By Lauren M. Drabic*
As the latest example of its shift in enforcement priorities, according to an internal memo obtained by Bloomberg Law, the Equal Employment Opportunity Commission (“EEOC”) has directed its investigators to close all pending charges alleging disparate impact discrimination by September 30, 2025. This directive comes in response to President Trump’s April 23, 2025, Executive Order entitled “Restoring Equality of Opportunity and Meritocracy,” which directed all federal agencies to “deprioritize enforcement of all statutes and regulations to the extent they include disparate-impact liability.”
Unlike claims of disparate treatment, which involve allegations that an employer intentionally discriminated against an employee because of his or her race, sex, age, national origin, disability, or other protected characteristic, intent is irrelevant to disparate impact claims. Instead, disparate impact claims challenge employment practices that appear neutral on their face, but that nonetheless adversely impact - i.e., disproportionately harm - individuals in a protected class. Under this theory, employers may be liable for discrimination if a facially neutral practice causes a significant, adverse effect on a protected group, unless the policy or practice is job-related and essential to business operations. Historically, employees have successfully challenged practices including pre-employment testing, height and weight requirements, physical strength tests, criminal background checks, and educational requirements when those practices did not relate to the requirements of the job and had no business necessity.
The current administration has targeted disparate impact liability as a hindrance to the ability of employers to make hiring and other employment decisions based on merit. As a result of the EEOC’s directive, the agency will close out all charges of disparate impact discrimination by September 30, 2025. However, this will not fully extinguish these claims. Instead, individuals who have filed charges alleging only disparate impact discrimination will receive a Notice of Right to Sue letter, which will allow them to pursue their claims in court within a specified timeframe. This could lead to a short-term influx of disparate impact claims in federal court. For charges alleging both disparate impact and disparate treatment, the EEOC will proceed with its investigation but focus exclusively on the disparate treatment claims.
The EEOC’s memo marks the latest example of the current administration’s shift in priorities and the ever-changing landscape of Title VII (Z&R has highlighted other recent examples here and here). However, it does not change the state of the law. Disparate impact discrimination remains unlawful under both Title VII and Ohio’s anti-discrimination statutes. Z&R will continue to monitor developments and stands ready to assist employers with strategic guidance on all matters related to Title VII.
*Lauren M. Drabic is an OSBA-certified specialist in labor and employment law and has extensive experience representing employers in discrimination, harassment, and other workplace enforcement matters. If you have questions about the changes occurring under Title VII, contact Lauren M. Drabic (lmd@zrlaw.com) by email or at 216.696.4441.
Monday, September 29, 2025
Monday, September 15, 2025
Patch Now; New Cybersecurity Compliance Deadlines Are About to Take Effect for Ohio’s Political Subdivisions
By Ami J. Patel and Dylan C. Brown*
On June 30, 2025, Ohio Governor Mike DeWine signed House Bill 96, a wide-ranging measure that touches multiple areas of state law. One part of that bill—codified at Ohio Rev. Code § 9.64—creates multiple cybersecurity mandates for Ohio’s political subdivisions. For purposes of the new requirements, a political subdivision includes any county, township, municipal corporation, or other local government entity smaller than the state itself.
Taking primary effect on September 30, 2025, Section 9.64 imposes three major obligations on every political subdivision: (1) mandatory incident notifications; (2) restrictions on ransomware payments; and (3) the adoption of a cybersecurity program. This alert highlights those requirements and what they mean for political subdivisions. If preparation has not yet begun, political subdivisions should act quickly—the deadlines are firm, and the obligations are substantial.
Incident Reporting – Effective September 30, 2025
Beginning September 30, 2025, Section 9.64 requires the reporting of any “cyber security incident,” defined to include: (a) a substantial loss of confidentiality, integrity, or availability of a political subdivision’s information system or network; (b) a serious impact on the safety and resiliency of operational systems and processes; (c) a disruption of the ability to conduct operations or deliver services; or (d) unauthorized access to systems or nonpublic information caused by a compromise of a cloud/managed service or a supply-chain compromise. On discovery of a cybersecurity incident, a political subdivision must notify Ohio Homeland Security’s Executive Director through the Ohio Cyber Integration Center (OCIC) as soon as possible but no later than seven (7) days, and must notify the Auditor of State as soon as possible but no later than thirty (30) days.
While OCIC’s online intake is evolving, the Auditor of State now provides a Cyber security Reporting Form that requests, at minimum:
- Point of contact (name, title, email, phone)
- Government entity type
- Date and time of the incident and the type of incident
- Whether any data was compromised
- Whether funds were lost, and the amount
- Whether a ransom was demanded, and whether it was paid
- If a ransom was paid, the ordinance or resolution approving payment
- Whether policies and procedures were in place at the time of the event
A link to the Ohio Auditor’s form can be found here. The OCIC will likely upload its report forms once developed here. The OCIC can be reached regarding cyber security-incident reporting at 614-387-1089 or OCIC@dps.ohio.gov, and the Auditor of State can be reached at 866-FRAUD-OH or cyber@ohioauditor.gov.
Ransomware Payments – Effective September 30, 2025
Ransomware attacks continue to grow more common and costly. While Ohio officials have generally discouraged ransom payments, the statute now sets specific rules for how political subdivisions may respond. Starting September 30, 2025, a political subdivision experiencing a ransomware incident shall not pay or otherwise comply with a ransom demand unless the subdivision’s legislative authority formally approves the payment or compliance in a resolution or ordinance that specifically states why doing so is in the subdivision’s best interest.
A ransomware incident is defined by the statute as a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a political subdivision's information technology systems or data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.
These situations often necessitate rapid decisions because critical systems—such as payroll, emergency communications, or utility services—can be locked down without warning, leaving officials with limited time to weigh operational, financial, and security consequences. In such cases, R.C. § 121.22(F) permits an emergency meeting with less than twenty-four hours’ notice while still complying with Ohio’s Open Meetings Act.
Cybersecurity Program Requirement – Effective January 1, 2026 (Counties and Cities) / July 1, 2026 (All Other Subdivisions)
The statute’s most demanding requirement is the adoption of a formal cybersecurity program. While it allows the longest timeline for compliance—January 1, 2026 for counties and cities, and July 1, 2026 for all other political subdivisions—subdivisions cannot wait to begin preparing. Building a compliant program will take time, resources, and coordination.
The statute requires each political subdivision to adopt a program that safeguards its data, information technology, and technology resources to ensure availability, confidentiality, and integrity. The program must align with generally accepted best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Controls. A well-designed program should:
- Identify and address the critical functions and cybersecurity risks of the political subdivision.
- Identify the potential impacts of a cybersecurity breach.
- Specify mechanisms to detect potential threats and cybersecurity events.
- Specify procedures for the political subdivision to establish communication channels, analyze incidents, and take actions to contain cybersecurity incidents.
- Establish procedures for the repair of infrastructure impacted by a cybersecurity incident, and the maintenance of security after the incident.
- Establish cybersecurity training requirements for all employees of the political subdivision; the frequency, duration, and detail of which shall correspond to the duties of each employee.
The statute also makes clear that annual cybersecurity training provided by the state—including the free Ohio Persistent Cyber Improvement (O-PCI) program delivered through the Ohio Cyber Range Institute—satisfies this requirement. This program offers tailored online, hybrid, and in-person training to equip employees with the skills needed to defend against cyberattacks.
Exactly what a compliant program looks like will vary depending on the size, resources, and existing safeguards of any political subdivision. The Auditor of State previously reviewed select cybersecurity practices in audits, but Section 9.64 now expands and transforms those expectations into binding law. Now is the time for subdivisions to evaluate what they have in place and identify the gaps.
The Road to Compliance
Information technology evolves quickly, while the law often lags behind. Federal statutes like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm–Leach–Bliley Act (GLBA), and the Federal Trade Commission Act impose security duties in certain sectors, but most entities have faced only a patchwork of state requirements. Ohio has now added to the patchwork.
If preparation has not yet begun, political subdivisions should act quickly. Section 9.64 represents a significant shift in Ohio law, moving cybersecurity expectations from best practices into binding obligations. Compliance will not be as simple as adopting a single policy or filling out a form. Subdivisions may need to designate a coordinator for incident reporting, map and evaluate their current information technology infrastructure, identify critical systems and risks, and implement new training requirements for staff. For some entities this will mean building entirely new programs; for others, it will mean reshaping existing practices to align with statutory standards. Either way, the process will take time, resources, and careful coordination across departments, elected officials, and outside vendors.
At Zashin & Rich, we understand that these new requirements can feel daunting. The deadlines are firm, the technical issues are complex, and the risks of missteps are real. We can help you break this down into manageable steps. Our team can advise on what the statute requires, draft internal policies and ransomware protocols, prepare ordinances or resolutions for Council approval, and connect you with our trusted cybersecurity partner to conduct assessments and implement a compliant program. Now is the time to get on the road to compliance, and we can be your driver.
*Ami J. Patel is Z&R’s Practice Leader for Trade Secrets/Non-competes. She has years of experience representing clients in matters heavily influenced by information technology. Dylan C. Brown represents public and private employers in all facets of labor and employment law. For more information on House Bill 96, Ohio Rev. Code § 9.64, and its impact on political subdivisions, contact Ami J. Patel (ajp@zrlaw.com) or Dylan C. Brown (dcb@zrlaw.com) by email or at 216.696.4441.
Monday, September 8, 2025
Non-Competes Are Alive and Well: FTC Abandons Appeals of Non-Compete Ban Rule
By Ami J. Patel and Stephen S. Zashin*
The legal battle over the FTC’s nationwide non-compete ban has reached a decisive turning point. On September 5, 2025, the FTC dismissed its appeals of two federal court decisions that struck down the FTC’s purported Non-Compete Rule (“Rule”) and announced that it will instead pursue case-by-case enforcement actions.
As mentioned in our previous Alerts, the Federal Trade Commission adopted a rule in April 2024 banning most non-compete agreements. The Rule faced immediate challenges. On August 14, 2024, the U.S. District Court for the Middle District of Florida issued a preliminary injunction in Properties of the Villages Inc. v. FTC, blocking enforcement against a single employer. Days later, on August 20, 2024, the U.S. District Court for the Northern District of Texas went further in Ryan LLC v. FTC, holding that the FTC lacked statutory authority and setting aside the Rule nationwide. The FTC appealed both rulings to the Eleventh Circuit and Fifth Circuit.
In January 2025, Andrew Ferguson was appointed as FTC Chairman, shifting the agency’s posture toward the Rule. On March 7, 2025, the FTC asked the Fifth and Eleventh Circuits to hold its appeals in abeyance for 120 days. Ferguson, who dissented when the FTC first adopted the Rule in April 2024, reiterated that the Rule was unlawful.
The FTC’s shift is now seemingly finalized, as on September 5, 2025, the FTC voluntarily dismissed its appeals in Ryan LLC v. FTC and Properties of the Villages Inc. v. FTC, abandoning its defense of the nationwide non-compete ban. Chairman Andrew Ferguson confirmed that the FTC would not continue “tilting at windmills” and instead will target non-competes through case-by-case enforcement. The agency pointed to its recent settlement with Gateway Services Inc., which barred enforcement of non-competes against 1,800 workers, and launched a request for public input to identify additional practices for investigation. Democratic Commissioner Rebecca Kelly Slaughter dissented, criticizing the majority for discarding a rule supported by more than 25,000 public comments.
Employers should not view the dismissal of these appeals as the complete end of FTC scrutiny—but close. The Commission has made clear that it will continue to challenge non-compete agreements on a case-by-case basis. At the same time, some state-level restrictions continue to expand. Employers should take this moment to review their restrictive covenants, confirm they are narrowly tailored to protect legitimate business interests, and ensure they remain defensible under state law. Zashin & Rich stands ready to help employers evaluate and strengthen their agreements in this evolving legal landscape.
*Ami J. Patel is Z&R’s Practice Leader for Trade Secrets/Non-competes. She works extensively in trade secret and restrictive covenant litigation. Stephen Zashin is Z&R’s Managing Partner and also has worked extensively representing clients in trade secret and restrictive covenant litigation. For more information on matters concerning the FTC Rule or non-compete agreements generally, contact Ami J. Patel (ajp@zrlaw.com) or Stephen S. Zashin (ssz@zrlaw.com) via email or by phone at 216.696.4441.