Nevada’s Governor’s Technology Office on Wednesday rolled out a new statewide data classification policy, creating clear categories for how state agencies should label and protect information months after a cyberattack shut down some systems for weeks. The policy is designed to standardize the state’s approach to information security rather than relying on agencies to decide how to handle data on a case-by-case basis.
Officials said the changes mark the first time Nevada will use “clear-cut categories for data sensitivity,” moving beyond the state’s prior practice of broadly labeling information as “sensitive” or “personal.” They said the categories are meant to prevent different types of information from being treated the same and to support consistent protections across agencies.
In a release announcing the policy, the Governor’s Technology Office said, “Agencies can now rely on a shared baseline for how information is categorized and protected, reducing uncertainty and hesitation when exchanging data.” The release also said the policy was in development before the cyberattack that struck Nevada in late August, but that the rollout reflects the state’s broader push to align IT policies across agencies.
Under the policy, data will be classified into one of four categories: “public,” “sensitive,” “confidential” or “restricted.” It is up to individual agencies to determine the proper category, and the policy says that if classification is unclear, agencies must place the data in the more restrictive category.
The policy also explains how Nevada considers the “mosaic effect,” meaning that data that might appear harmless on its own can become sensitive when combined with other information. Officials said that approach is reflected in how categories are defined and applied.
Nevada’s policy ties the categories to privacy and disclosure rules. It states that under Nevada’s public records law, information is by default a public record unless confidentiality provisions apply, and it says the new classification system does not change what qualifies as a public record.
For the categories, the state described “public” data as information with no restrictions. It described “sensitive” data as information not intended for proactive distribution, such as internal agency correspondence, which officials said can still be released following review to ensure it does not include confidential information.
The “confidential” category includes personally identifiable information and health records, and, according to the policy, unauthorized disclosure of these documents might “result in substantial harm.” The policy defined “restricted” data as information available only to personnel with specific clearances, including national security and financial account information, and it said unauthorized disclosure could threaten public safety or violate federal security rules.
Officials said the policy will serve as a “foundation” for future cybersecurity improvements, including efforts such as multifactor authentication. The rollout also comes as Nevada lawmakers have been addressing cybersecurity after the August attack: during the Legislature’s special session last year, lawmakers unanimously passed AB1, which creates a Security Operations Center intended to provide monitoring, mitigation and incident response services to state agencies and elected officials.
In addition, the Legislature formed a cybersecurity working group in September to inform future legislation, as Nevada pursues a more uniform approach to protecting state information and supporting responsible data sharing across agencies. In a press release, the Governor’s Technology Office said, “Together, these measures are intended to strengthen Nevada’s overall digital resilience while enabling responsible data sharing across agencies.”