On June 30, 2025, Governor Mike DeWine signed into law (HB 96), a cybersecurity mandate that applies to all political subdivisions in Ohio—including counties, municipalities, townships, and school districts. The law, which takes effect 90 days after enactment – on September 30, 2025 – represents a significant shift in how local governments must approach digital risk management and data protection.
A Legislative Response to Escalating Threats
The passage of HB 96 reflects growing concern over the vulnerability of public sector entities to cyberattacks, particularly ransomware. In recent years, Ohio has witnessed a surge in cyber incidents targeting school systems, county recorders, and municipal utilities. HB 96 codifies a proactive framework for cybersecurity preparedness, modeled on best practices from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS). The framework includes a number of core requirements.
Cybersecurity Program Implementation
Under the new law, every local government must implement a cybersecurity program that ensures the availability, confidentiality, and integrity of its information systems. The program must include:
- Risk Identification: Assessing critical functions and vulnerabilities.
- Impact Identification: Assessing the potential impacts of a cybersecurity breach.
- Threat Detection: Establishing mechanisms to detect and respond to cyber events.
- Incident Response: Creating protocols for containment, communication, and recovery.
- Post-Incident Security: Ensuring infrastructure is secured and repaired after a breach.
- Employee Training: Conducting cybersecurity training tailored to employee roles.
These requirements are codified in Ohio Revised Code § 9.64(B), which mandates that each political subdivision “shall develop adopt a cybersecurity program that safeguards the political subdivision’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.”
Ransomware Restrictions
A particularly notable provision, § 9.64(B), prohibits local governments from paying ransoms in the event of a ransomware attack unless the legislative authority (e.g., city council or school board) formally approves the payment via resolution or ordinance. This requirement introduces a layer of public accountability and deliberation before taxpayer funds can be used to satisfy extortion demands.
Incident Reporting
Per § 9.64(D), in the event of a cybersecurity or ransomware incident, the political subdivision must 1) notify the executive director of the division of homeland security within the department of public safety within seven days, and 2) notify the auditor of state within thirty days.
Confidentiality of Cybersecurity Records
Per § 9.64(E) and § 9.64(F), records related to the cybersecurity program and incident reports are not public records, and procurement records identifying cybersecurity-related software, hardware, or services are classified as security records under Ohio law and, therefore, not subject to disclosure pursuant to public records requests.
Implications for School Districts
School districts, often operating with limited IT staff and outdated infrastructure, face unique challenges under HB 96. However, they also stand to benefit from centralized training resources and technical assistance. Boards of education should begin by designating a cybersecurity coordinator, conducting a baseline risk assessment, and reviewing existing policies for alignment with the new statutory requirements.
Conclusion
From a legal standpoint, HB 96 creates a statutory duty of care for local governments in managing cyber risk. Failure to comply could expose entities to audit findings, reputational harm, or increased liability in the event of a breach. Conversely, documented compliance may serve as a mitigating factor in litigation or enforcement actions.
HB 96 marks a significant evolution in the state’s approach to public sector cybersecurity. While the compliance burden is real, so too are the risks of inaction. With thoughtful planning and strategic use of resources, local governments and school districts can meet the challenge and better protect the public trust.
[View source.]
