a further learning point, the Court also found that even if privilege had applied to the Deloitte documents, Medibank's public announcements of the Deloitte review would have amounted to a waiver of any privilege that had existed.

In contrast, the Court found that reports prepared by CrowdStrike and Threat Intelligence, and communications with CyberCX and Coveware were protected by legal privilege given that they were prepared for the dominant purpose of the provision of legal advice.

Key Takeaway

This case provides an important warning for companies commissioning an investigative report following a cyber incident: carefully consider the purpose of the report and, if a report is likely to cover multiple purposes, there is a risk that the report may not benefit from legal professional privilege protections if the dominant purpose is not the provision of legal advice.

England and Wales

Whilst the Medibank case is not binding on the Courts of England and Wales, the lessons from that case provide useful guidance to companies in England and Wales when engaging third-party experts in internal investigations.

The principle of litigation privilege is well established in England and Wales. For litigation privilege to apply, the material must be a confidential communication between a client and lawyer, or between either of them and a third party (or be a document created by or on behalf of them). Crucially, the document or communication must have been created for the dominant purpose of litigation, which exists or is in reasonable prospect.

There is extensive case law (see, for example, the Court of Appeal in United States of America v Philip Morris Inc and others [2004] EWCA Civ 330) on the definition of 'reasonable prospect', but it is generally accepted that a "mere possibility" of litigation will not suffice, although the prospect of litigation need not be greater than a 50% chance. This protects technical or forensic expert reports prepared in the context of litigation, for example a consumer action brought in the wake of a cyber-attack.

However, the increasing frequency of cyber-attacks means that, as seen in the Medibank decision, companies may wish to engage in internal fact-finding exercises following a cyber incident, to understand the cause of attacks and assist with prevention in future. Whether communications made in the context of an internal investigation will be protected by privilege is highly fact dependent.

Litigation privilege is unlikely to apply to purely internal investigations. For technical or forensic reports to be protected by litigation privilege, there must be a real likelihood of adversarial proceedings.

Even then, as in Australia, it needs to be demonstrated that the documents were created for the dominant purpose of that litigation. Alternatively, if lawyers are advising, then legal advice privilege (applying to confidential communications between lawyer and client for the dominant purpose of giving/obtaining legal advice) may be engaged.

Key Takeaway

The practical advice for clients in England and Wales is much the same as in Australia: to maximise protection when commissioning internal fact-finding reports, ensure that investigations are led by lawyers and carefully consider the dominant purpose for which any report is being commissioned.