Data Classification — Why Not All Data Is Created Equal

Every organization has data it can’t afford to lose and data it wouldn’t miss if it vanished tomorrow. The problem is that most organizations treat both piles exactly the same — which means the crown jewels get the same flimsy padlock as the break room lunch menu. Classification is the act of looking at your data, admitting that some of it matters more than the rest, and building your defenses accordingly. It sounds obvious. It almost never gets done right.

The TLDR

Data classification assigns sensitivity labels to information so you can apply the right controls to the right data. Governments use a tiered system (Unclassified through Top Secret). Enterprises build their own (Public through Restricted). Every piece of data gets an owner, a label, and a set of handling rules. When classification works, you spend your security budget on what matters. When it fails — and it fails constantly — you’re either encrypting cafeteria menus or leaving trade secrets on a shared drive with no access controls.

The Reality

Here’s what actually happens in most organizations: everything is either marked “Confidential” or nothing is marked at all. Both are classification failures. If everything is confidential, nothing is — because folks stop treating the label as meaningful. And if nothing is labeled, every file share is a mystery box that could contain anything from a press release to a customer database full of Social Security numbers.

The 2023 Pentagon leak is a masterclass in what happens when classified data escapes its handling requirements. A 21-year-old Air National Guardsman walked top secret intelligence documents out of a SCIF and posted them on Discord. The classification system itself was fine — the documents were properly marked Top Secret. The handling controls failed. One person with access and a phone camera defeated the entire system.

On the commercial side, the Equifax breach in 2017 exposed 147 million people’s data because the company couldn’t distinguish between its most sensitive assets and everything else. Patch management was applied uniformly (which is to say, poorly), and the data that needed the most protection got the same neglect as everything else.

How It Works

Government Classification — The Original Framework

The U.S. government classification system has four levels, defined by Executive Order 13526:

• Unclassified — No damage to national security if disclosed. This is the default. Most government data lives here.
• Confidential — Disclosure could cause “damage” to national security. The lowest classified tier.
• Secret — Disclosure could cause “serious damage” to national security. Think military operational plans, intelligence methods.
• Top Secret — Disclosure could cause “exceptionally grave damage.” Nuclear weapons data, covert agent identities, signals intelligence.

Beyond Top Secret, there are Sensitive Compartmented Information (SCI) and Special Access Programs (SAPs) — not higher classifications, but additional access restrictions layered on top. You can have Top Secret clearance and still not be read into a specific SCI program. Need-to-know is the gatekeeper, not the clearance level itself.

Commercial Classification — Build Your Own

There’s no universal commercial standard, but most frameworks land on four tiers. ISO 27001 Annex A.8 provides the control framework. The typical scheme looks like this:

• Public — Marketing materials, press releases, published financials. No restrictions on disclosure.
• Internal — Company policies, org charts, internal memos. Not harmful if leaked, but not meant for outside consumption.
• Confidential — Customer data, financial records, contracts, HR files. Disclosure would cause real harm — legal liability, competitive disadvantage, regulatory penalties.
• Restricted — Trade secrets, encryption keys, M&A plans, raw PII datasets. The kind of data that triggers breach notification laws and board-level conversations when it walks out the door.

The People Behind the Labels

Classification isn’t just about labels — it’s about accountability. Three roles matter:

Data owners are the business leaders who decide how data gets classified. The VP of Engineering owns the source code. The CFO owns the financial data. They’re accountable for the classification decision and answerable when it goes wrong.

Data custodians are the IT folks who implement the controls. They configure the access permissions, manage the encryption, run the backups. They don’t decide the classification — they enforce it.

Data processors handle data on behalf of someone else. Your cloud provider is a processor. Your payroll company is a processor. They touch the data, but the owner is still on the hook for how it’s classified and protected. GDPR Article 28 makes this relationship contractually explicit.

Labeling and Handling Requirements

Every classification level needs a corresponding set of handling rules. NIST SP 800-60 provides guidance on mapping data types to security categories, while FIPS 199 defines the impact levels (low, moderate, high) that determine what controls are required.

A functional labeling scheme includes:

• Visual marking — headers, footers, watermarks, metadata tags. If someone opens a document, the classification should be visible without hunting for it.
• Storage requirements — Restricted data gets encrypted at rest. Public data doesn’t need it. Internal data might live on a shared drive; Confidential data shouldn’t.
• Transmission rules — Can it be emailed? Does it require encrypted channels? Can it leave the network at all?
• Access controls — Who can read it, who can modify it, who can share it. Role-based access, not individual grants.
• Retention and disposal — How long do you keep it? How do you destroy it when you’re done? Restricted data doesn’t go in the recycling bin.

How It Gets Exploited

Overclassification Fatigue

When organizations create too many classification levels or mark everything at the highest tier, people stop paying attention. This is classification fatigue, and it’s the most common failure mode. If every email is marked “Confidential,” the label becomes invisible. The usual suspects don’t need to break your crypto — they just need your people to stop caring about the labels.

Shadow IT and Unclassified Data Flows

Data classification only works when you control where the data lives. The moment someone copies a Restricted spreadsheet to their personal Google Drive, your classification scheme is a fiction. Shadow IT — unauthorized tools, personal cloud storage, unapproved SaaS apps — is where classification goes to die. MITRE ATT&CK T1567 (Exfiltration Over Web Service) documents how easily data moves from controlled environments to places you can’t see.

No Enforcement Mechanism

A classification policy without DLP (Data Loss Prevention) is a suggestion. If your Restricted data can be attached to an email and sent to a personal address without triggering an alert, you don’t have a classification program — you have a document that says you have one. Auditors love the document. Attackers love the gap.

Misclassification by Default

When people don’t know how to classify something, they either leave it unlabeled (effectively treating it as Public) or slap the default label on it without thinking. Both are wrong. Unlabeled data is invisible to DLP tools. Over-labeled data drowns in noise. Either way, the system fails.

What You Can Do

Start with an inventory. You can’t classify what you haven’t found. Map your data — where it lives, who creates it, who touches it, where it flows. This is unglamorous work and most organizations skip it. That’s why most classification programs fail.

Keep the scheme simple. Four levels is enough. Three is better for smaller organizations. Every additional tier adds complexity that reduces compliance. If the person creating the data can’t remember the levels without checking a reference guide, you have too many.

Assign ownership explicitly. Every data category needs a named owner — not a team, not a department, a person. When nobody owns it, nobody protects it.

Automate labeling where possible. Microsoft Purview, Google DLP, and open-source tools like OpenDLP can scan for sensitive data patterns (credit card numbers, SSNs, medical record identifiers) and apply labels automatically. Humans are bad at consistent labeling. Machines are not.

Enforce with DLP. Classification without enforcement is theater. CISA’s data security guidance emphasizes that technical controls must back up policy decisions. If Restricted data can leave the building without tripping an alarm, your policy is decorative.

Review and reclassify. Data doesn’t stay the same sensitivity forever. Yesterday’s trade secret is tomorrow’s press release. Build regular review cycles into your classification program — annually at minimum, triggered by events (product launches, mergers, regulatory changes) ideally.

Sources & Further Reading

• NIST SP 800-60 Vol. 1 Rev. 1 — Guide for Mapping Types of Information and Information Systems to Security Categories
• FIPS 199 — Standards for Security Categorization of Federal Information
• ISO 27001 Annex A.8 — Asset Management Controls
• MITRE ATT&CK — Exfiltration Over Web Service (T1567)
• ISC2 — CISSP Domain 2: Asset Security
• NIST Cybersecurity Framework — Identify Function