Ohio has two cybersecurity laws on the books that most business owners have never heard of. One creates hard deadlines for government entities. The other gives private businesses a legal shield they can use right now. Both matter if you operate in Ohio, and the clock is running on the biggest deadline.
Here is what you need to know, what applies to your business, and what to do about it before July 2026.
Ohio House Bill 96: Mandatory Cybersecurity for Government Entities
House Bill 96 was signed into law in June 2025 as part of Ohio's state operating budget. It requires every political subdivision in the state to adopt a formal cybersecurity program. That includes counties, cities, townships, municipalities, and school districts.
The law sets two compliance deadlines:
- January 1, 2026 -- Counties and cities must have their cybersecurity programs in place (this deadline has already passed).
- July 1, 2026 -- All other political subdivisions, including townships, municipalities, and school districts, must comply.
Programs must align with a recognized cybersecurity framework. The law specifically points to standards like the NIST Cybersecurity Framework (CSF) and CIS Controls as acceptable foundations.
Beyond standing up a program, HB 96 also introduces reporting requirements:
- Cyber incidents must be reported to the Ohio Cyber Integration Center within 7 days.
- The Ohio Auditor of State must be notified within 30 days.
Key deadline: July 1, 2026 is the compliance date for townships, municipalities, and school districts. If your organization falls into one of these categories, your cybersecurity program needs to be documented and operational before that date.
Ohio Data Protection Act (SB 220): The Legal Shield Most Businesses Are Missing
While HB 96 targets government entities, Ohio's Data Protection Act -- Senate Bill 220 -- has been available to private businesses since 2018. Most small businesses have no idea it exists.
Here is the core idea: if your business has a written cybersecurity program based on a recognized industry framework, and you later experience a data breach and get sued, that program serves as an affirmative defense in court.
In practical terms, this means a court will consider whether your business had reasonable security controls in place at the time of the breach. If you did -- if you can point to a documented program that follows NIST CSF, CIS Controls, or a similar framework -- the lawsuit has a much harder time succeeding.
This is not theoretical. It is a concrete legal advantage that Ohio law provides to businesses that take cybersecurity seriously. The flip side is equally clear: if you have no documented program, you have no defense to point to.
What Qualifies for Safe Harbor
To claim the safe harbor protection under SB 220, your cybersecurity program must:
- Be in writing.
- Align with a recognized framework such as NIST CSF, CIS Controls, ISO 27001, HIPAA, or PCI DSS.
- Be reasonably designed to protect the security and confidentiality of the information your business handles.
- Be maintained and updated -- a document gathering dust on a shelf will not hold up in court.
Why Private Businesses Should Pay Attention to HB 96
If you are a private company, you might read HB 96 and think it does not apply to you. Technically, the mandate targets political subdivisions. But the downstream effects are real.
Government Contractors and Vendors
If your business provides services to counties, cities, school districts, or any other government entity in Ohio, expect those entities to start requiring cybersecurity documentation from their vendors. When a government entity is required to have a cybersecurity program, it will push that requirement down to the companies it works with. This is the same pattern we have seen play out with federal contractors and CMMC compliance -- requirements flow downhill.
Insurance Carriers Are Watching
Cyber insurance carriers have been tightening their requirements for years. Documented cybersecurity programs, MFA enforcement, endpoint protection, and incident response plans are increasingly table stakes for getting coverage. Ohio's legislative environment gives carriers another reason to require documented programs. If the state says it matters enough to legislate, insurers will use that as justification to raise the bar for policyholders.
Client and Partner Expectations
Even outside of government contracts and insurance, the market is moving toward documented security. Larger companies are requiring cybersecurity attestations from their vendors. RFPs increasingly include security questionnaires. Having a documented program is becoming a competitive requirement, not just a compliance checkbox.
What Your Business Should Do Now
Whether you fall directly under HB 96 or want to take advantage of SB 220's safe harbor, the action items are the same. The good news is that none of this requires reinventing the wheel.
1. Adopt a Recognized Framework
Pick a framework that fits your business. For most Ohio small and mid-sized businesses, NIST CSF or CIS Controls are the best starting points. They are widely accepted, well-documented, and flexible enough to scale with your organization. If you are in healthcare, HIPAA requirements will shape your framework. If you handle payment data, PCI DSS applies. But for general business use, NIST CSF is the gold standard.
2. Document Your Cybersecurity Program
A cybersecurity program that exists only in your head or in scattered configurations across your IT environment does not count. You need a written document that describes your security controls, policies, and procedures. This is what you will point to if you ever need to claim safe harbor under SB 220, and it is what government entities will ask to see if you are a vendor.
3. Maintain It
This is not a one-time exercise. Frameworks evolve. Threats change. Your business grows. Your cybersecurity program needs to be reviewed and updated regularly -- annually at minimum, and whenever significant changes occur in your environment. A program written in 2024 and never touched again will not hold up as a credible defense in 2027.
4. Implement the Controls
A document without implementation is just paper. The controls described in your program need to actually be in place -- endpoint protection, multi-factor authentication, access controls, backup and recovery procedures, security awareness training, and incident response planning. The court test under SB 220 is whether your controls were "reasonable," and that means they need to be real.
How SkyNet MTS Approaches This
At SkyNet, compliance is not a separate project we bolt onto your IT. It is the natural result of managing your environment correctly.
When we onboard a client, we build security into the foundation -- endpoint protection, identity management, backup verification, patch management, and monitoring are all part of how we operate. The documentation and framework alignment that HB 96 and SB 220 require are built into our vCISO services, where we help businesses formalize their security programs, align them to recognized frameworks, and keep them current.
For Ohio businesses specifically, this is a significant opportunity. You can build the cybersecurity program your business needs, get the legal protection SB 220 offers, and position yourself to meet any downstream requirements from HB 96 -- all without adding complexity or standing up a separate compliance department.
Bottom line: Ohio is one of a small number of states that gives businesses a clear legal incentive to invest in cybersecurity. The safe harbor is there. The frameworks are well-defined. The only question is whether you take advantage of it before something forces your hand.