V. Lori Fuller
Elections Section Tel: (919) 716-6800 Fax: (919) 716-6755
November 8, 2002
The Honorable Beverly Eaves Perdue
State of North Carolina
VIA FACSIMILE (733-6595)
20401 Mail Service Center
Raleigh, N.C. 27699-0401
Re: Advisory Opinion; Confidentiality of Information to be Presented at the November 13,
2002, Meeting of the Information Protection and Privacy Committee of the Information
Resources Management Commission (“IRMC”); G.S. §§132-6.1(c), 147-33.82, & 147
Dear Lieutenant Governor Perdue:
As Chair of the Information Protection and Privacy Committee (“IPPC”) of the Information Resources Management Commission, you have requested advice from this office on whether members of the IRMC who represent agencies that have not been audited by the State Auditor pursuant to G.S. §147-64.6(c)(18) may be present at a meeting at which the results of the audit of other agencies are reported. In addition, you ask whether the confidentiality of the audited agency’s information technology security features will be waived by the presence of representatives of other agencies or of volunteer committee members who are not IRMC members or their delegates.
The IRMC is responsible for approving the “standards for the State’s information technology security,” and any revisions to those standards. G.S. §147-33.82(e). As set forth below, G.S. §147-64.6(c)(18) permits the Auditor to disclose to a State agency more detailed reports of audits of security practices of information technology systems than are provided to the general public. The IRMC and the IPPC both fall within the definition of a State agency as defined by G.S. §147-64.4(4). The information provided by the Auditor will assist the members of the IRMC and the IPPC in the performance of their duties.
The Auditor shall, after consultation and in coordination with the State Chief Information Officer, assess, confirm, and report on the security practices of information technology systems. If an agency has adopted standards pursuant to G.S. 147-33.82(d)(1) or (2), the audit shall be in accordance with those standards.
The Auditor’s assessment of information security practices shall include an assessment of network vulnerability. The Auditor may conduct network penetration or any similar procedure as the Auditor may deem necessary. The Auditor may investigate reported information technology security breaches, cyber attacks, and cyber fraud in State government. The Auditor shall issue public reports on the general results of the reviews undertaken pursuant to this subdivision but may provide agencies with detailed reports of the security issues identified pursuant to this subdivision which shall not be disclosed as provided in
The IRMC or its committees may go into closed session in order to receive and discuss reports from the Auditor covered by G.S. §§132-6.1(c) and 147-64.6(c)(18). It is our opinion that members of the IRMC, or their delegates, who are representatives of other agencies may be present at the committee meeting during which information will be reported about audits of the security practices of information technology systems in specific agencies. The presence of these representatives does not waive the confidentiality of the security features of the systems under G.S. § 132-6.1(c). Of course, each representative must act consistently with the legislative determination embodied in the statutes that details of security features of agency information technology systems should not be disclosed to the general public.
You have also asked for confirmation on whether designated subordinates of ex officio members of the IRMC may participate in closed sessions of the IRMC or its committees and whether a designated subordinate is covered by the same confidentiality laws as the member that they represent. Article XI, Section 4, of the IRMC bylaws provides that “[o]nly members of the IRMC and approved delegates for members may vote.” If the procedures for delegation of duties have been followed, then the designated subordinate of an ex officio member may participate in the full activities of the IRMC and its committees. See opinion of Attorney General to The Honorable James E. Long, Commissioner of Insurance, 55 N.C.A.G. 116 (1986). This includes the right to vote and to participate in closed sessions.
It is important to note that none of these provisions apply to volunteer IPPC members. A volunteer member is not an official member of the IRMC or an official delegate of an IRMC member. Therefore, volunteers are not representatives of a State agency as contemplated in G.S. §147-64.6(c)(18). In order to maintain the confidential status of the information technology security information, it should not be presented to the volunteers. Consequently, they should not attend the closed meeting in question.
Please let us know if you have any further questions about this matter.
Ann Reed Senior Deputy Attorney General
Susan K. Nichols Special Deputy Attorney General
V. Lori Fuller Assistant Attorney General
cc: George Bakolia, State Chief Information Officer
Ralph Campbell, State Auditor
Woody Yates, Executive Director, IRMC