COLUMBUS, Ohio — Ohio is now requiring local governments to adopt a cybersecurity program to safeguard taxpayer data and only pay ransom to hackers if their legislative authority approves the payment.
The new rules are critical to help local governments protect public money and taxpayers' private information, according to David Roorbach, Press Secretary, Ohio Auditor of State.
"They're not only handling public funds, they're also handling taxpayer records, personally identifiable information, and we want to make sure that those public dollars are protected from cyber criminals," he said.
The new rules come after hundreds of cyberattacks on Ohio's local governments have cost taxpayers millions of dollars.
Rohrbach said there have been at least 235 incidents since the auditor began tracking the growing problem in 2023.
The number includes a cyberattack on the Cleveland Municipal Court in February and a ransomware attack on Cleveland City Hall last summer.
RELATED: Ohio Auditor issues scathing assessment of Cleveland's cybersecurity practices
As a result of the 235 incidents, approximately $8.8 million ended up in hackers' hands, he said.
Along with adopting a cybersecurity program to protect their systems and data, the new rules also require local governments to have a plan in place to respond to a cybersecurity attack.
Local governments must also report attacks to the Ohio Department of Safety and the Ohio Auditor of State so they can track the number of incidents and offer assistance if needed, and require all local government employees to take cybersecurity training every year.
We reached out to the City of Cleveland about the state's new cybersecurity rules.
City spokesperson Tyler Sinclair sent us the following response:
"Nearly all of the amendments to Section 9.64, as it relates to the City of Cleveland, were either already in place or being implemented prior to that budget bill being passed. My understanding is that these provisions were largely put in place more so for standardization purposes with some of the rural municipalities who may lack the IT infrastructure of larger cities and suburbs. For example, regarding:
Cybersecurity Program –
- Our technology, response plan, and other cybersecurity measures already follow the NIST (i.e. National Institute of Standards and Technology) cybersecurity framework.
Ransomware –
- This was already in place as city council, who is our legislative authority, must approve large expenditures prior to them being paid out.
Reporting / Notification –
- This is part of our protocol. For example, we notified the state’s division of homeland security immediately when we experienced a cybersecurity incident last summer.
Training –
- We remain committed to enhancing our cybersecurity efforts and continue to engage the state and vendor partners for training, resources, and other forms of assistance."
Ohio's new cybersecurity rules take effect in late September.
