From www.claytonutz.com: Justice Rofe’s decision in McClure v Medibank Private Limited ruled that Medibank could not claim legal professional privilege over Deloitte Reports related to a 2022 ransomware attack because their primary purposes were operational and public relations rather than legal advice.

The court found that communications regarding the breach involved significant engagement with regulatory bodies like APRA, which contradicted the assertion of privilege.

This case highlights the need for companies to implement strategic protocols for maintaining legal privilege during cyber incidents and the importance of legal oversight in communications and report commissioning.