Optus general counsel evidence ‘vague’ on cyber attack details, court finds

As such, the Deloitte report will now be handed over to applicants in a class action, made up of some of the millions of Optus customers who had their personal details made public as a result of the attack.

In his judgment, Justice Beach was critical of evidence from Optus general counsel and company secretary Nicholes Kusalic, who reportedly had “almost immediately” formed the view a confidential forensic investigation would be needed to determine the root cause.

In addition to evidence of the scope of Ashurst’s engagement to provide legal advice and the terms of a Deloitte engagement letter, Optus submitted to the court that it relied on Mr Kusalic’s evidence in support of keeping the Deloitte report confidential.

Mr Kusalic assisted in engaging law firm Ashurst, which then engaged Deloitte to conduct the independent investigation.

“An external forensic investigation into the cyber attack would assist me, my team, Ashurst and the counsel retained by it in providing advice on a number of legal and litigation risks arising out of the cyber attack,” Mr Kusalic said in evidence to the Federal Court.

The judgment set out Mr Kusalic was concerned Deloitte was engaged with Ashurst and that he considered it “highly desirable” an external third party carried out the investigation “as he was not sure of the capacity within Optus” to do so itself.

“Now, I should say here, Mr Kusalic’s evidence was all very well, but there were various problematic aspects,” Justice Beach found.

VIEW ALL

One of the major issues was that none of it “sat well” with a media release issued by Optus on 3 October 2022.

In it, quotes were attributed to chief executive Kelly Bayer Rosmarin and had been “carefully drafted” to reflect Optus’ message that the Deloitte report would play a “crucial role in the response to the incident” for customers and it was “determined to find out what went wrong”.

Further, Ms Bayer Rosmarin was quoted as saying: “This review will help ensure we understand how it occurred and how we can expect it from occurring again. It will help inform the response to the incident.”

“This all suggests that the dominant purpose was not a legally privileged purpose,” Justice Beach found.

His opinion was further reinforced by a “marketing document” published on the Optus website in October 2022 explaining it had commissioned an independent review and was “committed to learning, doing better in the future, and sharing lessons”.

“This is hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose,” he found.

Justice Beach was also concerned with Mr Kusalic’s evidence relating to draft and signed board resolutions on 9 and 11 October, respectively, noting it was “not fully consistent” with Optus’ case.

For one thing, the signed circular resolution on 11 October said Deloitte has “commenced aspects of its review”, which meant well before the letter of retainer on 21 October, Deloitte had begun with no direct evidence of it done so under the auspice of Ashurst.

“Clearly, endeavours to cloak the Deloitte review with legal professional privilege were more to the fore in late October 2022 than they were at the start of the month,” Justice Beach said.

Moreover, Justice Beach said that had the dominant purpose been legal professional privilege, Mr Kusalic’s 9 and 11 October resolutions would not have been expressed in the terms they had been.

“Indeed, it is difficult to see how the CEO could have made the statements she did [in the media release] if everyone was singing from the same hymn book as to the dominant legal purpose.

“To some degree, this is speculation, but I have an uncomfortable sense that important aspects of Mr Kusalic’s affidavit concerning the time frame prior to mid-October 2022 has involved an element of reconstruction,” Justice Beach noted in his judgment.

In much of Mr Kusalic’s evidence, Justice Beach found “he was decidedly and no doubt self-advisedly vague”.

Specifically, in his affidavit, Mr Kusalic said “Deloitte has been proposed”, but he failed to include details “as to whom and when”.

He also refers to “how we could best utilise Deloitte’s expertise to assist me and Ashurst”, but Justice Beach said it was clear from the evidence this was “only one of the purposes and functions”.

Relating to Mr Kusalic’s communications with members of the senior management team at Optus, Justice Beach said it was unclear “who precisely had proposed Deloitte and when”.

“Moreover, phrases such as ‘we recommended’ were pregnant with imprecision. In my view, the quality of the evidence given by Mr Kusalic as to these conversations was superficial,” he said.

Another issue was Optus’ failure to provide evidence from Ms Bayer Rosmarin and other board members.

“Clearly, the states of mind of the CEO and board members are, on the evidence, highly relevant, although, of course, they were communicating with Mr Kusalic. Moreover, Mr Kusalic, in his affidavit … identifies other relevant states of mind of non-lawyers.

“Whilst, of course, I have considered Mr Kusalic as being one of the relevant minds, nevertheless, on the totality of the evidence, his state of mind and conduct is only part of the analysis.

“Further, I am fortified in my analysis by the vagueness in how Mr Kusalic expressed himself in his evidence,” Justice Beach said.

This article was originally published on Cyber Daily’s sister brand, Lawyers Weekly.