The Ohio Legislature included provisions in a recently enacted operating appropriations bill (Ohio House Bill 96) that regulate how and when state agencies can make ransomware payments, including a new requirement related to consultation with and approval from legislative officials. The bill also sets forth new cybersecurity standards and cyber-related event reporting requirements for state agencies. It is important that Ohio state agencies subject to the provisions update their incident response plans to include, among other things, a process for engaging with legislative officials, and that they update their information security policies.
The new Ohio law defines a “cybersecurity incident” and a “ransomware incident” differently. The former is defined as any of the following:
- A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network
- A disruption of a covered entity’s ability to engage in business or industrial operations or to deliver goods or services
- The unauthorized access to an entity’s information system or network, or nonpublic information contained therein, that is facilitated through or is caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or a supply chain compromise
Thompson Hine LLP – Steven G. Stransky, Thomas F. Zych, Thora Knight and Kimberly Pack
July 11 2025