ASIC’s Cybersecurity and Privileged Documents Test Case

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2020] FCA 1277

Cybersecurity continues to be an area of focus for businesses and organizations. In June 2020, the federal government announced a $1.35 billion investment into protecting Australian businesses from foreign and domestic cybercrimes and cyber threats. Following this announcement, Prime Minister Scott Morrison emphasised the need for all Australians to remain aware and vigilant in mitigating the ongoing risks of cybersecurity.  

Sectors such as the financial services industry have been made particularly vulnerable to cybersecurity threats and breaches of personal and confidential information. This is exemplified by RI Advice Group Pty Ltd (RI) and an incident in April 2020 in which an external cyber agent breached the company’s confidentiality. The breaches saw this cyber agent gain hours of access to an employee’s computer, compromising the personal details of many of the company’s clients.

The Australian Securities and Investments Commission (ASIC) was quick to respond, commencing proceedings against RI with the goal of penalising the company for not taking appropriate action to mitigate the risks of such breaches. In September this year, the Federal Court of Australia made orders which brought two key insights into the spotlight:

  1. ASIC remains proactive in enforcing companies’ obligations to act diligently in preventing cybercrimes and cyber threats.

  2. ASIC can act on its power to request and receive privileged information from companies for the purposes of enforcing the abovementioned obligations.

Under section 33 of the Australian Securities and Investments Commission Act 2001 (Cth), ASIC has a wide-reaching power to give a company notice to produce documents relating to the “affairs” of the company. Non-compliance with this request may result in imprisonment of the responsible person/s to whom notice was provided, per section 63 of the same Act.

In the Federal Court case, RI argued that certain information requested by ASIC – a document named the Third File Review – was privileged pursuant to section 118 of the Evidence Act 1995 (Cth), which provides as follows:

118 Legal advice 

Evidence is not to be adduced if, on objection by a client, the court finds that adducing the evidence would result in disclosure of: 

a) a confidential communication made between the client and a lawyer; or 

b) a confidential communication made between 2 or more lawyers acting for the client; or 

c) the contents of a confidential document (whether delivered or not) prepared by the client, lawyer or another person; 

for the dominant purpose of the lawyer, or one or more of the lawyers, providing legal advice to the client. 

O’Callaghan J reasoned that whether the Third File Review was admissible as evidence in court was subject almost entirely to the Evidence Act and considerations of legal principles established in relevant case law. His Honour relied upon these principles:

  1. The court is entitled more readily to infer that the information a document contains is required for multiple purposes where there is no direct evidence of a dominant purpose.[1]

     a) This principle is especially relevant where a document requested contains legal advice from a lawyer or legal representative and there is dispute as to the document’s dominant purpose as such.

  2. A party claiming privilege must do so by admissible direct evidence, not hearsay.[2]

  3. A company’s claim for privilege would generally have to have been made or supported by evidence on oath.[3]

Overall, this case is an example of the power which ASIC wields in maintaining accountability throughout Australian business sectors in the face of increasing cyber threats. Given ASIC was successful in arguing the admissibility of “privileged” evidence provided by RI, there is potential for future companies and corporations to disclose similar information.

Companies should continue to comply with ASIC cybersecurity directions and relevant legislation to prevent the threats of cybercrime and the risks of legal liability. If your company requires advice on how best to maintain its required legal compliance, please contact our experienced team today.

This article was written by Kerry Copley 
