pg_0001

Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance

committees of the NM Legislature. The LFC does not assume responsibility for the accuracy of these reports

if they are used for other purposes.

Current FIRs (in HTML & Adobe PDF formats) are a vailable on the NM Legislative Website (legis.state.nm.us).

Adobe PDF versions include all attachments, whereas HTML versions may not. Previously issued FIRs and

attachments may be obtained from the LFC in Suite 101 of the State Capitol Building North.

F I S C A L I M P A C T R E P O R T

SPONSOR Rodella

ORIGINAL DATE

LAST UPDATED

2/19/07

HB 950

SHORT TITLE Public Computer Database Records

ANALYST Ortiz

APPROPRIATION (dollars in thousands)

Appropriation

Recurring

or Non-Rec

Fund

Affected

FY07

FY08

NFI

(Parenthesis ( ) Indicate Expenditure Decreases)

Duplicates SB829

SOURCES OF INFORMATION

LFC Files

Responses Received From

Commission of Public Records

Office of Chief Information Officer (CIO)

Public Education Department (PED)

General Services Department (GSD)

NM Environment Department (NMED)

Higher Education Department (HED)

SUMMARY

Synopsis of Bill

The House Bill 950 enacts a new section which:

•

restates the existing provision contained in Section14-3-15.1 NMSA 1978 that, unless

otherwise provided by state or federal law, information contained in a computer database is a

public record and is subject to disclosure in a printed or typed format;

•

provides that the state shall authorize an electronic copy of information in a database that is a

public record on a currently available electronic medium for a person if the person pays a

reasonable fee based upon the costs of materials, making the electronic copy and personnel

time required to research and retrieve the electronic record;

•

stipulates that, subject to confidentiality provisions of law, the state may permit another

federal, state or local government entity access to all of any portion of a computer database

pg_0002

House Bill 950 – Page

created by the state; and

•

provides that the state, at its option and if it has the capability, may permit access or use of its

computer and network system to search, manipulate or retrieve information from a database

and may charge reasonable fees based upon the costs of materials, personnel time, access

time and the use of the network.

Additionally, the bill amends Section 14-3-15.1 NMSA 1978 to delete existing Subsection C,

which permits the copying of computerized database that is a public record for a person but

which also establishes limitations on the use of the database and provides for payment of a

royalty or other agreed-upon consideration to the state.

The bill further amends the same section by deleting existing Subsection G, which establishes

penalties for the unauthorized use of a database.

FISCAL IMPLICATIONS

The Chief Information Officer lists the following fiscal concerns:

The exact impact on the general fund cannot be quantified as it is based on a number of requests

and the complexity associated with meeting the request as well as additional staff training.

Agencies will accrue significant administrative and staff costs to address changes proposed in

HB 950. The exact amount cannot be quantified because it is based on the number of requests

and their complexity and the additional training that will be required for staff.

The state and its agencies can expect to incur significant costs to remediate its network and

computer systems and restore data if untrusted entities insert malicious code into the state

network and computer systems.

Individuals or organizations requesting databases under the proposed changes can expect to

invest heavily in the programming and technical infrastructure needed to extract data from

databases. Specifically, the requestor will need the exact version of the database management

system and the same technical infrastructure (server hardware and operating system) used to

create the databases. Without these, the data cannot be obtained.

SIGNIFICANT ISSUES

Office of the Chief Information Officer offers provides the following, which are echoed by other

respondents:

The Public is entitled to some expectation of privacy with respect to personal data stored

within state computer systems. NMSA 1978 14-3-15.1 currently provides those protections.

In 1995, New Mexico passed legislation making it unlawful for any New Mexico's Motor

Vehicle Department (MVD) employee or contractor to disclose personal information about

an individual obtained in connection with the issuance of a driver's license, driver's permit,

vehicle title, or vehicle registration. Section 66-2-7.1 NMSA 1978 authorizes limited

disclosure including disclosure to the individual/owner, the individual's authorized

representative, or for nine purposes specified by law (e.g., law enforcement, legal action,

research, or use by insurance companies and motor vehicle dealers).

Section 66-2-7.1 NMSA 1978 prohibits both current and former state employees and

contractors from disclosing motor vehicle data.

pg_0003

House Bill 950 – Page

HB 950 exposes the state network, agency networks, and agency computer systems to major

security threats by allowing untrusted users into the state network, thereby increasing the

likelihood that malicious code such as Trojan horses and viruses will be inserted. State

agencies, including GSD Information Systems Division, currently spend hundreds of

thousands of dollars on security software each year preventing the security exposures HB

950 will introduce.

HB 950 makes no distinction between a “database" and the data/information contained

within a database. A database consists of a schema (table structures), executable code needed

to run the database, and a technical platform (a database management system, operating

system, and server hardware). A requestor will not be able to access data contained within

the database unless they have the same versions of the database management system,

operating system, and server hardware, and create computer programs to extract the data

from the database.

State databases contain names, addresses, telephone numbers, driver’s licenses numbers,

social security numbers, and other personally identifiable information of individuals who

interact with state government. A recent NY Times article indicates identity fraud crime is

the nation’s fastest growing crime. U.S. losses from identity fraud crime in 2006 were $49

billion. The most prevalent type of identity theft is referred to as “synthetic" in which

criminals fabricate an identity using the real names, addresses, social security numbers, and

other personal information – exactly the kind of information state databases contain. NMSA

1978 14-3-15.1 currently provides the needed protections to guard against identity theft; this

bill diminishes that protection.

Congress enacted the Driver's Privacy Protection Act of 1994 (DPPA), which established a

regulatory scheme to restrict States' abilities to disclose a driver's personal information

without first obtaining a driver's consent. The proposed State statute is silent on obtaining

consent to release personal information.

Disclosure of personal information is regulated at the Federal level by the Federal Privacy

Act (45 U.S.C.A. section 552a) and the principles of fair information practices required by

Federal law. The Federal Privacy Act also: prohibits the disclosure of any record by any

means of communication except by prior written consent of the individual to whom the

record pertains (an Opt-out process) except under certain conditions; requires an accounting

of certain disclosures; and, makes it unlawful for a state agency to deny an individual any

right or privilege based on his or her refusal to furnish a social security number. By providing

express consent, individuals for whom personal information has been collected in the process

of obtaining a driver's license or motor vehicle registration give the State their permission to

use that information for other purposes. Express consent may be obtained in writing,

verbally, or through electronic means. Current New Mexico statutes are silent on addressing

these conditions of the Federal Privacy Act, as well as obtaining consent to release personal

information.

PERFORMANCE IMPLICATIONS

The Commission of Public Records (and other agencies) will have to ensure that confidential

information is secure and not made available. The redaction of confidential information could

prove extremely time-consuming and prohibitively expensive and the costs for such redaction are

not covered in the items that can be considered in setting fees. This bill may also require a

review of database security and may require updates to the appropriate systems.

pg_0004

House Bill 950 – Page

CONFLICT, DUPLICATION, COMPANIONSHIP, RELATIONSHIP

Duplicates SB829

TECHNICAL ISSUES

On Page 2, Line 13, recommend striking “and if it has the capability". This is too subjective.

Persons requesting to access state computer databases would always assert the existence of a

state capability. Access to state databases poses security issues, confidentiality issues and would

inevitably disrupt the day-to-day activity of state employees. The ability to exercise discretion in

requests to review databases should be based on these considerations, not if it has the capability.

Article 14-3-15.1.B refers to “the commission", which is not defined in the bill. Nor are the

terms “data," “database" or “information".

OTHER SUBSTANTIVE ISSUES

According to PED, this bill appears to eliminate the possibility of the state to exercise proprietary

control over its data; it also permits people in the private sector, including business entities, to

profit from information in governmental databases. This bill could dilute the image of the state.

For example, while current law requires the State Seal to be maintained by the Secretary of State,

under the terms of this bill anyone could request it electronically from a state agency for his or

her use in advertisements or whatever else with impunity. State law does not currently prohibit

the use of the seal.

POSSIBLE QUESTIONS

Should agencies subject to such laws as HIPPA, Sarbanes-Oxley, FERPA, FBI, or other

confidentiality or privacy issues be exempt from this legislation.

ANA/csd