Nevada Data Privacy Policy Launched After Cyberattack | State IT Security Updates

by Chief Editor

Nevada officials have implemented a new statewide policy to standardize how state data is classified and protected, following a cyberattack that disrupted state systems for weeks last August.

New Data Classification System

Announced Wednesday by the Governor’s Technology Office, the policy establishes four categories for data sensitivity: “public,” “sensitive,” “confidential,” and “restricted.” This marks the first time Nevada has implemented clear-cut categories for data sensitivity across state agencies.

Did You Know? In 2023, Nevada rolled out guidance on the use of artificial intelligence.

According to a release, the new system will allow agencies to move beyond simply labeling data as “sensitive” or “personal,” ensuring that private information is not treated the same as public information. “Agencies can now rely on a shared baseline for how information is categorized and protected, reducing uncertainty and hesitation when exchanging data,” the release stated.

Data Categories Defined

The “public” classification applies to data with no restrictions on disclosure, such as press releases and published state laws. “Sensitive” data, like internal agency correspondence, is not for proactive distribution but may be released after review. “Confidential” data includes personally identifiable information and health records, where unauthorized disclosure could “result in substantial harm.” Finally, “restricted” data, such as national security information, is limited to personnel with specific clearances, and unauthorized disclosure could threaten public safety or violate federal rules.

Expert Insight: Establishing a standardized data classification system is a crucial step in strengthening cybersecurity posture. By clearly defining data sensitivity levels, agencies can better prioritize protection efforts and reduce the risk of data breaches.

The policy acknowledges the “mosaic effect,” where seemingly harmless data can become sensitive when combined with other information. Agency leaders are responsible for policy compliance, while data officials will determine the appropriate classification. Non-compliance could result in remediation or escalation.

Legislative Response

Cybersecurity has been a priority for Nevada lawmakers since the August cyberattack. Last year, during a special session, they unanimously passed AB1, creating a Security Operations Center to provide cybersecurity services to state agencies and elected officials. A cybersecurity working group was also formed in September to inform future legislation.

Frequently Asked Questions

What is the purpose of this new policy?

The policy aims to standardize how state data is classified and protected, ensuring private data is not treated the same as public information.

What are the four data classifications?

The four classifications are “public,” “sensitive,” “confidential,” and “restricted.”

What happens if an agency doesn’t comply with the policy?

Failure to comply with the policy could lead to remediation mandates or escalation to higher-ups.

Will this policy impact public access to state records?

It is unlikely, as the policy does not change what is considered a public record under Nevada’s public records law.
