The United States government classifies sensitive information into four main categories based on the degree of damage that would occur to national security if the information were disclosed in an unauthorized manner. Individuals cleared for a particular classification level may access information at that level and below, provided that they have a specific need to know the particular information in question. The four classification levels used by the U.S. government are:

• Unclassified—Information that has not otherwise been assigned a sensitivity level under the national security classification scheme. Generally speaking, unclassified information is subject to public release under the Freedom of Information Act (FOIA). Under certain circumstances, government agencies may designate unclassified information as Controlled Unclassified Information (CUI). CUI information is exempt from disclosure under FOIA.
• Confidential—Information that, if disclosed, could reasonably be expected to cause damage to national security.
• Secret—Information that, if disclosed, could reasonably be expected to cause serious damage to national security.
• Top Secret—Information that, if disclosed, could reasonably be expected to cause exceptionally grave damage to national security.

Information may change classifications at any time, as circumstances warrant. Information that may have been deemed confidential in 1992 may be considered Secret or even Top Secret today. Likewise, information that was of Top Secret importance in 1939 may no longer be sensitive enough to be classified at all.

The classification schemes used by private organizations vary widely but often share some elements with the government scheme. One commonly used approach to corporate classification has the following classification levels:

• Public—Information that the company freely releases to the public. This category would include information that is published on the organization’s website or distributed in sales materials.
• Internal—Information that is not normally released to the general public but may be disclosed without damaging the company. This may include information about product road maps or pricing that is released to customers but not widely published.
• Sensitive—Information that, if disclosed, could cause serious damage to the firm. This may include new product development plans or internal marketing strategies. Sensitive information is often not released outside the company except under the terms of a formal nondisclosure agreement (NDA).
• Highly sensitive—Information that, if disclosed, would be extremely damaging to the company. This may include customer Social Security numbers, credit card numbers, or other very sensitive information. Highly sensitive information is often encrypted at all times and requires special permission to access.

Information is generally classified if disclosure could harm the controlling organization. Corporations classify information to try to keep a competitive advantage over other companies. A soup company, for example, may want to keep its recipes as trade secrets. A company that tests the strength of materials may want to keep its testing methodology proprietary. Governments want to classify any information that would damage their security, such as troop locations and movement, facility locations, and so on.

Declassification is the process used to move a classified document into the public domain. Every country and organization that classifies documents has a method of declassification. Let’s look at the U.S. model as a baseline.

There are four ways a U.S. government document can become declassified:

• Automatic declassification—Automatic declassification happens with any document over 25 years old. Unless it meets strict criteria, the document is automatically declassified after the department that owns the document reviews it. It is then moved to the publicly accessible shelves of the national archives.
• Systematic declassification—With systematic declassification, any document that is under 25 years old but of significant importance to the historic record of the United States is reviewed for early declassification. Once identified, these documents go through the same procedures as automatically declassified documents.
• Mandatory declassification review—A mandatory declassification review is instigated when an individual attempts to get a document declassified. After the review request has been filed, the owning organization must respond with approval, denial, or the inability to confirm or deny the existence or nonexistence of the document. If the request is denied, the requester can appeal to the interagency security classification appeals board.
• FOIA request—A FOIA request is an attempt by a member of the general public to get a document declassified. The act allows for full or partial disclosure of the document; if the owning organization refuses the request, the decision can be appealed in a judicial review.