HELENA — Montana state agencies are now required to classify all data they produce or receive into four categories that range from public to top secret, under a policy approved by a little-known panel of technology managers from across state government.
The data classification policy approved in September by the Information Technology Managers Council aims to strengthen cybersecurity protections. Under the policy, all data acquired, created or maintained by a state agency must be classified by the agency head as public, confidential, secret or top secret.
The data is then stored within the agency in an information system with security levels categorized as low, medium or high, depending on the data classification.
“The basis of this policy was to ensure protection of information and citizen data,” said Montana Chief Information Security Officer Lynne Pizzini.
The policy applies to executive branch agencies — except for the university system — and the state judiciary. It has been in the works since January, Pizzini said.
Public-records advocates who learned about the new classification system said they were concerned it could make it easier for state officials to withhold information they don’t want the public to see.
The Montana Constitution determines what information is public and what is not, and creating categories of confidential information appears to be a governmental overreach that could potentially be abused, said attorney Mike Meloy of Helena, a freedom of information specialist.
“You can’t create a classification system administratively which overrides the constitution,” Meloy said. “Every time a government entity adopts a rule that could be construed to keep a document private or confidential, it hurts because governments generally tend to want to keep things secret.”
While many government agencies comply with the spirit of the state Constitution and let the public know what they’re doing, there are others who don’t want information divulged, he said.
“This policy probably creates another method of keeping things secret,” Meloy said.
The classification system does not conflict with public-records laws, Pizzini said.
“We’re still following the records law with public and confidential information, we just have different levels of confidential information,” Pizzini said. “The intention is not to limit the information that the public receives or has access to.”
The Legislative Audit Division, which reviews the operations of state agencies, would be responsible for ensuring that agency heads do not abuse the policy by misclassifying documents, she added.
Under the policy, confidential data is defined as information that could endanger citizens, corporations or business partners if it is disclosed. Examples include identification data in payroll, elections and personnel records, along with state contracts, memorandums of understanding and non-disclosure agreements that contain trade secrets.
Secret data is that which could compromise or endanger the people or assets of the state. Examples include health and financial records, sealed court cases, disaster recovery plan data and information about investigations and audits.
Top secret data is defined as information that could expose the state’s citizens or assets to great risk, such as homeland security information, disaster recovery codes and information about undercover officers or police raids.
“The only thing from the state’s perspective we’ve identified as top secret has to do with the Department of Justice,” Pizzini said.
The policy was introduced in the Information Manager Technology Council’s August meeting and approved by the council in September. Montana Chief Information Officer Ron Baldwin has the final say in establishing any information technology-related policy.
“Everybody is taking this very seriously,” Baldwin said. “Gov. (Steve) Bullock is very focused and intent on making sure the systems are secure and that people’s data is protected.”