New Cybersecurity Law for Local Governments in Ohio

A new law, effective September 30, 2025, requires all local governments in Ohio to adopt a cybersecurity program to protect against threats like hacking and ransomware.

Key Requirements of the Law

  • Cybersecurity Program: Each local government must adopt a program tailored to its specific needs and consistent with generally accepted best practices.
  • Employee Training: All employees must receive cybersecurity training. The training’s frequency and detail should align with each employee’s job duties. Free, state-provided training is available to fulfill this requirement.
  • Deadlines: Counties and cities must have their cybersecurity plan in place by January 1, 2026. All other local government bodies have until July 1, 2026.

Reporting a Cyber Incident

If a local government experiences a cyber incident or ransomware attack, it must report the incident to two state offices, each with its own deadline.

  • Ohio Homeland Security: Notification must be made to the Executive Director of Ohio Homeland Security within 7 days of discovering the incident.
  • Ohio Auditor of State: Notification must also be made to the Ohio Auditor of State within 30 days of discovering the incident.

Important Details

  • Paying a Ransom: A local government is not allowed to pay a ransom unless the governing body formally approves the payment in a resolution or ordinance. This document must explain why the payment is in the best interest of the community.
  • Public Records: Information related to a local government’s cybersecurity program and incident reports is not considered a public record. This includes details about security software and hardware being considered or used.
  • Certified Network Defense Architects (CNDA): MAXtech has CNDA expert technicians who are certified in ethical hacking and network defense, which meets DoD 8140 requirements and certifications.