As noted in previous Legal Ledger posts, House Bill (HB) 96, Ohio’s budget bill, includes several important changes for Ohio school districts. This week’s post focuses on the new cybersecurity requirements, which will appear as Ohio Revised Code section 9.64 when the bill takes effect on Sept. 30, 2025.

The new language requires government entities, including school districts, to do the following:

  1. Implement a cybersecurity program. Each district must adopt a cybersecurity program that safeguards the district’s data, information technology and information technology resources to ensure availability, confidentiality and integrity. The program must align with “generally accepted best practices for cybersecurity,” such as those provided by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).  

During a recent webinar hosted by CyberOhio, it was announced that the Auditor of State will begin checking school districts for compliance with the requirement to adopt a cybersecurity program starting July 1, 2026. CyberOhio and the Auditor’s office plan to co-host a follow-up webinar later this month with guidance on building a compliant cybersecurity program under HB 96.

  1. Obtain board approval before responding to a ransom demand. The new HB 96 language prohibits a school district experiencing a ransomware incident from paying or otherwise complying with a ransom demand unless the district’s board of education formally approves the payment or compliance in a resolution that specifically states why it is in the best interest of the school district.
  2. Report cybersecurity incidents to the state within specific timeframes. Districts must report any cybersecurity or ransomware incident to both the Ohio Cyber Integration Center (OCIC) and the Auditor of State. Reports to OCIC must be made as soon as possible, but no later than seven days after discovery of the incident. Reports to the Auditor of State must also occur as soon as possible, but no later than 30 days after the political subdivision discovers the incident.

CyberOhio plans to post a Frequently Asked Questions document on its website to address common concerns and clarify expectations. OSBA’s legal division will continue to monitor developments and will provide updates as they are available. If you have questions in the meantime, please call us at 855-OSBA-LAW or work with your district’s legal counsel.

Posted by Sara C. Clark on 8/4/2025