Nevada Unveils New Statewide Data Classification Policy

Got story updates? Submit your updates here. ›

Nevada has launched a new statewide policy that puts clear labels on how sensitive state data is and how agencies protect it. The policy creates four data classification categories - public, sensitive, confidential, and restricted - to ensure private data is not treated the same as public information. The policy was in the works before a major cyberattack last year that crippled certain state systems for weeks, but it reflects Nevada's efforts to set uniform IT policies across agencies.

Why it matters

The new data classification policy is part of Nevada's broader efforts to improve cybersecurity and digital resilience after a significant cyberattack disrupted state operations. By standardizing how data is categorized and protected, the state aims to reduce uncertainty and enable more responsible data sharing across agencies.

The details

Under the new policy, agencies must classify data as 'public,' 'sensitive,' 'confidential,' or 'restricted' based on the potential risks and harms of disclosure. Public data has no restrictions, while sensitive data is not intended for wide distribution but can be released after review. Confidential data includes personally identifiable information, and restricted data is only available to personnel with specific clearances. Agency leaders are responsible for ensuring compliance, and failure to follow the policy could lead to remediation or escalation.

• In late August 2025, a major cyberattack crippled certain Nevada state systems for weeks.
• In 2023, Nevada rolled out guidance on the use of artificial intelligence across state agencies.
• On February 11, 2026, Nevada's Governor's Technology Office announced the new statewide data classification policy.

What’s next

The new data classification policy will serve as the 'foundation' for future efforts to improve Nevada's overall cybersecurity, such as the implementation of multifactor authentication across state agencies.