Has Your Board Adopted a Cybersecurity Program Yet?

By: Tony K. Telidis, Esq.

Cybersecurity program requirements for boards of education became law on September 30, 2025, through Ohio House Bill 96. The newly enacted R.C. 9.64 requires school districts to “adopt a cybersecurity program that safeguards” the district’s “data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.”  

The statutory directive to adopt a cybersecurity “program” is not an order to adopt a board policy on the subject, and for good reason.  A cybersecurity program likely constitutes a “security record” under Ohio law, which exempts it from disclosure under Ohio’s Public Records Act.  R.C. 149.433.  This notion is further echoed by R.C. 9.64(E), which makes clear that all records, documents, and reports related to the cybersecurity program and framework are not public records.

R.C. 9.64 states that a cybersecurity program shall be consistent with generally accepted best practices for cybersecurity, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the Center for Internet Security (“CIS”) cybersecurity best practices, and may include information relating to:

1.) Identifying and addressing the critical functions and cybersecurity risks of the district;

2.) Identifying the potential impacts of a cybersecurity breach;

3.) Specifying mechanisms to detect potential threats and cybersecurity events;

4.) Specifying procedures for the district to establish communication channels, analyze incidents, and take actions to contain cybersecurity incidents;

5.) Establishing procedures for the repair of infrastructure impacted by a cybersecurity incident, and the maintenance of security after the incident; and

6.) Establishing cybersecurity training requirements for all employees of the district, the frequency, duration, and detail of which shall correspond to the duties of each employee.

To adopt a cybersecurity program, a board of education should take action by passing a resolution at a public meeting which refers to a cybersecurity program presented to it by the district administration.  That presentation can occur in an executive session under R.C. 121.22(G)(6), which permits an executive session to be held to discuss details relative to the security arrangements and emergency response protocols for a public body if disclosure of the matters discussed could reasonably be expected to jeopardize the security of the public body. However, the Board’s adoption of the cybersecurity program must occur in open session:  resolutions cannot be passed in executive session.

Cybersecurity Incident Notification Requirements

R.C. 9.64 also establishes reporting requirements following a cybersecurity or ransomware incident.  School districts must notify both of the following:

1. The Executive Director of the Division of Homeland Security within the Ohio Department of Public Safety, as soon as possible but not later than seven days after the school district discovers the incident; and

2. The Ohio Auditor of State (“AOS”), as soon as possible but not later than 30 days after the school district discovers the incident.

If your school district needs assistance with the drafting of a resolution to adopt a cybersecurity program or if you have questions about Ohio’s new cybersecurity requirements, do not hesitate to contact the attorneys at Pepple & Waggoner.

Tony K. Telidis, Esq.

216.520.0088
ttelidis@pepple-waggoner.com