25 July 2025

Ohio Budget Bill Requires Counties, Townships, And Cities To Enact Cybersecurity Program By September 29

Taft Stettinius & Hollister


Special thanks to Taft Summer Associate Richard Roediger for his significant contributions to this post.

On May 20, 2025, Ohio Rep. Adam Mathews (District 56) and Ohio Rep. Haraz N. Ghanbari (District 75) introduced Ohio House Bill 283 (the Act), legislation that requires political subdivisions within the state to enact cybersecurity programs. In Ohio, a "political subdivision" is a county, township, municipal corporation, or other body corporate and politic responsible for governmental activities in a geographic area smaller than the whole state.

The Act's language was incorporated in its entirety into Ohio's state budget bill passed on June 30, 2025.

Privacy and security experts will argue that a mandated cyber program is long overdue. But complicating a political subdivision's compliance efforts is the fact that time is short. The Act's provisions will go into effect on September 29, 2025. Not only will political subdivisions need to determine how best to build an effective program efficiently, but they will also need to prepare for restrictions on how to deal with ransomware security threats. Below are some of the key features of the Act's requirements:

Adoption of Cybersecurity Program

The Act places a wide array of responsibilities on local governmental bodies. Generally, it requires political subdivisions to adopt a cybersecurity program consistent with best practices, and cites the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security Cybersecurity Best Practices as potential guidelines.

More specifically, the Act lists minimum requirements for what a program should do:

  • identify and address critical functions and cybersecurity risks,
  • identify potential breach impacts,
  • specify threat-detection mechanisms,
  • create procedures to analyze and contain cybersecurity incidents and establish communication channels, and
  • create procedures to repair infrastructure and maintain security following an incident.

The Act also requires political subdivisions to implement employee cybersecurity training. The level and frequency of training for a given employee should correspond to their duties.

Cybersecurity Incident Response

The Act imposes additional duties on political subdivisions when "cybersecurity incidents" and "ransomware incidents" occur. A cybersecurity incident involves any of the following:

  • a loss of system or network confidentiality, integrity, or availability,
  • an impact on the safety and resilience of operational systems and processes,
  • disruptions in business or industrial operations, or in the ability to deliver goods and services, or
  • unauthorized system or network access caused by (i) a compromise of a third-party data hosting provider, or (ii) a supply chain compromise.

Ransomware incidents are a subset of cybersecurity incidents that involve an actor first using software to either (1) gain unauthorized access to a subdivision's information technology systems or data, or (2) otherwise render the systems or data unavailable to the subdivision. The actor then demands a ransom payment to prevent the data's publication, restore the subdivision's access to the data, or otherwise remedy the actor's software's effects.

Post-Incident Requirements

After any cybersecurity incident occurs, the political subdivision must report all incidents to the Executive Director of the Homeland Security division within the Department of Public Safety as soon as possible, but no later than seven days after discovering the incident. The political subdivision must also report all incidents to the Auditor of State as soon as possible, but no later than thirty days after discovering the incident.

In the case of a ransomware incident, the Act prohibits a political subdivision from complying with the demand unless its legislative authority passes a resolution or ordinance specifically stating why compliance is in the subdivision's best interest.

Recommendations

Although the Act significantly changes political subdivisions' responsibilities, at a minimum they can implement the following measures to help ensure that their cybersecurity programs are effective.

  1. Implement data classification and mapping policies to enable the subdivision to readily identify and locate its electronic documents. Such policies are prerequisites to any effective cybersecurity program.
  2. Adopt an enterprise-wide security policy that keeps all employees on the same page regarding cybersecurity issues.
  3. Execute thorough training and awareness efforts to reduce the risk of cybersecurity and ransomware incidents arising in the first place and inform employees of legal requirements if an incident does occur.
  4. Develop, implement, and test an incident response plan. Such a plan provides a playbook to help guide decisions during and after an incident.

Implementing a robust cybersecurity program is a complicated process. Political subdivisions should consult qualified legal counsel to ensure that their program both complies with the new law and is effective in limiting risks associated with cybersecurity and ransomware incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
