OHIO — Ohio is changing cybersecurity standards for local governments.
[DOWNLOAD: Free WHIO-TV News app for alerts as news breaks]
The new law focuses on protecting your information and the everyday services you get from your local government.
As reported on News Center 7 at 6:00, I-Team Lead Investigative Reporter John Bedell has been looking into the changes governments must make starting tomorrow.
TRENDING STORIES:
- Brush clearing crew finds human remains behind Enon home
- 4 killed, 8 wounded in Michigan church shooting, fire
- Man hospitalized after being found shot multiple times in Miami County
Lawmakers put the language dealing with the cybersecurity tweaks in the first 40 pages of the state budget.
These days, whether it’s court records, utility bills, or even tax records, our local governments store all kinds of sensitive information about us electronically.
That’s information criminals are after.
“Bad guys, both nation-state actors and criminals, are taking advantage of the modern infrastructure that we built to service ourselves and are holding it hostage,” Kirk Herath, Cybersecurity Strategic Advisor to Governor Mike DeWine, said.
Bedell talked to Herath about recent ransomware attacks and the specific cyberattacks News Center 7 covered targeting local governments.
“They can wreak havoc on critical services,” Herath said.
And the changes in Ohio law dealing with new cybersecurity requirements for public governments.
Starting Tuesday, if a local government suffers a cyber incident, it has to report it to the Ohio Department of Public Safety and the Ohio Auditor’s Office.
Also starting Tuesday, for ransomware, there are changes to the approval procedure if a local government decides to make a payment.
“You can’t just pay ransomware in the middle of the night without anybody knowing. Your council or your board has to do a public resolution,” Herath said.
Counties and cities must have a cyber program, including training for employees, in place by Jan. 1. All other local governments have until July 1 to do so.
Last month, West Chester Township reported being hit by a potential cybersecurity incident.
The City of Middletown was also hit with a cyberattack last month.
News Center 7 has reported on how it impacted several city services.
In late 2023, the City of Huber Heights declared a state of emergency after a ransomware attack.
News Center 7’s John Bedell reached out to 13 local governments asking about the changes this new law will make. He received the following responses:
“We are in the process of, and in discussion with our vendors, to formalize our existing process into a written policy. No major changes are anticipated in our practices, as nearly all of the requirements in the law were put into place following the City’s November 2023 cyber incident.”- City of Huber Heights IT Department
“We are aware of the new standards that were included in HB 96. We think it is a good idea for all political subdivisions to have good policy around cyber security and we suspect most of them already do. HB 96 just forces the issue with any of them who do not. Our IT Department has modified our Comprehensive Cybersecurity Plan that has been in place for years to address all of the new items. The main two additions being around cyber incident reporting to the state and the requirement for a formal resolution from the Commissioners if they were to choose to pay a ransom. We are having team meetings to further refine the policy over the next month or so and we expect it to be approved by the appropriate boards well ahead of the January 1, 2026 deadline.”- Brandon Huddleson, County Administrator, Greene County
“The City is committed to maintaining strong cybersecurity practices and is attentive to the requirements outlined in HB 96. We are confident that our current program aligns with the state’s standards and will continue to evolve as new guidance emerges. Safeguarding City systems and information remains a top priority, and we will continue working with state and federal partners to ensure resilience and readiness.”- City of Dayton
“The City of Kettering was well positioned to comply with the new state legislation by having a comprehensive cybersecurity program already in place. The main changes involve formal documentation rather than operational adjustments.
City Council adopted a resolution formalizing the cybersecurity program, and staff created administrative policies documenting existing best practices and frameworks. The city also updated its incident response plan to include required notifications to the Ohio Auditor of State and Department of Public Safety.”
The new law also strengthens defenses by exempting many cybersecurity records from public disclosure requirements. Previously, cyber threat actors attempted reconnaissance by requesting documents about the city’s technology and security systems through public records requests.”
Again, our existing program already met these standards, so the legislation primarily formalizes practices and closes vulnerabilities. The city continues prioritizing cybersecurity to protect residents’ data and municipal systems.”- Amanda Harold, City of Kettering Communications and Engagement Manager
“Clark County has long embraced the core principles of risk management and incident response planning that are outlined in HB 96. This legislation simply formalizes what we have been practicing.”- Clark County Administrator Jennifer Hutchinson
“Troy has been substantially in compliance with the new local government cyber standards for about two years, so won’t need to make any significant changes at this time.”- City of Troy
“The City of Springfield already has many of the protections outlined in HB 96 in place, including staff training, cybersecurity policies and incident response measures. We are reviewing the law to ensure full compliance, in alignment with the Auditor of State’s emphasis on safeguarding taxpayer dollars, especially as ransomware attacks against local governments continue to increase nationwide. We remain fully committed to protecting our systems, our community, and the public resources entrusted to us.”- Karen Graves, City of Springfield Communications Director
“The new standards outlined in the state budget largely validate the proactive steps our IT team has been taking to protect our systems and community data. These updates reinforce that we have been on the right path. To align with the new requirements, we will be formally documenting our cybersecurity plan and having City Council adopt it.”- City of Centerville
“Montgomery County already has all the required cybersecurity standards in place to comply with the new law, and we take this responsibility very seriously. Protecting sensitive data and safeguarding the information of our residents and employees is a top priority. We also regularly review and update our practices to align with industry best practices and keep our systems secure.”- Jim Brandenburg, Director of Information Technology, Montgomery County Board of County Commissioners
“The City of Fairborn is actively updating its cybersecurity program to align with the new standards in Ohio law. Most of the changes are procedural, ensuring each department has its own action plan, that third-party vendors are covered, and that we meet the state reporting requirements. We are on track to be in full compliance with state law by January 2026, and we view these updates as strengthening the protections we already have in place for city services and resident information.”- Emily Gay, Communications Manager for the City of Fairborn.
“The City of Xenia is committed to enhancing our security framework and greatly values the State of Ohio’s support in advancing these standards. Our City has previously implemented most of the best practices now required as provisions of H.B. 96, though we are in the process of consolidating these functions into a broader policy. We eagerly anticipate further clarification and guidance from the State regarding some questions the new legislation has presented, most notably how local legislative approval should be pursued in light of the sensitive nature of the topic.”- City of Xenia
News Center 7 will continue to follow this story.
[SIGN UP: WHIO-TV Daily Headlines Newsletter]
©2025 Cox Media Group
