Ohio Law Imposes New Cybersecurity Requirements For Local Government

December 3, 2025 | Legal Alerts

The worlds of local government and cybersecurity have officially collided. Recently implemented Ohio House Bill 96 requires every county, township, municipality and school district to adopt a formal cybersecurity program. As daunting as it sounds, don’t worry: it’s not quite the level of a cyber apocalypse. It is, however, a sign that cybersecurity is constantly changing, and that the days of “set-it-and-forget-it” IT security are a thing of the past.

What Does The Law Mean For Local Governments?

House Bill 96, now codified in Ohio Revised Code § 9.64, quietly slipped into law as part of the 2025 state budget. It establishes new requirements for certain government-run entities, imposing additional obligations in relation to cybersecurity and data privacy. In short, every “political subdivision” (i.e., local government entity or school district) must:

  • Implement a Cybersecurity Program – Each political subdivision must “develop and adopt a cybersecurity program that safeguards the political subdivision’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity”. The program must be consistent with generally accepted best practices, such as the NIST Cybersecurity Framework or the CIS Controls. The legislative authority of each political subdivision is responsible for formally adopting the cybersecurity program. This means that city council or a comparable legislative body should take the initiative to get ahead of the state’s new requirements, or risk falling behind. Once adopted, the program should extend to all entities operating within the political subdivision, including systems managed by other office holders.

Among other things, the program must incorporate the following core tenets:

  • Risk Identification – The program must identify the critical functions and cybersecurity risks of the political subdivision.
  • Impact Assessment – A political subdivision must assess cyber risks and identify potential impacts of a cybersecurity breach.
  • Training – Employees will be expected to complete mandatory annual cybersecurity training.
  • Threat Detection – The program must specify mechanisms to detect threats and cybersecurity events.
  • Infrastructure Repair and Maintenance – The program should plan for recovery and continuity of operations and systems.
  • Incident Response – The subdivision must establish incident response procedures, including procedures for communication, incident analysis, containment and repair of infrastructure impacted by a cybersecurity incident.[1]
  • Adhere to Incident Reporting Requirements – In the event of a cybersecurity or ransomware incident, a political subdivision must:
    • Report the incident to the Ohio Department of Public Safety (Division of Homeland Security - Ohio Cyber Integration Center) within 7 days of discovering the incident.
    • Report the incident to the Ohio Auditor of State within 30 days of discovering the incident.
  • Adhere to Ransom-Payment Restrictions – If a subdivision experiences a ransomware incident, it may not pay or comply with a ransom demand unless its legislative body (i.e., city council or school board) passes a formal resolution or ordinance stating the payment is in the best interest of the subdivision. The resolution must justify why payment is in the best interest of the jurisdiction pursuant to Ohio Revised Code § 9.64(B).
  • Impose Employee Training and Minimum Controls – The law also requires political subdivisions to ensure employees receive cybersecurity awareness training. The good news is that the State is offering some great free resources to help entities get started. These free resources, offered through CyberOhio, can be found here.
  • Maintain Confidentiality of Cybersecurity Records – Records relating to the cybersecurity program, incident reports and cybersecurity-related procurement are to be treated as “security records” and are exempt from public-records disclosure under Ohio law.

The new law applies to all data managed by political subdivisions, regardless of type or classification. This includes confidential information, personally identifiable information, sensitive personal information, public and non-confidential data, and state-controlled or shared data. The law does not assign different levels of control to each data category; however, more sensitive data, such as Social Security Numbers or Driver’s Licenses, may require stronger safeguards consistent with the NIST Cybersecurity Framework and CIS Controls.

What Should Local Governments Do From A Legal Standpoint?

From a legal and compliance perspective, Ohio Revised Code § 9.64 creates a statutory duty of care for local governments in managing cyber risk. Non-compliance may expose a political subdivision to audit requirements, increased liability (including potential tort claims and exposure to class action lawsuits stemming from a data breach) or reputational risk. A well-documented cybersecurity program and incident response plan will serve as a mitigation tool in the instance of legal or regulatory scrutiny.

From a practical standpoint, a political subdivision should consider taking the following actions:

  • Take an Inventory – Identifying the systems, data and IT infrastructure that support critical services is an important first step in understanding the environment the political subdivision is working within.
  • Conduct a Risk Assessment – Conducting a risk assessment will identify threats and vulnerabilities within a given system. A risk assessment will also help gauge the potential impact of different types of security incidents.
  • Implement or Review a Compliance Program – Adopting new and reviewing old policies, procedures, monitoring, detection, response and recovery controls aligned with NIST or CIS frameworks.
  • Implement an Incident Response Plan – Putting an incident response plan in place that defines roles, responsibilities, communication channels, procedures for containment, remediation and restoration is the cornerstone of a cybersecurity program.
  • Conduct Training Sessions – Requiring all employees to complete annual cybersecurity awareness training and periodic refreshers is a key component of complying with the new law.
  • Address Governance Procedures Regarding Ransom Payments – Taking preliminary measures within a political subdivision’s legislative body to ensure the body understands the ransom-payment restriction requirement, and instituting procedures for a resolution-approval process, will help address the time-sensitive nature of a typical ransom incident.
  • Institute Reporting Protocols – Establishing internal procedures for notifying appropriate state officials, such as the Ohio State Auditor and the Ohio Department of Public Safety, within the required timeframes should be a top priority.
  • Maintain Documentation – Ensuring that proper record-keeping procedures are in place to document all policies, procedures and other measures taken by a political subdivision to comply with the law is key to showing a good-faith effort to meet the statute’s obligations.
  • Review Current Vendor Policies – Assessing the current state of affairs with cybersecurity vendors and IT providers, and proactively informing those trusted advisors of the change in state law, is a good idea. A Business Associate Agreement might be necessary to ensure that compliance with all laws is met and exceeded.

At the end of the day, proactive measures are the first and best line of defense against threat actors—which is why they are strongly suggested by statute.

What to Expect Next

The law is currently in effect, but regulatory oversight and scrutiny are forthcoming. The Ohio Auditor of State has indicated (through webinars presented by CyberOhio) that county and city governments should have a program in place by January 1, 2026. For all other entities, including school districts, the deadline will be July 1, 2026.

The Ohio Auditor of State’s office will be tasked with enforcing Ohio Revised Code § 9.64; the office will conduct routine audit cycles to check whether a political subdivision has built and maintained a cybersecurity program meeting the law’s core components and reporting requirements. An audit is not meant to be punitive; rather, the Auditor may provide a corrective action plan that makes sense for a political subdivision based on its size and risk exposure. The Ohio Auditor of State is currently developing detailed compliance procedures, which are anticipated to be released prior to the January 1, 2026 expected implementation date.

How Can Dinsmore Help?

The changes and mandatory implementation of a cybersecurity program as a result of Ohio House Bill 96 are sure to create compliance and implementation questions that are complex and difficult to navigate. Dinsmore’s cybersecurity team has experience building out comprehensive and tailored cybersecurity programs and data privacy policies specific to each entity’s needs. Dinsmore offers guidance to help businesses understand their obligations, ensure compliance and make informed decisions. We have a wealth of experience representing some of the largest municipalities in the state with respect to cybersecurity matters and help implement these changes confidently and effectively. Should you have any questions, please do not hesitate to contact our offices.

Resources for article:

[1] Ohio Revised Code § 9.64(A)(1) defines a “cybersecurity incident” as any of the following: (a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network; (b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (d) unauthorized access to an entity’s information system or network, or nonpublic information contained therein, that is facilitated through or is caused by: (i) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or (ii) a supply chain compromise.