Don’t leave your business exposed when conducting cyber incident investigations

Medibank exposed

A recent decision of the Federal Court of Australia involving Medibank is a further reminder to businesses of the need to carefully structure and manage cyber incident investigations in order to attract and maintain the protection of legal professional privilege (LPP).  Failure to do so will mean that the results of the investigation can be accessed by third parties, including those pursuing legal claims against the business.  This may include findings which reveal cyber security failings which can be used against the business. 

Previous Optus exposure

In previous articles we highlighted this issue when Optus was required to produce reports setting out the outcome of its investigation of the major cyber breach it suffered in 2022 to the claimants in a class action against Optus.  We also noted that new laws providing limited protection to businesses when reporting on cyber incidents to regulators will not prevent third parties from accessing and using that material.

Why was Medibank exposed?

In the recent Medibank case the claimants in a class action against Medibank sought access to various cybersecurity investigation reports and related communications.  Medibank argued that they were protected from disclosure by LPP because they were prepared predominantly for the purpose of legal advice or anticipated legal action. The Court refused to uphold this claim over a significant portion of the documents.

In doing so, it highlighted that LPP may not apply or could be lost because:

  • the context in which the documents were created showed they were created for multiple purposes;
  • disclosure of the documents, including to regulators, was inconsistent with LPP.

How to avoid exposing the investigation

Key takeaways for businesses to ensure that the protection of LPP applies are:

  1. Involve your legal advisers/counsel from the beginning.

  2. Ensure that investigation documentation reflects the legal purpose of investigations from the outset.

  3. Engage third-party experts through lawyers, with clear engagement letters.

  4. Avoid statements about, or uses of, the investigation material which dilute the dominant legal purpose.

  5. Take care to ensure that public statements about investigations do not undermine that purpose.

  6. Ensure that there are clear and strict protocols to limit access to the documents.

  7. Ensure that any disclosures to regulators are in terms that preserve LPP.

  8. Share only necessary summaries or findings—not entire reports—where possible.

  9. Consider using confidentiality agreements or protocols with regulators.

  10. Ensure communications are conducted through legal advisers/counsel.