LAS VEGAS (KTNV) — It's been about six months since a cyberattack led to state networks and agencies being down for 28 days.
Since then, state officials have been working on finding ways to strengthen infrastructure and troubleshoot future problems. On Wednesday, the Governor's Technology Office released a new state policy that will standardize how state agencies classify and store data.
"A lot of agencies have their own kind of independent ways of defining their data. What this does is unify the definitions across the board," said Michael Hanna-Butros Meyering, Chief Communication and Policy Officer for the Governor's Technology Office. "This is the first for the executive branch to have a statewide data policy. That way, we're all on the same page."
WATCH: How Nevada Classifies and Protects State Data
This policy will apply to all Executive Branch agencies, departments, divisions, boards, and commissions, State of Nevada assets, state employees, contractors, and vendors who handle state information assets, and all IT systems, applications, and platforms that sore or process state data.
According to the policy, data will be broken down into four categories.
- "Public" - This includes things like press releases, published Nevada Revised Statues, annual agency reports, public meeting agendas, and content approved for state agency websites or social media.
- "Sensitive" - This includes things like draft policies, internal agency correspondence, budget working documents, state vendor information, and non-confidential personnel information.
- "Confidential" - This includes things like Social Security numbers, driver's license numbers, dates of birth, protected health information, credit and debit card numbers, state criminal records, child welfare case files, unemployment claims, and mental health treatment records.
- "Restricted" - This includes things like tax returns, tax records, critical infrastructure security data, cybersecurity incident response data, active threat intelligence, encryption keys, and emergency operations center tactical response plans.
You can read the full policy below.
One question we received from viewers after the cyberattack last year was how will the state protect their personal information moving forward. Hanna-Butros Meyering said this policy will help address that.
"Most breaches aren't like movie hackers. There's a lot of internet memes that are Mission Impossible-like situations. In reality, they're ordinary mistakes that are made easier by inconsistency," he said. "This policy really targets that inconsistency and reduces the chance of accidental exposure."
AUGUST 2025: FBI speaks on increase in cyberattack trends during Nevada's network outage
Over the years, there have been more cyberattacks hitting different states, companies, hospitals, and schools. Hanna-Butros Meyering said their office is always looking for ways to try to stay ahead of the curve and prepare for situations like the cyberattack, which is why they were able to get everything back up in 28 days.
"It's not a question of if, but when, at this point. We just have to be sharp at all times. We have to be really disciplined in our procedures and regulation and policies that we set in place to set us up for success," Hanna-Butros Meyering said. "The reason for this 28-day recovery is because we were so disciplined. We've had the practice and the playbook. We knew what our priorities were for our constituents."
That included getting agencies up and running as fast as possible to continue serving Nevadans.
"We're also Nevadans. When I got home, my neighbor was asking me like, "Hey. Can I set up a DMV appointment?"," he explained. "My work literally impacts my neighbors. It hits home. We really work to make sure everyone is safe, everyone is consuming the services as they need it, and the last thing we want to do is remove that ability for Nevadans."
The new data policy isn't the only security upgrade that is on the way. They are also looking at stronger identity controls, privileged access management, and other data protections like encryption, which are aligned with federal requirements.