By Andrew Thornton, Director of Sales, DataServ
A New Cybersecurity Mandate for Ohio Schools
Ohio’s new cybersecurity law, included in the biennial budget House Bill 96 (HB96), has been a hot topic in recent months. The new requirements add clear, statewide expectations for local government organizations, including public school districts, to put a documented cybersecurity program in place and to follow specific reporting timelines and procedures when incidents occur.
For schools, the stakes are especially high. From protecting student data to maintaining an uninterrupted learning environment, compliance with HB96 is not only a legal requirement but also a critical safeguard for all of Ohio’s school districts.
HB96 Cybersecurity Requirement Deadlines
- September 30, 2025 – Incident reporting requirements take effect
  - Districts must report cybersecurity incidents/ransomware events within 7 days to the Ohio Department of Public Safety’s Ohio Homeland Security (via OCIC).
  - They must also report within 30 days to the Auditor of State.
- January 1, 2026 – Counties and cities must adopt and implement a cybersecurity program by this date.
- July 1, 2026 – All other political subdivisions, including school districts, must adopt and implement their cybersecurity programs by this date.
What HB96 Actually Requires
The law requires each district’s board of education to formally adopt a cybersecurity program. It is important to note that HB96 does not mandate a single standard. Instead, it requires that programs align with generally accepted best practices. The statute names nationally recognized frameworks as examples districts may use to guide their cybersecurity programs, such as:
- NIST Cybersecurity Framework (CSF)
- CIS Critical Security Controls (CIS Controls)
Districts may choose one of these or another equivalent approach, as long as it reflects industry best practices and is appropriate for the district’s size and risk profile.
At a minimum, every program should include:
- Identification of critical systems and risks
- Threat detection processes
- Incident response procedures (communication, containment, recovery)
- Employee training requirements that match job responsibilities
Incident Reporting Requirements
When a cybersecurity incident or ransomware event occurs, schools must report it to two places:
1. Ohio Department of Public Safety’s Ohio Homeland Security (via the Ohio Cyber Reserve/OCIC): as soon as possible, no later than 7 days after discovery.
2. Auditor of State: as soon as possible, no later than 30 days after discovery.
Establishing clear internal reporting procedures is essential so your team knows who is responsible for filing reports within the required timelines.
Handling Ransomware Demands
Ransomware attacks are a growing concern for schools, and HB96 adds guidelines for how districts may respond.
- Payment or compliance is prohibited unless the board of education passes a formal resolution approving the action.
- The resolution must state why payment or compliance is in the district’s best interest.
- In other words, a decision to pay cannot be made quickly or by a single individual but instead requires formal board approval to ensure that the choice is deliberate, transparent, and accountable.
Practical Next Steps for School Leaders
To prepare for compliance and strengthen security across the district, consider the following steps:
1. Start with a district-wide cybersecurity assessment. This creates a baseline for your program. If needed, engage with experts to help ensure the assessment is thorough.
2. Form a cross-departmental cybersecurity committee (IT, administration, finance, HR, operations).
3. Select and document your chosen framework (for example, NIST CSF, CIS Controls or another framework).
4. Update policies and procedures to cover access, acceptable use, backups, and vendor risk.
5. Schedule annual training and track completion for all employees.
6. Practice incident response through tabletop exercises, including ransomware decision-making.
7. Align compliance documentation with what auditors will expect to review.
Summary
The cybersecurity requirements in HB96 apply broadly across Ohio’s political subdivisions, but for schools they represent an urgent call to action. With deadlines approaching, districts should begin aligning their cybersecurity programs with accepted best practices, formalizing training requirements, and preparing for incident reporting.
By taking these steps now, schools can not only meet the letter of the law but also better protect their students, staff, and learning environments from ever-evolving cyber threats.