Open Meeting Law: Can Board Meetings Be Closed to Discuss Cyber-security Matters?

To address the growing threat of cyber-security incidents, MCIT members are assessing their cyber-security preparedness, addressing cyber-security infrastructure needs, and developing data and cyber-security response plans. Governing boards may need to discuss the work being done in this area, but they must also remember to comply with the transparency requirements of the Open Meeting Law. In some circumstances, the board may be able to close a meeting to address cyber-security issues.

Whether a board has legal authorization to close a meeting is highly dependent on the subject matter and particular circumstances at hand. MCIT recommends that members consult with their legal counsel with questions for specific situations.

The Minnesota Open Meeting Law requires that all meetings covered by the law be open to the public (see Minnesota Open Meeting Law for more information). The law permits a governing body to close a meeting to the public only under certain enumerated exceptions, including for labor negotiations, discussions of specified not public data or as otherwise authorized by law.

Issues Related to Security and Emergency Response Procedures

Section 13D.05, subdivision 3(d) of the Open Meeting Law allows a governing body to close a meeting to:

• Receive security briefings and reports
• Discuss issues related to security systems
• Discuss emergency response procedures
• Discuss security deficiencies in or recommendations regarding public services, infrastructure and facilities

Seemingly, these reasons could apply to some cyber-security circumstances. However, meetings may only be closed under this section if disclosure of the information discussed would pose a danger to public safety, or compromise security procedures or responses. For example, it is plausible that a member could close its board meeting to discuss details of the member’s cyber-security procedures if it would compromise the security of the system and the member’s data if the details were made public.

Discussions of financial issues related to security matters and all related financial decisions must occur in an open meeting. For instance, a discussion about approval of an expense related to the member’s cyber-security infrastructure would need to occur in a public meeting.

Members considering closing a meeting under this provision to handle cyber-security matters are encouraged to consult with legal counsel to confirm that the subject matter of the discussion fits under this provision, and what aspects of the discussion, if any, may need to take place in an open meeting.

Before closing any meeting, the governing board must state on the record the specific grounds permitting the meeting to be closed and describe the subject matter to be discussed.1 When this provision applies, the subject matter must refer to the facilities, systems, procedures, services or infrastructures to be considered during the closed meeting.

Section 13D.05, subdivision 3(d) also provides that the closed meeting must be electronically recorded at the expense of the governing body, with recording preserved for at least four years. Note that this is longer than the standard three years required by the Open Meeting Law for recordings of closed meetings.

Whether some or all of the recording can be released upon request will depend on how the data is classified under the Minnesota Government Data Practices Act and who makes the request.

Active Law Enforcement Investigative Data

In the event of a cyber-security incident, there may be additional support for closing a board meeting to give the governing body a status report if law enforcement is currently involved in the investigation.

The Open Meeting Law requires meetings to be closed when active criminal investigative data, as defined by Minnesota Statutes, Section 13.82, subdivision 7, will be discussed.²

• The closed meeting must be electronically recorded at the expense of the governing body.
• The recording must be preserved for at least three years, if not longer, depending on the type of data involved.

Attorney-client Privilege

Members should be cautious about assuming that the meeting can be closed under the attorney-client privilege exception. Attorney-client privilege allows a meeting to be closed if the meeting is to discuss pending or threatened litigation against the public body.³

The courts have held that a meeting may not be closed to seek general legal advice or to discuss litigation the public body assumes may occur.

Again, whether these provisions apply to a particular cyber-security situation is highly fact dependent, and members are strongly encouraged to discuss with their legal counsel prior to closing a meeting under these provisions.

Meetings closed on the basis of attorney-client privilege are not required to be electronically recorded.⁴

Use Caution

The Open Meeting Law typically does not apply to telephone conversations among less than a quorum or to letters or other written communication. However, telephone conversations, email or letters among less than a quorum of the public body used to avoid open meeting requirements or to fashion an agreement in advance of an open meeting may be found to have violated the law.

Generally no open meeting violation occurs when mail—electronic or printed—is used to distribute materials to board members. A problem or violation may arise when the board members respond to the information and begin a discussion of the materials.

The board also may not use a third person (not a board member) to facilitate a consensus among board members. This may include agreeing to the content of a letter or other communication outside of a board meeting.⁵

¹Minn. Stat. § 13D.01, subd. 3

²Minn. Stat. § 13D.05, subd. 2(a)(2)

³Minn. Stat. § 13D.05, subd. 3(b); Prior Lake v. Mader, 642 N.W.2d 729 (Minn. 2002); Brainerd Daily Dispatch v. Dehen, 693 N.W.2d 435 (Minn. App. 2005).

⁴Minn. Stat. § 13D.05, subd. 1(d)

⁵Minn. Dept. of Admin. Opinions 06-017 and 17-005