Monday, September 15, 2025

Patch Now; New Cybersecurity Compliance Deadlines Are About to Take Effect for Ohio’s Political Subdivisions

By Ami J. Patel and Dylan C. Brown*

On June 30, 2025, Ohio Governor Mike DeWine signed House Bill 96, a wide-ranging measure that touches multiple areas of state law. One part of that bill—codified at Ohio Rev. Code § 9.64—creates multiple cybersecurity mandates for Ohio’s political subdivisions. For purposes of the new requirements, a political subdivision includes any county, township, municipal corporation, or other local government entity smaller than the state itself.

Taking primary effect on September 30, 2025, Section 9.64 imposes three major obligations on every political subdivision: (1) mandatory incident notifications; (2) restrictions on ransomware payments; and (3) the adoption of a cybersecurity program. This alert highlights those requirements and what they mean for political subdivisions. If preparation has not yet begun, political subdivisions should act quickly—the deadlines are firm, and the obligations are substantial.

Incident Reporting – Effective September 30, 2025


Beginning September 30, 2025, Section 9.64 requires the reporting of any “cybersecurity incident,” defined to include: (a) a substantial loss of confidentiality, integrity, or availability of a political subdivision’s information system or network; (b) a serious impact on the safety and resiliency of operational systems and processes; (c) a disruption of the ability to conduct operations or deliver services; or (d) unauthorized access to systems or nonpublic information caused by a compromise of a cloud/managed service or a supply-chain compromise. On discovery of a cybersecurity incident, a political subdivision must notify Ohio Homeland Security’s Executive Director through the Ohio Cyber Integration Center (OCIC) as soon as possible but no later than seven (7) days, and must notify the Auditor of State as soon as possible but no later than thirty (30) days.

While OCIC’s online intake is evolving, the Auditor of State now provides a Cybersecurity Reporting Form that requests, at minimum:
  • Point of contact (name, title, email, phone)
  • Government entity type
  • Date and time of the incident and the type of incident
  • Whether any data was compromised
  • Whether funds were lost, and the amount
  • Whether a ransom was demanded, and whether it was paid
  • If a ransom was paid, the ordinance or resolution approving payment
  • Whether policies and procedures were in place at the time of the event


A link to the Ohio Auditor’s form can be found here. The OCIC will likely upload its report forms once developed here. The OCIC can be reached regarding cybersecurity incident reporting at 614-387-1089 or OCIC@dps.ohio.gov, and the Auditor of State can be reached at 866-FRAUD-OH or cyber@ohioauditor.gov.

Ransomware Payments – Effective September 30, 2025


Ransomware attacks continue to grow more common and costly. While Ohio officials have generally discouraged ransom payments, the statute now sets specific rules for how political subdivisions may respond. Starting September 30, 2025, a political subdivision experiencing a ransomware incident shall not pay or otherwise comply with a ransom demand unless the subdivision’s legislative authority formally approves the payment or compliance in a resolution or ordinance that specifically states why doing so is in the subdivision’s best interest.

A ransomware incident is defined by the statute as a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a political subdivision's information technology systems or data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.

These situations often necessitate rapid decisions because critical systems—such as payroll, emergency communications, or utility services—can be locked down without warning, leaving officials with limited time to weigh operational, financial, and security consequences. In such cases, R.C. § 121.22(F) permits an emergency meeting with less than twenty-four hours’ notice while still complying with Ohio’s Open Meetings Act.

Cybersecurity Program Requirement – Effective January 1, 2026 (Counties and Cities) / July 1, 2026 (All Other Subdivisions)


The statute’s most demanding requirement is the adoption of a formal cybersecurity program. While it allows the longest timeline for compliance—January 1, 2026 for counties and cities, and July 1, 2026 for all other political subdivisions—subdivisions cannot wait to begin preparing. Building a compliant program will take time, resources, and coordination.

The statute requires each political subdivision to adopt a program that safeguards its data, information technology, and technology resources to ensure availability, confidentiality, and integrity. The program must align with generally accepted best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Controls. A well-designed program should:

  • Identify and address the critical functions and cybersecurity risks of the political subdivision.
  • Identify the potential impacts of a cybersecurity breach.
  • Specify mechanisms to detect potential threats and cybersecurity events.
  • Specify procedures for the political subdivision to establish communication channels, analyze incidents, and take actions to contain cybersecurity incidents.
  • Establish procedures for the repair of infrastructure impacted by a cybersecurity incident, and the maintenance of security after the incident.
  • Establish cybersecurity training requirements for all employees of the political subdivision; the frequency, duration, and detail of which shall correspond to the duties of each employee.

The statute also makes clear that annual cybersecurity training provided by the state—including the free Ohio Persistent Cyber Improvement (O-PCI) program delivered through the Ohio Cyber Range Institute—satisfies this requirement. This program offers tailored online, hybrid, and in-person training to equip employees with the skills needed to defend against cyberattacks.

Exactly what a compliant program looks like will vary depending on the size, resources, and existing safeguards of any political subdivision. The Auditor of State previously reviewed select cybersecurity practices in audits, but Section 9.64 now expands and transforms those expectations into binding law. Now is the time for subdivisions to evaluate what they have in place and identify the gaps.

The Road to Compliance


Information technology evolves quickly, while the law often lags behind. Federal statutes like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm–Leach–Bliley Act (GLBA), and the Federal Trade Commission Act impose security duties in certain sectors, but most entities have faced only a patchwork of state requirements. Ohio has now added to the patchwork.

If preparation has not yet begun, political subdivisions should act quickly. Section 9.64 represents a significant shift in Ohio law, moving cybersecurity expectations from best practices into binding obligations. Compliance will not be as simple as adopting a single policy or filling out a form. Subdivisions may need to designate a coordinator for incident reporting, map and evaluate their current information technology infrastructure, identify critical systems and risks, and implement new training requirements for staff. For some entities this will mean building entirely new programs; for others, it will mean reshaping existing practices to align with statutory standards. Either way, the process will take time, resources, and careful coordination across departments, elected officials, and outside vendors.

At Zashin & Rich, we understand that these new requirements can feel daunting. The deadlines are firm, the technical issues are complex, and the risks of missteps are real. We can help you break this down into manageable steps. Our team can advise on what the statute requires, draft internal policies and ransomware protocols, prepare ordinances or resolutions for Council approval, and connect you with our trusted cybersecurity partner to conduct assessments and implement a compliant program. Now is the time to get on the road to compliance, and we can be your driver.

*Ami J. Patel is Z&R’s Practice Leader for Trade Secrets/Non-competes. She has years of experience representing clients in matters heavily influenced by information technology. Dylan C. Brown represents public and private employers in all facets of labor and employment law. For more information on House Bill 96, Ohio Rev. Code § 9.64, and its impact on political subdivisions, contact Ami J. Patel (ajp@zrlaw.com) or Dylan C. Brown (dcb@zrlaw.com) by email or at 216.696.4441.