Ohio mandates local governments get public approval before paying ransomware under new cybersecurity rules
COLUMBUS, Ohio—Following a string of cyberattacks on local governments across Ohio, the state is now requiring all local governments to have cybersecurity policies and to approve ransom payments to hackers in full view of the public.
Proponents of the new requirements, which were tucked into the new state budget, say they’re needed to increase transparency and ensure that local governments can protect their computer systems from increasingly sophisticated online attacks from criminals who pilfer constituents’ personal data and hold entire computer systems for ransom.
But some local-government groups say they’re uncomfortable with the new rules—both on practical grounds and on principle.
Many local-government officials are right now trying to figure out how to comply with the new regulations. When CyberOhio, the state’s cybersecurity initiative, held a webinar on the new rules last week, all 1,000 slots were filled, according to the Ohio Municipal League.
What is the threat?
The new statewide cybersecurity rules come after a wave of high-profile cyberattacks and ransomware threats against local governments around Ohio, including the city of Cleveland, Cleveland Municipal Court, and the city of Columbus.
While no money was paid by Cleveland or its municipal court, Columbus Mayor Andrew Ginther approved a $4 million ransom payment that was later signed off on by Columbus City Council. A whistleblower later revealed that a massive trove of residents’ personal information was leaked anyway, refuting Ginther’s claims that the data was unusable.
But while these cyberattacks have garnered a lot of attention, Cleveland, Columbus, and other large cities in Ohio already have cybersecurity plans in place.
The new rules are, rather, mostly aimed at ensuring that smaller local governments in more rural areas of the state are also prepared to handle cyberattacks.
Several officials, experts, and lawmakers said they aren’t sure exactly how many of Ohio’s 3,000-plus local governments don’t have cybersecurity policies in place.
“I think it’s a pretty mixed bag of subdivisions that have policies or that don’t, and probably several that are just hoping this never happens to them,” said Ohio Senate Finance Committee Chair Jerry Cirino, a Lake County Republican.
Last year, State Auditor Keith Faber’s office announced that 23 local governments in Ohio, including cities, villages, townships, and school districts, were successfully targeted by online scammers in a one-year period, resulting in hundreds of thousands of dollars’ worth of taxpayer money being stolen.
Last week, a ransomware gang claimed responsibility for a May 2025 attack on the city of Washington Court House, about 40 miles south of Columbus, that disrupted city services and exposed loads of confidential data.
Faber’s office, as well as groups like the County Commissioners’ Association of Ohio and the Ohio Library Council, were involved in crafting the new rules, which were initially introduced in a standalone Ohio House bill before being folded into the enormous budget plan by the state Senate in June.
What are the new rules?
Starting in late September, every local government in Ohio—including counties, cities, school districts, and libraries—must put in place a cybersecurity program to safeguard their computer systems and data, as well as plan how to respond when their systems are attacked. Each policy must “be consistent with generally accepted best practices for cybersecurity,” under the new law.
Local governments must also require all of their employees to take cybersecurity training, such as that already offered by the state and the Ohio Cyber Range Institute.
In addition, the new law says local officials can only pay a ransom or otherwise comply with ransomware demands if the local government’s legislative body first votes to formally approve the move in a resolution or ordinance that specifically states why doing so “is in the best interest” of the political subdivision.
When such cyberattacks take place, local officials will have to report it to both the state auditor’s office and the Ohio Department of Public Safety.
That’s partly so the state homeland security officials can offer help, if needed, with addressing the cyberattack.
Cirino also said collecting that information will allow policymakers to better understand how big of a problem cyberattacks are in Ohio “so that we can make even, perhaps, different decisions in the future, maybe even put more restrictions.”
The arguments for the rules
Backers of the new regulations say they will ensure local governments will be ready to protect taxpayers’ money and personal information at a time when cybercrime is becoming more sophisticated and harder to stop, and government services and transactions are increasingly handled online.
“Having a policy or program in place is a commonsense step that will allow a local government that falls victim to a cyberattack to respond quickly, effectively, and with minimal loss,” said Tom Hancock, Faber’s Deputy Chief of Staff, during legislative testimony in June.
So far, at least 12 other states have passed laws addressing ransomware—including Florida and North Carolina, which each now have a total ban on ransomware payments, Hancock testified.
But Ohio’s new regulations are more decentralized than that, and proponents say they still allow local officials to decide what cybersecurity measures are best for them.
When drafting Ohio’s new rules, the initial plan was to similarly prohibit local governments from complying with any ransomware demands, Hancock said.
But that was eventually toned down to only requiring that ransomware payments must be formally approved during a public meeting—a measure Hancock said will give local officials flexibility to respond to cyberattacks while ensuring the public is informed about the decision they make.
City of Cleveland spokesman Tyler Sinclair, in an email, stated that the city already follows nearly all of the new rules, including having a cybersecurity plan that meets the new state requirements, requiring City Council to approve any large payments, and notifying state officials after every cyberattack.
“Any rules that bolster cybersecurity efforts for the public sector overall and help develop a collective cyber defense across the state are beneficial,” Sinclair stated.
The arguments against the rules
While some local-government groups are backing the new rules—including a couple that helped write them—officials from the Ohio Municipal League and the Ohio Mayors’ Alliance expressed concern.
Keary McCarthy, Executive Director of the Ohio Mayors’ Alliance, questioned backers’ assertions that it won’t be very expensive for local governments to create a cybersecurity policy in compliance with the new law.
“Adopting (cybersecurity) plans to be consistent with national best practices could be a challenge for some communities,” McCarthy said, noting that the state budget includes no funding to help local governments pay for such work.
McCarthy also said his organization is worried requiring local governments to always make decisions on ransomware demands in public could unintentionally jeopardize the investigation into the cybercrime and reveal information that the hackers could exploit.
“If they are in your systems, and you are reporting on what you know and what you do not know in those systems while they’re actively in those systems, that gives the attacker the opportunity to continue to do damage to a municipal system,” he said.
Kent Scarrett, Executive Director of the Ohio Municipal League, also said many of his members don’t like the new rules on principle, as it’s another example of state lawmakers infringing on local governments’ home-rule authority.
McCarthy and Scarrett each said they wished state lawmakers would have sought to pass the new rules in a standalone bill, with wider public debate, rather than enact them via the state’s 3,156-page budget.
“We all understand the challenges of investing in cybersecurity for our communities,” Scarrett said. But, he added, “We wish the state would have been more willing to work with our communities instead of mandating our communities.”