
Understanding Ohio House Bill 96: Key Insights and Implications

  • systems8996
  • 12 hours ago

Ohio has enacted a new cybersecurity law (House Bill 96) for political subdivisions, including counties, townships, and school districts, effective September 30, 2025. This law mandates the creation of written cybersecurity programs, consistent with best practices like the NIST Cybersecurity Framework and CIS Controls, to protect against cyberattacks. The law also restricts ransom payments in ransomware attacks unless formally approved by the legislative authority. 


Effective Sept. 30, 2025, upon discovering a cybersecurity incident or ransomware incident, political subdivisions must notify Ohio Homeland Security within seven days and the Auditor of State within 30 days. Additionally, counties and cities must adopt a cybersecurity program/policy by Jan. 1, 2026, and all other entities by July 1, 2026.

 

Key aspects of the new law:

 

Cybersecurity Programs:

Local governments must develop and implement cybersecurity programs that address various aspects of cyber risk management. 

 

Best Practices:

These programs should be aligned with established frameworks like the NIST Cybersecurity Framework and the CIS Controls. 

 

Ransomware Restrictions:

Paying a ransom in response to a ransomware attack is prohibited unless approved by the legislative authority, ensuring public accountability. 

 

Incident Response:

The law requires local governments to establish procedures for incident response, including containment, communication with law enforcement, and public communication. 

 

Training Requirements:

Employee training in cybersecurity best practices is mandated, with training frequency and depth tailored to each employee's role. 

 

Public Accountability:

The law emphasizes transparency and public deliberation when responding to cyber incidents, particularly those involving ransomware payments. 

 

Why this law is important:

 

Growing Cyber Threats:

Cyberattacks on local governments are on the rise, with incidents like the Washington Court House ransomware attack demonstrating the vulnerability of many local jurisdictions. 

 

Protecting Public Services:

Cyberattacks can disrupt essential public services, impacting public safety and constituent data privacy. 

 

Safeguarding Taxpayer Money:

The law's restrictions on ransom payments aim to prevent the misuse of taxpayer funds in response to cyber extortion. 

 

In essence, Ohio's new cyber law aims to enhance the cybersecurity posture of local governments, protect public services and funds, and ensure that responses to cyber incidents are handled transparently and responsibly. 


How we can help: Net2 Services has created a framework of policies, procedures, and tools to help your organization secure its networks and data, reach compliance by the mandated deadline, and be audit-ready.


 
 
 

Copyright © 2025 Mid-Ohio MSP
