
Local authorities in Ohio now require public consent prior to making ransom payments under new cybersecurity regulations.

Local authorities are now mandated to establish cybersecurity protocols and publicly disclose payments made to hackers following ransom attacks.

Local governments in Ohio are now required to secure public authorization prior to making ransom payments under revised cybersecurity regulations.

In a bid to bolster cybersecurity and protect taxpayers' money and personal information, Ohio has enacted new regulations for local governments. The rules, which form part of House Bill 96 and were passed as part of the state budget bill on June 30, 2025, will come into effect on September 30, 2025.

The new regulations mandate all political subdivisions, including counties, municipalities, townships, and school districts, to implement comprehensive cybersecurity programs. These programs must protect the availability, confidentiality, and integrity of their information systems, following best practices such as those from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS).

Key Requirements

The cybersecurity programs must include several components, such as risk identification, threat detection, incident response, employee training, and post-incident security. Local governments are also required to provide annual cybersecurity awareness training to all employees to enhance security practices and awareness.

One of the notable requirements is the explicit approval procedure for ransom payments. Any such payment must be formally approved by the local government’s legislative body in a public meeting, ensuring transparency and taxpayer awareness. Upon experiencing a cyberattack, local governments must report the incident promptly to state safety officials within 7 days and to the state auditor within 30 days.

Transparency and Accountability

The new law aims to enhance transparency by requiring open legislative approval of ransom payments and timely reporting of cybersecurity incidents. This move is intended to reinforce public confidence and enable better statewide cybersecurity coordination.

The regulations come in response to an increase in sophisticated cybercrime and the shift of government services and transactions online. At least 12 other states have passed laws addressing ransomware, including Florida and North Carolina, which have total bans on ransomware payments.

Compliance and Concerns

Many local-government officials are trying to comply with the new regulations. However, some have expressed concerns about the affordability of adopting cybersecurity plans consistent with national best practices, as the state budget includes no funding for such work.

Kent Scarrett, Executive Director of the Ohio Municipal League, and Keary McCarthy, Executive Director of the Ohio Mayors' Alliance, wished the new rules had been passed in a standalone bill, rather than enacted via the state budget. Scarrett expressed opposition to the new rules as an infringement on local governments' home-rule authority.

Columbus Mayor Andrew Ginther, however, approved a $4 million ransom payment, which was later signed off on by Columbus City Council. A whistleblower later revealed that a massive trove of residents' personal information was leaked, refuting Ginther's claims that the data was unusable. McCarthy also expressed concern that requiring local governments to make decisions on ransomware demands in public could unintentionally jeopardize the investigation into the cybercrime.

In summary, Ohio’s new law mandates all local governments to adopt structured cybersecurity programs with strong standards, employee training, explicit approval procedures for ransom payments, and mandatory cyberattack reporting to state authorities, effective from September 30, 2025. The regulations are intended to increase transparency, protect taxpayers' money and personal information, and provide a framework for responding to cyberattacks.

In line with the new regulations, Ohio local governments are mandated to implement comprehensive cybersecurity programs that adhere to best practices from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), as part of their efforts to boost cybersecurity and protect taxpayers' information. The legislation also entails an explicit approval procedure for ransom payments and timely reporting of cybersecurity incidents to ensure transparency and accountability.

As politics influences the implementation of these new cybersecurity policies, some local-government officials have raised concerns about the affordability of adopting cybersecurity plans consistent with national best practices. The debate over cybersecurity policy and legislation is not limited to Ohio, with at least 12 other states having already passed laws addressing ransomware.
