
What Is Ohio House Bill 96 (HB96)?

A plain-English guide to Ohio's cybersecurity law for government entities — who it affects, what it requires, and the deadlines you need to know.

Compliance | March 2026 | By Ridgepoint Technologies

If you work for or manage a government entity in Ohio — a city, county, township, school district, or library — you've probably heard people talking about HB96. Maybe someone mentioned it at a board meeting, or your IT provider brought it up. But what does it actually mean, and what are you supposed to do about it?

This guide breaks down Ohio House Bill 96 in plain English: what the law says, who it applies to, what you need to do to comply, and the deadlines you're working against.

HB96 in Plain English

Ohio House Bill 96 (codified as ORC § 9.64) is a state law that requires every political subdivision in Ohio to adopt a formal cybersecurity program aligned with a recognized industry framework — specifically NIST Cybersecurity Framework (CSF) or CIS Controls. Before HB96, there was no statewide standard for cybersecurity at the local government level. Individual entities could handle cybersecurity however they wanted — or not handle it at all.

The law covers a broad range of entities: counties, cities, villages, townships, school districts, public libraries, port authorities, transit authorities, and special districts. If your organization is classified as a political subdivision under Ohio law, HB96 applies to you.

The intent behind the law is straightforward — government organizations handle enormous amounts of sensitive data. Social Security numbers, tax records, student information, medical data, financial records, and law enforcement information all flow through these entities. A ransomware attack on a school district doesn't just take down email — it can expose thousands of student records. A breach at a county office can leak taxpayer data for an entire community. HB96 exists to make sure these entities have formal protections in place, not just good intentions.

Who Must Comply?

Every political subdivision in Ohio is subject to HB96. There are no exceptions based on size, budget, or staffing levels. The law applies equally to a county with hundreds of employees and a small township with a part-time clerk.

The entities covered include: counties, cities, villages, townships, school districts (including Educational Service Centers), public libraries, port authorities, transit authorities, and any other entity classified as a political subdivision under Ohio law.

One of the most common misconceptions about HB96 is that it only applies to large entities. It doesn't. A village of 800 residents has the same legal obligation as a city of 80,000. A rural township with five employees must comply just as a county government with 500 does. The scope of your program will obviously differ — but the requirement to have one does not.

What Does HB96 Require?

HB96 establishes four core requirements for compliance. First, your entity must adopt a recognized cybersecurity framework — NIST Cybersecurity Framework 2.0 and CIS Controls v8 are the most commonly selected options. This framework becomes the foundation for your entire security program.

Second, you need written cybersecurity policies and procedures. This includes a formal cybersecurity program document, a documented risk assessment identifying critical functions and potential impacts, a written incident response plan with specific state reporting procedures (incidents must be reported to the Ohio Department of Public Safety within 7 days and to the Auditor of State within 30 days), and a ransomware response policy that requires board or council approval before any ransom payment.

Third, the law requires annual cybersecurity awareness training for all staff. This isn't optional — every employee who uses technology in their work needs documented training.

Fourth, you must designate a specific person as the point of contact for cybersecurity matters within your organization.

Importantly, HB96 also provides a legal safe harbor. Entities that are in compliance gain legal protection against certain liability claims in the event of a data breach. This safe harbor is one of the most compelling reasons to comply — it transforms compliance from a cost into a form of insurance.

The Deadlines

HB96 uses a staggered compliance timeline. Counties and cities had a deadline of January 1, 2026 — which has already passed. If your county or city hasn't implemented a compliant cybersecurity program yet, you are technically past due. The practical risk increases at your next Auditor of State audit.

All other political subdivisions — townships, school districts, libraries, villages, and special districts — face a deadline of July 1, 2026. That may sound like plenty of time, but building a compliant program from scratch takes work. A realistic timeline is 4–8 weeks with professional help, and that doesn't include the time needed for board review, discussion, and formal adoption through a resolution.

If your entity hasn't started yet, the math is simple: working backward from July 1, you need to engage an advisor by mid-April to be safely in compliance before the deadline. Every week of delay makes the timeline tighter.

What Happens If You Don't Comply?

HB96 does not specify direct financial penalties for non-compliance — there is no fine for missing the deadline. However, the consequences of not complying are real and potentially far more expensive than the cost of building a program.

The most significant consequence is the loss of safe harbor protection. Compliant entities receive legal protection against certain liability claims following a data breach. Non-compliant entities don't. If your organization experiences a breach and you have no formal cybersecurity program in place, you face full liability exposure — legal costs, regulatory action, and civil claims from affected individuals.

Beyond the legal exposure, non-compliance can affect your cyber insurance coverage (insurers are increasingly requiring formal security programs), your eligibility for certain grants and funding, and public trust in your organization. The Auditor of State reviews cybersecurity programs during regular audits. A finding of non-compliance becomes part of your public audit record.

The cost of building a compliant program — typically $5,000 to $15,000 for most political subdivisions — is a known, manageable investment. The cost of a breach without a program in place is unknown and potentially catastrophic.

Getting Started with Compliance

Building an HB96-compliant cybersecurity program is achievable even for small organizations with limited technical resources. The process typically follows a clear path: assess where you stand today, select a framework, develop your policies and procedures, implement training, and document everything for board adoption.

Many organizations start with a gap assessment — a structured review of your current security posture against the requirements of HB96 and your chosen framework. This identifies what you already have in place and what needs to be built. From there, the work is primarily documentation: writing the policies, procedures, risk assessments, and incident response plans that the law requires.

You don't need to do this alone. Many political subdivisions work with outside cybersecurity advisors who specialize in compliance program development. Ridgepoint Technologies builds turnkey HB96 compliance programs for Ohio political subdivisions — from gap assessment and framework alignment through policy development, training recommendations, and board-ready documentation. Programs are typically delivered in 4–8 weeks and priced between $5,000 and $15,000 depending on entity size and complexity.

The important thing is to start. The deadline is approaching, the requirements are clear, and the consequences of inaction are real. Whether you build the program internally or work with an outside advisor, the time to begin is now.
