The contractors working on the HealthCare.gov project could have conducted an inventory of the kind of data that the Web applications associated with it would be handling. The inventory would help establish a priority, such as focusing on the Web apps that directly handle personally identifiable information. The BSIMM study found that organizations commonly undertake data classification. For example, organizations may classify according to protection of intellectual property, impact of disclosure or exposure to attack. Once a data classification system is put in place, it should be strictly maintained and reviewed periodically, say security experts.