From hallandwilcox.com.au: The Federal Court ruled in McClure v Medibank that some reports related to the 2022 cyber attack were protected by legal professional privilege, marking the first instance of such privilege applying to reports produced following a cyber incident in Australia.

However, the court determined that Deloitte’s reports were not privileged since they served other dominant purposes beyond legal advice, including public relations and compliance with regulatory obligations.

The ruling underscores the importance for businesses to ensure that the primary purpose of reports following a cyber breach is to obtain legal advice to claim privilege effectively.