Nevada has unveiled a comprehensive data classification policy designed to standardize the management of state data privacy, following a significant cyberattack earlier this year that disrupted operations for an extended period.
Establishing Data Sensitivity Categories
The newly announced policy from the Governor’s Technology Office introduces clear categories for data sensitivity. This initiative marks Nevada’s first structured approach to distinguishing between different levels of data privacy, moving beyond simplistic labels like “sensitive” or “personal.” The aim is to ensure that private data is protected differently from public information.
According to the policy release, this framework allows agencies to rely on a shared understanding of data categorization, thereby reducing uncertainties and facilitating smoother data exchanges.
Policy Development and Implementation
Even though the cyberattack that paralyzed state systems occurred in late August, the policy had been in development for some time. It reflects Nevada’s ongoing efforts to unify IT practices across various state agencies. Earlier in the year, guidelines regarding artificial intelligence usage were also introduced.
The policy classifies data into four categories: “public,” “sensitive,” “confidential,” and “restricted.” Agencies are responsible for assigning the correct classification, and when in doubt, data should be placed in the more restrictive category.
Responsibilities and Compliance
Agency leaders hold the responsibility for ensuring adherence to the policy, while data officials at lower levels will assign data classifications. Non-compliance may result in corrective actions or escalation to senior management.
The policy spells out what each classification tier means. “Public” data carries no disclosure restrictions. “Sensitive” data is not for proactive distribution but can be released after review. “Confidential” data includes personally identifiable information with potential for substantial harm if disclosed. “Restricted” data involves highly sensitive information, like national security data, with severe consequences for unauthorized disclosure.
Further, the policy acknowledges the “mosaic effect,” where data may initially seem harmless but could become sensitive when combined with other datasets.
Future Cybersecurity Initiatives
This policy is intended as the foundation for future cybersecurity enhancements, such as implementing multifactor authentication. These measures aim to bolster Nevada’s digital resilience and support responsible data sharing among agencies.
In response to the cyberattack, state lawmakers have prioritized cybersecurity. Last year, during a special legislative session, the unanimous passage of AB1 established a Security Operations Center to provide cybersecurity services across state agencies. Additionally, a cybersecurity working group was formed to guide future legislative efforts.
