Nassau County may have illegally declared a state of emergency for cybersecurity — a declaration that was not even known until revealed by the county's legal counsel.
Deputy County Attorney Gregory Kalnitsky confirmed the existence of a state of emergency in a letter to the Herald. It was a response to a request from a reporter for more information on a cybersecurity contract approved by the county legislature's rules committee on Dec. 5. The Herald as sought basic information about the agreement, including who the contract is with, and how much it will cost taxpayers.
"The county executive and Nassau County Legislature enacted a local state of emergency with respect to the county of Nassau's cybersecurity and information technology assets," Kalnitsky wrote.
State law generally requires a government body like a county legislature to announce the need of an executive session during the public meeting, provide a specific reason for such a session, and then hold a public vote on whether to allow such a session to take place. While New York state laws are a bit broad on what can be discussed in executive session, the law generally prohibits any action by formal vote that would spend public dollars.
Nassau lawmakers voted unanimously to enter into executive session on Dec. 5 to discuss "E-137-22" which was listed in the agenda as a shared servies agreement between the county's information and technology department and an unnamed vendor. After an hour of deliberation behind closed doors, the legislature reconvened without publicly discussing the contract or any state of emergency declaration.
One county source who declined to be identified because of the legal nature of executive sessions confirmed that an emergency declaration was made during the Dec. 5 executive session.
No documents were filed with the county clerk regarding the state of emergency for cybersecurity, according to the source.
Chris Boyle, the spokesman for County Executive Bruce Blakeman, has not responded to requests for comment. County officials in the past said they would not reveal any details about its new cybersecurity plan — including the vendor's name or cost — over claims it would make the county vulnerable to attack. Anxiety has been high in recent months after Suffolk County's computer systems were hacked.
"It is a clear violation of the Open Meetings Law to appropriate public funds in a close door private meeting, if that is what occured," wrote Paul Wolf, president of the New York Coalition for Open Government in an email to the Herald.
"Any vote to spend taxpayer dollars, even in an emergency situation, should occur in public," Wolf added.
Shoshanah Bewlay, executive director of the state's Committee on Open Government — a state-sponsored watchdog on government transparency — said specific details of the contract — if made public — could provide hackers with information to mount a cyberattack. However, more broad details about the agreement — like cost — don't enjoy that level of shielding, and should be made available to the public under state law.
“While a portion of the contract may be exempt from disclosure for one or more statutory reasons, in my opinion, certain portions of the record should be made available,” said Bewlay, who can only operate in an advisory capacity, and cannot force Nassau County to comply.