Clients have a tendency to assume that any work done by lawyers is privileged.
The recent decision in Medibank Private Limited v McClure [2026] FCAFC 38 (20 March 2026) emphasises that whether privilege attaches to work done will depend on the dominant purpose of the lawyers’ involvement.
In 2022, Medibank was the target of a cyber-attack in which customer data was accessed and extracted. Medibank’s response involved internal teams, external legal advisers and various technical and communications consultants, and was legal, technical, regulatory, operational and reputational simultaneously.
Subsequently, Medibank received ransom demands for the return of the data. An external solicitor was engaged to advise on potential class actions, dealing with regulators and similar issues; Medibank made public announcements in relation to its response, committing itself to transparency and to sharing what it learned during its response to the attack.
The attack gave rise to a class action with the applicants seeking the production of various reports – an application which Medibank resisted on the basis that the reports would reveal communications with lawyers which were for the dominant purpose of obtaining legal advice and legal services or were in anticipation of litigation.
Medibank was unsuccessful in resisting the application to produce, both at first instance and on appeal. In short compass, the reason for this was that the dominant purpose of the work done was found not to be legal services or advice. Instead, both courts regarded the work as part of a broad institutional response to the cyber-attack, which had more than one purpose. The courts accepted that having more than one purpose does not of itself nullify privilege, but that in this case the dominant purpose was not the provision of legal services or advice.
While the decision is not ground-breaking in terms of the law, it is important and instructive in the context of a response to a cyber-attack. Such attacks are now part of the business landscape, and lawyers will almost always be part of any effective response. Clients need to be made aware that legal work done in the course of responding to a cyber-attack may not attract privilege, and lawyers involved need to turn their minds to this issue. Given that these incidents are always high-pressure, time-poor situations, covering this with clients before any attack occurs, rather than on the fly afterwards, is recommended.
Finally, the court in this matter made comments that indicate arguments over privilege in these circumstances might be better resolved without resorting to the courts.
Specifically, the court noted (at 120):
It is appropriate to say something briefly about the course this matter has taken. The application before the primary judge occupied no less than three days of court time, generated a very lengthy judgment, and was followed by a substantial application book and around 100 pages of densely typed written submissions accompanied by very extensive lists of authorities. The present application, in turn, has been argued over two days, with six counsel appearing and large teams of solicitors engaged on both sides. The issues concerning legal professional privilege are undoubtedly important, both for the parties and more generally. But the principles are well-known and firmly established. The scale of the resources deployed in resolving this issue over three documents, at both first instance and on this application, invites reflection as to whether such questions might more often be determined in a way that is more proportionate in cost and expedition, consistently with the overarching purpose reflected in Pt VB of the Federal Court of Australia Act 1976 (Cth).
Prudent practitioners will give both this decision, and these comments, due consideration.

