Ezel / AG Opinions / AR
AR Opinion No. 2023-027 2023-05-25

Can an Arkansas school board hold a closed meeting to discuss responding to a ransomware attack?

Short answer: No. The Arkansas FOIA permits executive sessions only in four narrow categories (certain personnel matters, state licensing exam preparation, water-utility security, and child-maltreatment investigation procedures). Cybersecurity for school districts is not on that list. Recording the session and releasing it after the emergency does not create a legal pathway. Boards can email cyber-security proposals (information only, no discussion) and refer to exempt records by name without disclosing their substance during the public meeting.
Disclaimer: This is an official Arkansas Attorney General opinion. AG opinions are persuasive authority but not binding precedent. This summary is for informational purposes only and is not legal advice. Consult a licensed Arkansas attorney for advice on your specific situation.

Plain-English summary

The Little Rock School District suffered a ransomware attack in which attackers obtained sensitive employee, patron, and student information (including FERPA-protected records). LRSD's incident-response consultant warned that public discussion of the response would increase risk. State Senator Clarke Tucker asked whether the school board could hold a closed meeting to discuss its response, and whether recording the closed meeting for later release would solve the problem.

The AG said no, and no. Arkansas FOIA requires school board meetings to be open. The statute permits executive sessions in only four narrow categories:
1. Certain personnel matters.
2. Preparing and administering a state licensing exam.
3. Security of public water systems or municipally owned utility systems.
4. Child-maltreatment investigation procedures.

Cybersecurity for school districts is not on that list. The Arkansas Supreme Court has held that exceptions to open-meetings requirements must be explicit; courts will not infer one. Recording the closed session for later public release does not create a new exception either.

Two practical workarounds the AG identified. The opinion is not just a denial. The AG pointed to two ways school boards can protect cyber-security information while still complying with the open-meetings rule:

  1. Email distribution before the meeting. The Arkansas Supreme Court has held that emails among board members do not constitute a "meeting" under FOIA if they (a) distribute information only, (b) do not solicit a response, and (c) are not used to discuss matters or arrive at decisions. So a security consultant can send proposals to board members by email before the public meeting. But the board members themselves must not use email to discuss or decide anything; that crosses into a serial meeting that violates FOIA.

  2. Reference exempt records without reading them aloud. A separate FOIA records exemption (A.C.A. § 6-15-1304) shields school emergency and security plans, school safety plans, risk assessments, security personnel information, and similar records. The exemption survives a public meeting; the board can refer to "Plan A" or "Section 3 of the consultant's report" without disclosing the contents in the public record.

The records exemption explained. A.C.A. § 6-15-1304 exempts from disclosure all records related to "emergency and security plans, school safety plans, procedures, risk assessments, studies, measures, [and] systems," as well as the number of and personal information for any "security personnel." The AG concluded these expansive terms include cybersecurity records. So the substance of cyber-security plans is protected from FOIA disclosure even though meeting discussions about those plans must happen in public.

The deeper takeaway: Arkansas treats school board open-meeting requirements very strictly. Boards facing a cyber-incident need to use the email-distribution and exempt-records pathways instead of hoping for a closed session. If the General Assembly wants to add a cyber-security executive-session category, that requires a statute, not a workaround.

What this means for you

School board members responding to a cyber-incident

Plan around the open-meetings rule, not against it. Workflow that complies:

  1. The IT director or hired consultant emails board members the response options. Subject line: "FOR INFORMATION ONLY, do not reply." The email distributes information; board members do not respond, do not "reply all" with reactions, and do not use email to debate the options.
  2. At the public meeting, the board takes up the question on the agenda. Members refer to the consultant's report and the response options by section number or letter, not by reading the substance into the record. Members can ask questions of the consultant in general terms ("Does Option B reduce exposure? In what time frame?").
  3. The board votes on a course of action without the underlying technical detail being read into the public record.

This works because (a) the records remain exempt under § 6-15-1304, (b) the discussion is in public per FOIA, and (c) the substance of the cyber-security plan is not actually broadcast.

If you cannot avoid disclosing some technical detail to deliberate effectively, prioritize: discuss the high-level direction in public, and have the actual technical implementation handled by staff and the consultant under contract without further board deliberation.

School district attorneys

Advise the board against any closed session for cyber-security regardless of how it is structured. The AG explicitly rejected closed sessions even with later recording. Any post-hoc challenge to a closed cyber-security session will likely succeed under Laman v. McCord and the strict-construction rule.

The legal pathway is the email-distribution rule from the 2019 Arkansas Supreme Court case the AG cited (without naming, but referenced by 2019 Ark. 222, 8–9). Set up board members for compliance:
- Train members never to "reply all" to information-only emails.
- Train members never to use email or text to discuss substantive matters.
- Document that the email is information-only.

Superintendents and IT security officers

The cyber-security records themselves are exempt from FOIA disclosure under § 6-15-1304. So the technical plan, the consultant report, the risk assessment, and the response procedures can be kept confidential. The constraint is only on the meeting format, not on the records.

When you brief the board, prepare a public-meeting version (high-level options, decisions to be made, time frames) and a technical version (kept confidential under § 6-15-1304). The board can vote on the public version and rely on the technical version through the contractual chain.

Municipal clerks and meeting administrators

Help boards with agendas and minutes that protect exempt content. Sample agenda language: "Cyber-Security Response: Authorization for Consultant Action Plan (records exempt under A.C.A. § 6-15-1304)." Minutes can record the vote and the general direction without restating the technical plan.

Journalists covering school board meetings

If a school board attempts a closed cyber-security session, FOIA strongly favors challenging it. The AG opinion squarely says no closed session is allowed. Pull the agenda; if executive session is invoked, ask which of the four statutory categories applies. Cyber-security is not one of them.

The records themselves may be exempt (§ 6-15-1304), so a FOIA request for the consultant report or response plan will likely be denied. But the meeting must be open; the deliberation is reportable.

Common questions

Why is school cyber-security treated differently from utility cyber-security?
The General Assembly enacted an executive-session exception for "the security of public water systems or municipally owned utility systems" in A.C.A. § 25-19-106(c). It did not enact a parallel exception for school districts. The legislative choice is binding regardless of whether it is consistent.

Can a school board be sued for holding an unlawful closed session?
Yes. Arkansas FOIA provides for civil enforcement, including injunctive relief and attorney fees in some cases. Decisions made in an unlawful closed session can be challenged.

What happens to the records of an unlawful closed session?
Records of any meeting (including unlawful closed ones) are subject to FOIA. The records may not become public if they fall under § 6-15-1304 or another exemption, but the failure to hold the meeting in public is a separate violation.

Can the school board create a security committee that meets behind closed doors?
A subordinate committee or advisory body of a public entity is generally also subject to FOIA's open-meetings requirement. Hiring an outside consultant who reports privately to the superintendent is different (the consultant is not the board), but a board-appointed committee that holds deliberative meetings is likely covered.

Can the legislature add a cyber-security executive-session exception?
Yes. The path is a statutory amendment to A.C.A. § 25-19-106(c) adding cyber-security for school districts to the list of permissible executive-session topics. The General Assembly has not done this as of the date of this opinion.

Does the opinion apply to other public entities (cities, counties)?
The reasoning applies to all entities subject to FOIA's open-meetings rule. Cyber-security discussions are not on the executive-session list for any of them. Cities and counties similarly need to use the email-information and records-exemption workarounds.

Background and statutory framework

Arkansas's open-meetings rule (A.C.A. § 25-19-106) makes school board meetings public unless they fall into one of four narrow executive-session categories. The Arkansas Supreme Court has held that these exceptions must be explicit and cannot be inferred (Laman v. McCord, 245 Ark. 401, 1968).

Separately, the Arkansas FOIA records exemption (A.C.A. § 6-15-1304) protects:
- (1) records related to emergency and security plans, school safety plans, procedures, risk assessments, studies, measures, and systems
- (2) the number of and personal information for security personnel

The AG concluded these terms include cybersecurity records, so the substance of cyber-security plans does not lose its exempt status by being discussed in a public meeting. The exemption travels with the record.

The Arkansas Supreme Court's 2019 decision (cited in the opinion as 2019 Ark. 222) held that emails among board members can constitute a "meeting" under FOIA if used to discuss substantive matters. Conversely, email that distributes information only (no response solicited, no discussion, no decision) is not a meeting.

A separate AG opinion, 2020-044, held that A.C.A. § 6-15-1304 (the records exemption) does not by itself create an executive-session exception. The exemption applies to the records, not to the meeting format.

Citations

  • A.C.A. § 25-19-106(c) (executive-session categories)
  • A.C.A. § 6-15-1304 (school emergency and security records exemption)
  • 20 U.S.C. § 1232g (FERPA)
  • Laman v. McCord, 245 Ark. 401, 432 S.W.2d 753 (1968) (open-meetings exceptions must be explicit)
  • 2019 Ark. 222, 578 S.W.3d 276 (email distribution among board members)
  • Ark. Att'y Gen. Op. 2020-044 (records exemption is not an executive-session exception)

Source

Original opinion text

Opinion No. 2023-027
May 25, 2023
The Honorable Clarke Tucker
State Senator
Post Office Box 7268
Little Rock, Arkansas 72217

Dear Senator Tucker:

You requested my opinion regarding the open-meetings requirement in the Arkansas Freedom of Information Act (FOIA). As background for your request, you explain that the Little Rock School District (LRSD) recently was the victim of a cyberattack in which the attackers accessed files "containing information about LRSD employees and patrons, including dates of birth, social security numbers, personal addresses, medical information, and personal banking information." The attackers also obtained "student records, including FERPA protected information." You report that the "release of this information would have put those individuals at risk of having their personal information compromised" and that the cyberattack adversely impacted LRSD's ability to educate its students and maintain its finances in several ways. A consultant hired by LRSD to guide the response to the attack "advised LRSD that public disclosure of information related to the attack would greatly increase the risk the of disclosure of personal information about LRSD's patrons and employees, as well as increase the risk to their ability to maintain normal operations."

You report that "LRSD is working diligently to be better protected the next time threat actors attempt a ransomware attack" and would like my opinion on "the steps a school board may take to minimize the risk to employees and patrons, to deal effectively with the threat actors, and to restore normal operations as quickly as possible." You have asked three questions, which I have combined into the following two:

Question 1: Since there is significant risk regarding the disclosure of sensitive information during a public meeting discussing how to respond to a cyberattack, can a school board meet privately or in executive session to discuss how best to respond to threat actors in a situation of this nature?

Question 2: Would the meeting described in the above question be allowed if the school board recorded the meeting for viewing by the public as soon as the emergency caused by the cyberattack was over?

RESPONSE

The answer to both questions is "no." The FOIA does not allow executive sessions to discuss cyber-security for school districts under any circumstance.

DISCUSSION

The FOIA requires a meeting to be open to the public when three elements are met: (1) the entity holding the meeting is subject to the FOIA; (2) the meeting itself is a "public meeting" under the FOIA; and (3) no exceptions allow the meeting to be closed to the public. As to the first and second elements, all school districts are entities subject to the FOIA, and all their meetings "shall be public meetings."

As to the third element, the FOIA allows only the following four kinds of meetings to be held in executive session: (1) meetings regarding certain personnel matters; (2) meetings to prepare and administer a state licensing exam; (3) meetings regarding the security of public water systems or municipally owned utility systems; and (4) meetings regarding child maltreatment investigation procedures. But the General Assembly has not created an exception, either in the FOIA or another statute, to the open-meetings requirement for discussing the cyber-security of school districts. Exceptions to the open-meetings requirement must be explicit and cannot be inferred.

Although there is no exception allowing school boards to meet in executive sessions to discuss cyber-security, the General Assembly has created a FOIA exemption for certain school records related to cyber-security. This exemption, codified at A.C.A. § 6-15-1304, shields from disclosure all records related to "emergency and security plans, school safety plans, procedures, risk assessments, studies, measures, [and] systems[,]" as well as the number of and personal information for any "security personnel." In my opinion, these expansive terms include records related to cyber-security.

Question 1: Since there is significant risk regarding the disclosure of sensitive information during a public meeting discussing how to respond to a cyberattack, can a school board meet privately or in executive session to discuss how best to respond to threat actors in a situation of this nature?

No. As noted above, a school board cannot hold an executive session to discuss cyber-security for the school district. But there are two ways for school boards to minimize the disclosure of cyber-security information contained in exempt public records used during a public meeting.

First, the information could be emailed to board members. The Arkansas Supreme Court has explained that some emails among board members do not violate the open-meetings requirement of the FOIA. An email among board members is not considered a meeting if the emails: (1) distribute information only, (2) do not solicit a response, and (3) are not used to discuss matters or arrive at decisions. Under this framework, before a public meeting, security consultants can email their proposals to school boards regarding how to respond to cyberattacks. But the board members must not use email to discuss the proposals or reach any decisions.

Second, once the public meeting has started, board members can refer to the proposals they previously reviewed without disclosing the full content of the proposals. A record that is exempt from disclosure does not lose that status just because it is used in a public meeting. So any records or information covered by A.C.A. § 6-15-1304 are still exempt from disclosure if a school board discusses the record or information during a public meeting.

Question 2: Would the meeting described in the above question be allowed if the school board recorded the meeting for viewing by the public as soon as the emergency caused by the cyberattack was over?

No. There is no exception for a school board to hold an executive session to discuss security for the school district, even if that session is recorded and released to the public after the emergency is over.

Assistant Attorney General Jodie Keener prepared this opinion, which I hereby approve.

Sincerely,

TIM GRIFFIN
Attorney General