Cleveland.com reports:
In response to Cleveland and other local governments around Ohio being targeted with cyberattacks and ransomware threats, the state of Ohio will soon require all counties, cities, townships, school districts, libraries, and other local governments to have a cybersecurity policy that adheres to certain standards, as well as only allow locals to approve ransomware demands during a public meeting. As Jeremy Pelzer reports, proponents of the new rules – inserted in the state’s massive new state budget – say they’re commonsense steps for local governments to protect taxpayers’ money and personal information in a transparent way. Some local-government groups, though, are concerned, both on practical grounds and on principle.
Direct link to Ohio Law HB 96. From that law, which goes into effect September 30, 2025, the ransomware payment provision:
A political subdivision experiencing a ransomware incident shall not pay or otherwise comply with a ransom demand unless the political subdivision’s legislative authority formally approves the payment or compliance with the ransom demand in a resolution or ordinance that specifically states why the payment or compliance with the ransom demand is in the best interest of the political subdivision.