Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance
committees of the NM Legislature. The LFC does not assume responsibility for the accuracy of these reports
if they are used for other purposes.
Current FIRs (in HTML & Adobe PDF formats) are a vailable on the NM Legislative Website (legis.state.nm.us).
Adobe PDF versions include all attachments, whereas HTML versions may not. Previously issued FIRs and
attachments may be obtained from the LFC in Suite 101 of the State Capitol Building North.
F I S C A L I M P A C T R E P O R T
SPONSOR Rodella
ORIGINAL DATE
LAST UPDATED
2/19/07
HB 950
SHORT TITLE Public Computer Database Records
SB
ANALYST Ortiz
APPROPRIATION (dollars in thousands)
Appropriation
Recurring
or Non-Rec
Fund
Affected
FY07
FY08
NFI
(Parenthesis ( ) Indicate Expenditure Decreases)
Duplicates SB829
SOURCES OF INFORMATION
LFC Files
Responses Received From
Commission of Public Records
Office of Chief Information Officer (CIO)
Public Education Department (PED)
General Services Department (GSD)
NM Environment Department (NMED)
Higher Education Department (HED)
SUMMARY
Synopsis of Bill
The House Bill 950 enacts a new section which:
restates the existing provision contained in Section14-3-15.1 NMSA 1978 that, unless
otherwise provided by state or federal law, information contained in a computer database is a
public record and is subject to disclosure in a printed or typed format;
provides that the state shall authorize an electronic copy of information in a database that is a
public record on a currently available electronic medium for a person if the person pays a
reasonable fee based upon the costs of materials, making the electronic copy and personnel
time required to research and retrieve the electronic record;
stipulates that, subject to confidentiality provisions of law, the state may permit another
federal, state or local government entity access to all of any portion of a computer database
pg_0002
House Bill 950 – Page
2
created by the state; and
provides that the state, at its option and if it has the capability, may permit access or use of its
computer and network system to search, manipulate or retrieve information from a database
and may charge reasonable fees based upon the costs of materials, personnel time, access
time and the use of the network.
Additionally, the bill amends Section 14-3-15.1 NMSA 1978 to delete existing Subsection C,
which permits the copying of computerized database that is a public record for a person but
which also establishes limitations on the use of the database and provides for payment of a
royalty or other agreed-upon consideration to the state.
The bill further amends the same section by deleting existing Subsection G, which establishes
penalties for the unauthorized use of a database.
FISCAL IMPLICATIONS
The Chief Information Officer lists the following fiscal concerns:
The exact impact on the general fund cannot be quantified as it is based on a number of requests
and the complexity associated with meeting the request as well as additional staff training.
Agencies will accrue significant administrative and staff costs to address changes proposed in
HB 950. The exact amount cannot be quantified because it is based on the number of requests
and their complexity and the additional training that will be required for staff.
The state and its agencies can expect to incur significant costs to remediate its network and
computer systems and restore data if untrusted entities insert malicious code into the state
network and computer systems.
Individuals or organizations requesting databases under the proposed changes can expect to
invest heavily in the programming and technical infrastructure needed to extract data from
databases. Specifically, the requestor will need the exact version of the database management
system and the same technical infrastructure (server hardware and operating system) used to
create the databases. Without these, the data cannot be obtained.
SIGNIFICANT ISSUES
Office of the Chief Information Officer offers provides the following, which are echoed by other
respondents:
.
The Public is entitled to some expectation of privacy with respect to personal data stored
within state computer systems. NMSA 1978 14-3-15.1 currently provides those protections.
.
In 1995, New Mexico passed legislation making it unlawful for any New Mexico's Motor
Vehicle Department (MVD) employee or contractor to disclose personal information about
an individual obtained in connection with the issuance of a driver's license, driver's permit,
vehicle title, or vehicle registration. Section 66-2-7.1 NMSA 1978 authorizes limited
disclosure including disclosure to the individual/owner, the individual's authorized
representative, or for nine purposes specified by law (e.g., law enforcement, legal action,
research, or use by insurance companies and motor vehicle dealers).
.
Section 66-2-7.1 NMSA 1978 prohibits both current and former state employees and
contractors from disclosing motor vehicle data.
pg_0003
House Bill 950 – Page
3
.
HB 950 exposes the state network, agency networks, and agency computer systems to major
security threats by allowing untrusted users into the state network, thereby increasing the
likelihood that malicious code such as Trojan horses and viruses will be inserted. State
agencies, including GSD Information Systems Division, currently spend hundreds of
thousands of dollars on security software each year preventing the security exposures HB
950 will introduce.
.
HB 950 makes no distinction between a “database" and the data/information contained
within a database. A database consists of a schema (table structures), executable code needed
to run the database, and a technical platform (a database management system, operating
system, and server hardware). A requestor will not be able to access data contained within
the database unless they have the same versions of the database management system,
operating system, and server hardware, and create computer programs to extract the data
from the database.
.
State databases contain names, addresses, telephone numbers, driver’s licenses numbers,
social security numbers, and other personally identifiable information of individuals who
interact with state government. A recent NY Times article indicates identity fraud crime is
the nation’s fastest growing crime. U.S. losses from identity fraud crime in 2006 were $49
billion. The most prevalent type of identity theft is referred to as “synthetic" in which
criminals fabricate an identity using the real names, addresses, social security numbers, and
other personal information – exactly the kind of information state databases contain. NMSA
1978 14-3-15.1 currently provides the needed protections to guard against identity theft; this
bill diminishes that protection.
.
Congress enacted the Driver's Privacy Protection Act of 1994 (DPPA), which established a
regulatory scheme to restrict States' abilities to disclose a driver's personal information
without first obtaining a driver's consent. The proposed State statute is silent on obtaining
consent to release personal information.
.
Disclosure of personal information is regulated at the Federal level by the Federal Privacy
Act (45 U.S.C.A. section 552a) and the principles of fair information practices required by
Federal law. The Federal Privacy Act also: prohibits the disclosure of any record by any
means of communication except by prior written consent of the individual to whom the
record pertains (an Opt-out process) except under certain conditions; requires an accounting
of certain disclosures; and, makes it unlawful for a state agency to deny an individual any
right or privilege based on his or her refusal to furnish a social security number. By providing
express consent, individuals for whom personal information has been collected in the process
of obtaining a driver's license or motor vehicle registration give the State their permission to
use that information for other purposes. Express consent may be obtained in writing,
verbally, or through electronic means. Current New Mexico statutes are silent on addressing
these conditions of the Federal Privacy Act, as well as obtaining consent to release personal
information.
PERFORMANCE IMPLICATIONS
The Commission of Public Records (and other agencies) will have to ensure that confidential
information is secure and not made available. The redaction of confidential information could
prove extremely time-consuming and prohibitively expensive and the costs for such redaction are
not covered in the items that can be considered in setting fees. This bill may also require a
review of database security and may require updates to the appropriate systems.
pg_0004
House Bill 950 – Page
4
CONFLICT, DUPLICATION, COMPANIONSHIP, RELATIONSHIP
Duplicates SB829
TECHNICAL ISSUES
On Page 2, Line 13, recommend striking “and if it has the capability". This is too subjective.
Persons requesting to access state computer databases would always assert the existence of a
state capability. Access to state databases poses security issues, confidentiality issues and would
inevitably disrupt the day-to-day activity of state employees. The ability to exercise discretion in
requests to review databases should be based on these considerations, not if it has the capability.
Article 14-3-15.1.B refers to “the commission", which is not defined in the bill. Nor are the
terms “data," “database" or “information".
OTHER SUBSTANTIVE ISSUES
According to PED, this bill appears to eliminate the possibility of the state to exercise proprietary
control over its data; it also permits people in the private sector, including business entities, to
profit from information in governmental databases. This bill could dilute the image of the state.
For example, while current law requires the State Seal to be maintained by the Secretary of State,
under the terms of this bill anyone could request it electronically from a state agency for his or
her use in advertisements or whatever else with impunity. State law does not currently prohibit
the use of the seal.
POSSIBLE QUESTIONS
Should agencies subject to such laws as HIPPA, Sarbanes-Oxley, FERPA, FBI, or other
confidentiality or privacy issues be exempt from this legislation.
ANA/csd