OH SB203

Political subdivisions (counties, townships, municipal corporations) must adopt cybersecurity programs consistent with NIST framework and Center for Internet Security best practices to safeguard data availability, confidentiality, and integrity

Ransom payments following ransomware incidents are prohibited unless the legislative authority formally approves via resolution or ordinance explaining why payment is in the subdivision's best interest

Cybersecurity incidents must be reported to the Division of Homeland Security executive director within 7 days and to the Auditor of State within 30 days of discovery

Required cybersecurity programs must include risk identification, breach impact assessment, threat detection mechanisms, incident response procedures, infrastructure repair protocols, and employee training requirements

All cybersecurity program documents and incident reports are exempt from public records disclosure under Ohio law