1.  Any record of a state agency, including the Office, or a local government, including, without limitation, a record obtained from a private entity, which identifies the detection of, the investigation of or a response to a suspected or confirmed threat to or attack on the security of an information system is not a public record and may be disclosed by the Administrator only to another state agency or local government, a cybersecurity incident response team appointed pursuant to NRS 480.928 and appropriate law enforcement or prosecuting authorities and only for the purposes of preparing for and mitigating risks to, and otherwise protecting, the security of information systems or as part of a criminal investigation.

2.  The Office shall not require any private entity to provide any information or data that, in the sole discretion of the private entity, would compromise any information system of the private entity if such information or data were made public.