Ohio House Bill 96 mandates cybersecurity programs for municipalities, school districts, and other public entities
On June 30, 2025, Ohio Governor Mike DeWine signed House Bill 96 (HB 96) into law. HB 96 requires Ohio political subdivisions of all levels to adopt a cybersecurity program. Counties and cities are expected to have a policy in place as of January 1, 2026. All other governing bodies, including school districts, are expected to have policies in place by this summer, July 1, 2026.
Who does the law apply to?
The law applies to any Ohio political subdivision, meaning any county, township, municipal corporation, school district, or other governing body formed under the state.
Overview
Cybersecurity policies:
A legislative authority of a political subdivision shall adopt a cybersecurity program that safeguards the political subdivision’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The program needs to be consistent with generally accepted practices such as the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS) frameworks. The program is encouraged to include the following:
- Identification of critical functions and risks
- Threat-detection system
- Incident response procedures
- Measures for recovery and ongoing security
- Security training requirements for all employees based on job duties
Additional notification requirements:
After a cybersecurity incident or ransomware incident, a legislative authority of a political subdivision is required to notify:
- The Ohio Department of Public Safety (DPS) no later than 7 days after the incident is discovered.
- The Ohio Auditor of State no later than 30 days after the incident is discovered.
Notification to Ohio DPS is intended to allow political subdivisions to receive rapid response and technical assistance from the Cyber Reserve. A report to the Ohio Auditor of State (OAOS) is intended to ensure the OAOS has the information it needs prior to its next audit.
Reportable incidents include the loss of data confidentiality, integrity, or availability that results in operational disruption, business continuity failure, or unauthorized access to an entity’s information system or network. A cybersecurity incident does not include mere threats of disruption, such as extortion. Events carried out in good-faith response to a request, or as lawfully authorized activity, do not rise to the level of an incident; nor do short-term minor system outages due to technical issues, or financial fraud or loss from a social engineering attack (such as payroll redirection or vendor redirection scams) leading to fraudulent or unauthorized payments.
Restriction on ransomware payments:
A political subdivision experiencing a ransomware incident shall not pay or otherwise comply with a ransom demand unless the political subdivision’s legislative authority formally approves the payment or compliance with the ransom demand in a resolution or ordinance that outlines why the payment or compliance is in the best interest of the political subdivision.
A ransomware incident involves malicious software, executed through unauthorized access, that encrypts, modifies, or disables data and results in a demand for payment to restore access or to prevent the release of the entity’s data.
If you have any questions about your political subdivision’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.