Alexander Koskey, Madison McMahan, and Matthew White of Baker Donelson write:
A recent decision from the Federal Court of Australia in McClure v. Medibank Private Limited [2025] FCA 167 underscores just how easily privilege can be lost. While McClure was decided under Australian law, the court’s reasoning closely aligns with a series of U.S. cases that have steadily narrowed protections for forensic reports in recent years. The key takeaway from these decisions is clear: privilege doesn’t only depend on who commissioned the report – it hinges on why it was created, how it was used, and who saw it.
Forensic reports often reveal detailed technical findings and expose security vulnerabilities that could significantly influence the outcome of litigation. Protecting these reports under the attorney-client privilege or the work product doctrine isn’t just a best practice – it’s a critical step in managing legal risk after a breach. Left unprotected, a forensic report can serve as a roadmap for plaintiffs, outlining the very vulnerabilities and response gaps they’ll use to build their claims.
McClure v. Medibank
The case stems from a 2022 data breach that impacted millions of Medibank customers and prompted a class action lawsuit alleging failures in cybersecurity safeguards. As part of discovery, plaintiffs sought a range of materials prepared in response to the breach, including forensic reports from Deloitte and other third-party vendors. Medibank resisted production, claiming that the reports were protected by privilege because they were created to support litigation strategy and enable legal advice.
The court agreed in part, upholding privilege over reports commissioned by counsel for threat actor negotiations and legal strategy. However, it ordered the production of three Deloitte reports, finding that they were created for multiple purposes and that obtaining legal advice was not the dominant one.
The court’s analysis focused on several critical facts:
- Public positioning: In press releases and ASX announcements, Medibank described Deloitte’s role as being related to customer protection, governance, and transparency – not legal advice.
- Regulatory messaging: Medibank told regulators that Deloitte was engaged to avoid a separate investigation by the Australian Prudential Regulation Authority (APRA), further supporting a nonlegal purpose.
- Board reporting: Deloitte reported directly to Medibank’s board and executive team, not to external counsel, which suggested the work was for operational oversight rather than legal strategy.
- Public Statements: Medibank publicly referenced and implemented Deloitte’s recommendations, which the court said undercut any claim of confidentiality and waived privilege.
Ultimately, the court concluded that while legal advice was a purpose of the reports, it was not the dominant one required to sustain privilege. An appeal of this decision is likely.
Read more at JDSupra.