May members of the NC Information Resources Management Commission (and their delegates) attend closed-session committee meetings where the State Auditor reports detailed IT security audit findings about specific State agencies, without waiving the statutory confidentiality of those findings?
Plain-English summary
The Information Resources Management Commission (IRMC) sits at the top of NC's IT security framework. It approves the State's IT security standards under § 147-33.82(e). Its Information Protection and Privacy Committee (IPPC), chaired in 2002 by Lt. Governor Beverly Perdue, deals with the day-to-day rule and policy work. The State Auditor, under § 147-64.6(c)(18), is empowered to assess agency IT security practices (including by simulating intrusions) and to share detailed findings with agencies even though the general public only gets a summary.
The IPPC's November 13, 2002 meeting was going to include a State Auditor briefing on audits of specific agencies' IT security. The Lt. Governor asked the AG three questions:
1. Can IRMC members whose own agencies were not audited be in the closed session?
Yes. The AG held that all IRMC and IPPC members and their delegates are "representatives of a State agency" within § 147-64.6(c)(18). The Auditor may share detailed reports with State agencies; the IRMC and the IPPC are themselves State agencies under § 147-64.4(4); and the members serve the agency's mission of approving the State's IT security standards. The presence of representatives of other agencies in the closed session does not waive § 132-6.1(c) confidentiality, because each representative is bound to use the information consistent with the statutory determination that security details should not be made public.
2. Can designated subordinates of ex officio IRMC members participate in the closed session?
Yes. Article XI, Section 4 of the IRMC bylaws lets approved delegates of members vote, and the AG's prior 1986 opinion to Insurance Commissioner James E. Long (55 N.C.A.G. 116) recognized that subordinates may stand in for ex officio members in the agency's full activities. That includes closed sessions and voting. Delegates inherit the same confidentiality obligations as their members.
3. May volunteer IPPC committee members (non-IRMC members and non-delegates) attend?
No. Volunteers are not "representatives of a State agency" within § 147-64.6(c)(18). Including them in the closed-session briefing would risk breaking statutory confidentiality. To preserve the confidential status of the IT security information, the volunteers must not be present and must not be given the audit details. The committee should hold the closed session without them.
Currency note
This opinion was issued in 2002. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here. The State CIO function and the IRMC structure have been reorganized multiple times since 2002 (the modern Department of Information Technology was created in 2015, and the IRMC's role has been substantially restructured). Both § 132-6.1(c) and § 147-64.6 have been amended. Any current question about closed-session attendance for IT security audit briefings should be resolved by reference to current statutes and current DIT/State Auditor practice.
Background and statutory framework
Why detailed IT security audits get confidential treatment. Sharing the specific vulnerabilities an auditor found at an agency would help an attacker more than it would help anyone else. § 132-6.1(c) and § 147-64.6(c)(18) carve out a narrow confidentiality exception for the detailed report, while keeping high-level summaries public. The public still gets accountability via the summary; the agency gets actionable remediation guidance via the detailed report.
Who counts as a "State agency." § 147-64.4(4) defines State agency broadly, and the AG confirmed that the IRMC and its IPPC fall within that definition. That triggers § 147-64.6(c)(18)'s permission for the Auditor to share detailed audit results with their representatives.
Why presence of multiple State-agency representatives does not waive confidentiality. The statute is targeted at protecting the security details from public disclosure, not from disclosure between government employees with a legitimate need to know. Each State agency representative who hears the briefing remains bound to maintain confidentiality under § 132-6.1(c) and risks individual consequences for unauthorized further disclosure. The shared-knowledge cohort is what the legislature contemplated when it gave the IRMC authority over statewide IT security standards.
Volunteer members as the cutoff. The IPPC routinely uses volunteer subject-matter experts (academic, private-sector, or community) for non-confidential policy work. Those volunteers are not employees of any agency and have no statutory protection within the audit-confidentiality scheme. Letting them sit in on the closed session would create a hard-to-rebut argument that the confidential information had been disclosed outside the statute, potentially blowing § 132-6.1(c) protection for the audit findings going forward.
Ex officio delegation. Many IRMC members hold their seats by virtue of their office (the State CIO, the State Auditor, the Lt. Governor, etc.). The 1986 opinion to Commissioner Long recognized that designated subordinates can act for ex officio members in the agency's full activities. The IRMC bylaws codify the same rule. Delegates step into the member's shoes for participation and confidentiality purposes.
Common questions
Q: Can the IRMC always meet in closed session about IT security audits, or only sometimes?
A: The IRMC may meet in closed session when the discussion topic is itself a covered audit report (under § 132-6.1(c)) or other statutorily confidential matter. The Open Meetings Law generally requires open meetings, with closed-session topics carefully defined. When the meeting moves to the Auditor's detailed briefing, the body should formally enter closed session and limit attendance to authorized State agency representatives.
Q: What happens if a volunteer member accidentally sees the confidential audit data?
A: The volunteer has no authorization to receive it, so distributing or using it could trigger consequences for the State employees who allowed disclosure. The State Auditor's office and the agency that was audited would need to assess whether the breach undermined the protection going forward. The cleanest approach is the one the AG recommended: do not include volunteers in the closed session.
Q: Can a delegate attend without prior approval?
A: No. The IRMC bylaws require delegates to be approved by the appointing member. The AG specifically noted that the subordinate may participate if the proper delegation procedures have been followed. Improperly designated subordinates have no participation right.
Q: Does this opinion let the IRMC discuss agency vulnerabilities outside the closed session?
A: No. The opinion concerns presence at the closed session and the effect on confidentiality. It does not authorize broader disclosure. Each representative remains bound by the statutes to keep specific security details confidential.
Citations
Statutes:
- N.C.G.S. § 132-6.1(c) (confidentiality of detailed IT security audit reports)
- N.C.G.S. § 147-33.82 (IRMC IT security standards authority)
- N.C.G.S. § 147-33.82(d)(1), (2) (agency-adopted standards)
- N.C.G.S. § 147-33.82(e) (IRMC approval of standards)
- N.C.G.S. § 147-64.4(4) (definition of "State agency")
- N.C.G.S. § 147-64.6(c)(18) (State Auditor IT security audit authority and confidential reports)
Prior AG opinions:
- 55 N.C.A.G. 116 (1986) (Opinion to Hon. James E. Long, Commissioner of Insurance) (ex officio members may delegate to subordinates)
Source
Original opinion text
November 8, 2002
The Honorable Beverly Eaves Perdue
Lieutenant Governor
State of North Carolina
20401 Mail Service Center
Raleigh, N.C. 27699-0401
VIA FACSIMILE (733-6595)
Re: Advisory Opinion; Confidentiality of Information to be Presented at the November 13, 2002, Meeting of the Information Protection and Privacy Committee of the Information Resources Management Commission ("IRMC"); G.S. §§ 132-6.1(c), 147-33.82, & 147-64.6
Dear Lieutenant Governor Perdue:
As Chair of the Information Protection and Privacy Committee ("IPPC") of the Information Resources Management Commission, you have requested advice from this office on whether members of the IRMC who represent agencies that have not been audited by the State Auditor pursuant to G.S. §147-64.6(c)(18) may be present at a meeting at which the results of the audit of other agencies are reported. In addition, you ask whether the confidentiality of the audited agency's information technology security features will be waived by the presence of representatives of other agencies or of volunteer committee members who are not IRMC members or their delegates.
The IRMC is responsible for approving the "standards for the State's information technology security," and any revisions to those standards. G.S. §147-33.82(e). As set forth below, G.S. §147-64.6(c)(18) permits the Auditor to disclose to a State agency more detailed reports of audits of security practices of information technology systems than are provided to the general public. The IRMC and the IPPC both fall within the definition of a State agency as defined by G.S. §147-64.4(4). The information provided by the Auditor will assist the members of the IRMC and the IPPC in the performance of their duties.
The Auditor shall, after consultation and in coordination with the State Chief Information Officer, assess, confirm, and report on the security practices of information technology systems. If an agency has adopted standards pursuant to G.S. 147-33.82(d)(1) or (2), the audit shall be in accordance with those standards.
The Auditor's assessment of information security practices shall include an assessment of network vulnerability. The Auditor may conduct network penetration or any similar procedure as the Auditor may deem necessary. The Auditor may investigate reported information technology security breaches, cyber attacks, and cyber fraud in State government. The Auditor shall issue public reports on the general results of the reviews undertaken pursuant to this subdivision but may provide agencies with detailed reports of the security issues identified pursuant to this subdivision which shall not be disclosed as provided in G.S. 132-6.1(c).
The IRMC or its committees may go into closed session in order to receive and discuss reports from the Auditor covered by G.S. §§132-6.1(c) and 147-64.6(c)(18). It is our opinion that members of the IRMC, or their delegates, who are representatives of other agencies may be present at the committee meeting during which information will be reported about audits of the security practices of information technology systems in specific agencies. The presence of these representatives does not waive the confidentiality of the security features of the systems under G.S. § 132-6.1(c). Of course, each representative must act consistently with the legislative determination embodied in the statutes that details of security features of agency information technology systems should not be disclosed to the general public.
You have also asked for confirmation on whether designated subordinates of ex officio members of the IRMC may participate in closed sessions of the IRMC or its committees and whether a designated subordinate is covered by the same confidentiality laws as the member that they represent. Article XI, Section 4, of the IRMC bylaws provides that "[o]nly members of the IRMC and approved delegates for members may vote." If the procedures for delegation of duties have been followed, then the designated subordinate of an ex officio member may participate in the full activities of the IRMC and its committees. See opinion of Attorney General to The Honorable James E. Long, Commissioner of Insurance, 55 N.C.A.G. 116 (1986). This includes the right to vote and to participate in closed sessions.
It is important to note that none of these provisions apply to volunteer IPPC members. A volunteer member is not an official member of the IRMC or an official delegate of an IRMC member. Therefore, volunteers are not representatives of a State agency as contemplated in G.S. §147-64.6(c)(18). In order to maintain the confidential status of the information technology security information, it should not be presented to the volunteers. Consequently, they should not attend the closed meeting in question.
Please let us know if you have any further questions about this matter.
Sincerely,
Ann Reed
Senior Deputy Attorney General
Susan K. Nichols
Special Deputy Attorney General
V. Lori Fuller
Assistant Attorney General
cc: George Bakolia, State Chief Information Officer
Ralph Campbell, State Auditor
Woody Yates, Executive Director, IRMC