Data classification has been painfully and clearly an afterthought for security measures. Historically, data classification was a “no-one-wants-to-do” regulation requirement applicable to only those organizations and industries who were “selected” to be “regulated.” As part of the regulation compliance, those “chosen” organizations had to show proof of data classification either in a direct way, or, data classification was a necessary pre-requisite for carrying out the mandated “data actions” prescribed by various regulations. However, once attackers started using dual attack techniques of threatening the access to data by encryption or locking, with the technique of exfiltrating the data to hold it ransom with a threat of a leak, security and IT teams were caught off guard. While data leak prevention systems were in place from a long ago, the scope and origins were vastly different. In the rush of addressing this issue, security solutions seemed to have missed a step of subdividing those requirements into two separate categories which needs to be clarified for the security practitioners to implement effective and rapid measures.