Bill > SB203

This bill requires political subdivisions (such as counties, townships, and municipal corporations) to establish comprehensive cybersecurity programs to protect their information technology systems and data. The legislation defines key terms like "cybersecurity incident" and "ransomware incident" and establishes specific requirements for how these entities should manage potential cyber threats. Political subdivisions must develop a cybersecurity program that identifies critical functions and risks, establishes mechanisms to detect threats, creates communication and incident response procedures, and provides cybersecurity training for employees. If a political subdivision experiences a ransomware incident, it cannot pay a ransom without formal legislative approval and must provide a specific rationale for doing so. The bill also mandates that political subdivisions report any cybersecurity or ransomware incidents to the state's homeland security division within seven days and to the state auditor within thirty days. Importantly, the records related to these cybersecurity programs and incident reports are not considered public records, which helps protect sensitive information about potential vulnerabilities. The cybersecurity program must be consistent with best practices, such as those outlined by the National Institute of Standards and Technology and the Center for Internet Security.

Business and Industry

https://www.legislature.ohio.gov/legislation/136/sb203