Ohio local governments now have a clearer legal responsibility to take cybersecurity seriously. Under Ohio Revised Code Section 9.64, political subdivisions must adopt a cybersecurity program that helps protect their data, technology systems, and public services.
For villages, townships, cities, counties, libraries, and other local public entities, this is an important change. Cybersecurity is no longer something that can be treated as a future project or a nice extra. It needs to be part of how local government operates.
This article is intended as a practical overview, not legal advice. Local governments should review the law, consult their solicitor or legal counsel, and make sure their cybersecurity program fits their specific size, systems, budget, and risk level.
What Changed?
Ohio Revised Code Section 9.64 requires political subdivisions to adopt a cybersecurity program. The program must safeguard the political subdivision’s data, information technology, and information technology resources to help ensure availability, confidentiality, and integrity.
In plain language, that means local governments need a documented plan for protecting their technology, reducing risks, responding to incidents, training employees, and recovering when something goes wrong.
The law points to generally accepted cybersecurity best practices, including frameworks such as the National Institute of Standards and Technology Cybersecurity Framework and Center for Internet Security best practices. That does not mean every small village needs the same program as a large city. The program should be appropriate for the organization’s actual environment.
Who Does This Apply To?
The law applies to political subdivisions. This generally includes counties, townships, municipal corporations, and other local government bodies responsible for government activities within a smaller geographic area than the state.
For many Ohio communities, that means councils, boards, fiscal officers, administrators, department heads, and employees all need to understand that cybersecurity is now part of normal government responsibility.
Important Deadlines
Auditor of State Bulletin 2025-007 identifies implementation due dates for cybersecurity programs:
- Counties: January 1, 2026
- Cities: January 1, 2026
- All other entity types: July 1, 2026
That means many villages, townships, libraries, and smaller public entities have until July 1, 2026, to adopt a cybersecurity program. However, waiting until the deadline is risky. Even a basic program takes time to review, approve, document, and implement.
What Should a Cybersecurity Program Include?
The law gives local governments flexibility, but it also identifies important areas a cybersecurity program may address.
1. Identify Critical Functions and Risks
A local government should understand which systems are most important. This may include email, payroll, accounting software, utility billing, police records, public works systems, website access, file storage, council records, and employee devices.
Once those systems are identified, the organization should consider what could happen if they were unavailable, compromised, deleted, encrypted, or accessed by an unauthorized person.
2. Understand the Impact of a Cybersecurity Breach
Cyber incidents are not just technical problems. They can interrupt public services, delay payroll, affect utility billing, expose private information, damage public trust, and create unexpected costs.
A useful cybersecurity program should explain what impact a breach could have and which systems need the most protection.
3. Detect Potential Threats
Local governments should have a way to notice suspicious activity. This may include antivirus alerts, account login notifications, email security warnings, website monitoring, backup reports, firewall logs, or alerts from an IT provider.
The key is not just having tools in place. Someone needs to know who receives the alerts, who reviews them, and what happens next.
4. Create an Incident Response Process
If something goes wrong, employees should not have to guess what to do. A cybersecurity program should identify who gets contacted, who makes decisions, how systems are isolated, how evidence is preserved, and how communication is handled.
This is especially important for small local governments where one person may handle several roles. Clear instructions can save valuable time during an emergency.
5. Plan for Recovery
Backups, restoration procedures, password resets, device replacement, software reinstallation, and vendor contact information should be part of the plan.
A backup is only useful if it can actually be restored. Local governments should periodically confirm that important files and systems can be recovered.
6. Train Employees
ORC 9.64 requires cybersecurity training for employees, with the frequency, duration, and detail matching each employee’s duties. A fiscal officer, police department employee, utility clerk, mayor, council member, and public works employee may not all need the same depth of training, but they all need to understand their role in protecting public systems.
Training should cover practical risks such as phishing emails, suspicious attachments, unsafe links, password reuse, invoice scams, payment redirection, and what to do when something seems wrong.
Incident Reporting Requirements
ORC 9.64 also creates reporting requirements after a cybersecurity incident or ransomware incident is discovered.
- Ohio Homeland Security, Ohio Cyber Integration Center: Report as soon as possible, but no later than 7 days after discovery.
- Ohio Auditor of State: Report as soon as possible, but no later than 30 days after discovery.
These timelines make it important to identify incidents quickly and document who is responsible for reporting them.
Ransomware Payments Require Formal Approval
The law also addresses ransomware payments. A political subdivision experiencing a ransomware incident cannot pay or otherwise comply with a ransom demand unless the legislative authority formally approves it through a resolution or ordinance.
That resolution or ordinance must specifically state why the payment or compliance with the ransom demand is in the best interest of the political subdivision.
This is not a decision any local government should try to figure out during a crisis. The better approach is to prepare before an incident happens, know who must be contacted, and understand what legal approvals may be required.
Are Cybersecurity Plans Public Records?
ORC 9.64 provides public records protections for certain cybersecurity materials. Records, documents, and reports related to the cybersecurity program and framework, as well as reports of cybersecurity incidents or ransomware incidents, are not public records under the statute.
The law also treats certain records identifying cybersecurity-related software, hardware, goods, and services as security records. This matters because publishing too much detail about security tools and systems can create additional risk.
What Small Villages and Local Entities Should Do Now
Small public entities do not need to overcomplicate this, but they do need to take it seriously. A practical starting point may include:
- List all important systems, accounts, devices, vendors, and data locations.
- Confirm who has access to email, banking, payroll, websites, domain names, hosting, and software accounts.
- Require strong passwords and turn on multi-factor authentication where possible.
- Review backups and test whether important data can be restored.
- Document who to contact during a cyber incident.
- Provide cybersecurity training for employees and officials.
- Adopt a cybersecurity policy or program through the legislative authority.
- Review the plan regularly and update it when systems, vendors, or staff change.
Why This Matters
Local governments are trusted with public records, employee information, financial systems, utility billing, public safety information, and day-to-day services that residents rely on.
A cybersecurity incident can quickly become more than an IT issue. It can become a financial issue, a public trust issue, a service disruption issue, and a legal compliance issue.
The new Ohio requirement is a reminder that cybersecurity should be treated like any other essential part of local government operations. It needs planning, documentation, training, and regular attention.
Need Help Preparing a Cybersecurity Program?
Budder Technology LLC helps villages, small businesses, and local organizations simplify technology planning. If your public entity needs help reviewing systems, documenting risks, preparing a practical cybersecurity program, or improving backups and security practices, we can help.
This article is for general informational purposes only and should not be considered legal advice. Public entities should consult their solicitor, legal counsel, and official state guidance when adopting a cybersecurity program.