New Nevada Data Classification Policy Emerges Post-Cyberattack

Nevada’s IT agency has rolled out a new policy aimed at standardizing the privacy of state data, months after a massive cyberattack crippled certain systems for weeks.

The policy announced Wednesday from the Governor’s Technology Office marks the first time the state will have clear-cut categories for data sensitivity. Officials said this will allow agencies to go beyond simply denoting something as “sensitive” or “personal” and will ensure private data is not treated the same as public information.

“Agencies can now rely on a shared baseline for how information is categorized and protected, reducing uncertainty and hesitation when exchanging data,” a release announcing the policy said.

Officials said the policy was in the works long before the cyberattack shut down state systems in late August, but the policy reflects Nevada’s efforts to set uniform IT policies across agencies. In 2023, the state rolled out guidance on the use of artificial intelligence.

Data will now be classified as one of four categories: “public,” “sensitive,” “confidential” or “restricted.” It is up to individual agencies to determine the proper category, and if the classification is unclear, the data must be put in the more restrictive category.

Under Nevada’s public records law, information is by default a public record unless specific confidentiality provisions apply. The policy said it does not change what is considered a public record.

Agency leaders are responsible for ensuring compliance with the policy, while lower-level data officials will determine which classification data falls under. Failure to comply with the policy could lead to remediation mandates or escalation to higher-ups.

The “public” data classification means there are no restrictions or potential harms of disclosure. The “sensitive” tier relates to data not intended for proactive distribution, such as internal agency correspondence, but can still be released following review to ensure it does not include confidential information.

The state said the policy takes into account the “mosaic effect,” where data might appear harmless on its own but can become sensitive if combined with certain other data.

Next, the “confidential” tier includes personally identifiable information and health records. Unauthorized disclosure of these documents might “result in substantial harm,” according to the policy.

“Restricted” data refers to information only available to personnel with specific clearances, such as national security and financial account information. Unauthorized disclosure of this data could threaten public safety or violate federal security rules, according to the policy.

The state said the policy will be the “foundation” for future efforts to improve state cybersecurity, such as multifactor authentication.

“Together, these measures are intended to strengthen Nevada’s overall digital resilience while enabling responsible data sharing across agencies,” a press release said.

Cybersecurity has been a priority for state lawmakers since the cyberattack. During the Legislature’s special session last year, lawmakers unanimously passed AB1, a bill that creates a Security Operations Center that will provide cybersecurity services to state agencies and elected officials. This center would monitor infrastructure, mitigate threats and provide incident responses.

The Legislature also formed a cybersecurity working group in September to inform future legislation.

___

This story was originally published by The Nevada Independent and distributed through a partnership with The Associated Press.