When cybersecurity becomes the norm at school
Ohio’s HB 96 is technically a budget bill, but hidden in that fiscal package is a big message for K-12 IT. Starting September 30, 2025, local governments and school districts in Ohio must run a formal cybersecurity program, train staff, and follow strict incident-reporting rules. In other words, a line item in a budget is quietly rewriting how schools think about cyber risk.
And HB 96 isn’t some quirky Ohio one-off. It sits alongside Texas’s SB 820, New York’s EdLaw 2-d, and other state rules pushing schools toward stronger security and data governance. Taken together, they signal a shift from “we should do this because it’s smart” to “we must do this because it’s the law”, especially when student data and classroom continuity are at stake.
What K-12 IT leaders need to know about HB 96
HB 96 changes the tone completely for K-12 IT teams. Districts now have to meet specific cybersecurity obligations, and they’re expected to prove it. That means more focus on documentation, repeatable processes, and audit-ready evidence.
Who’s covered
HB 96 applies to “political subdivisions,” which sounds abstract until you realize it squarely includes K-12. School districts, regional service agencies, and other public education bodies fall under this umbrella. If you’re managing tech for a public school system in Ohio, this law is talking directly to you, even if you don’t see “schools” in the title.
Who’s covered under HB 96:
- Public school districts
- Educational Service Centers (ESCs)
- Joint vocational school districts
- Community schools and other public charter entities
- Other local public education agencies classified as political subdivisions
Core requirements for school districts
For districts, HB 96 boils down to building a real cybersecurity program, not just reacting to incidents when they happen. The law expects you to anchor your work in recognized standards, train people regularly, and handle incidents in a structured, documented way. Ransomware decisions also move from “IT panic mode” to a formal governance process.
Key HB 96 requirements for school districts:
- Formal cybersecurity program based on recognized frameworks (e.g., NIST, CIS)
- Annual cybersecurity training for relevant staff
- Documented incident response plan
- Mandatory incident reporting timelines (e.g., state homeland security within 7 days, Auditor within 30 days)
- Restrictions and defined process for ransomware payments (board resolution and clear public interest justification)
HB 96 in context: comparing other state laws
Ohio’s HB 96 might be getting the spotlight right now, but it’s part of a growing patchwork of state laws reshaping how schools handle cybersecurity. Across the U.S., education is no longer exempt from the kind of security expectations already seen in finance and healthcare. Different states are approaching the issue in their own way—but the common thread is this: governance is no longer optional.
Texas SB 820 – the cybersecurity coordinator era
Texas got ahead of the curve back in 2019 with SB 820, one of the first state laws to impose cybersecurity requirements specifically on public school districts. It created a baseline for what schools should be doing—and who should be responsible for it. The law applies statewide and was baked into the state’s education code, not just a recommendation.
Key elements of SB 820:
- Required cybersecurity policy at the district level
- Designation of a Cybersecurity Coordinator to act as the point of contact with the state
- Mandatory incident reporting to the Texas Education Agency (TEA)
- Notification to affected parents/guardians when student data is compromised
New York EdLaw 2-d – privacy first
New York took a different route with EdLaw 2-d, focusing heavily on the privacy and protection of student and staff data. The law puts strong limits on how vendors can handle personally identifiable information (PII) and gives parents clear rights around how their child’s data is used and safeguarded. It’s more privacy-forward, but still full of security expectations.
Core requirements under EdLaw 2-d:
- A formal data privacy and security policy
- Appointment of a Data Protection Officer
- A published Parents’ Bill of Rights for data privacy
- Strict contracts for third-party vendors who access student or teacher data
- Breach notification requirements and technical controls like encryption and access restrictions
North Dakota HB 1127 – finance joins the governance shift
HB 1127 isn’t aimed at schools, but it’s still worth noting. Passed in 2025, this law targets financial companies regulated by the state, requiring them to adopt full-fledged information security programs. While the focus is finance, the structure is strikingly familiar: written plans, board oversight, breach notifications. It’s another example of states formalizing expectations through law.
Key requirements under HB 1127:
- A written information security program tailored to the company’s size and data sensitivity
- Technical, physical, and administrative safeguards to protect customer data
- Ongoing risk assessments and documented controls
- An incident response plan and mandatory breach reporting (within 45 days if 500+ customers affected)
What these laws have in common
On the surface, HB 96, SB 820, EdLaw 2-d, and HB 1127 all tackle different problems and sectors. But if you zoom out a bit, they’re clearly reading from the same script. Each one moves from “please consider doing this” to “you must do this,” assigns specific people or bodies to own cyber risk, and expects proof: reports, logs, notifications, documented plans.
Why this is happening: the pressure behind HB 96 and its peers
Cyber insurance, regulators, and attackers are all pushing in the same direction. Insurers now expect districts to have MFA, backups, incident response plans, and training just to qualify for coverage, or avoid painful exclusions and premium hikes. At the same time, K-12 has become a favorite target for criminals, with thousands of incidents reported in just a couple of recent school years in the U.S. alone.
- Ransomware, business email compromise, and student data breaches are now the norm. The U.S. Department of Education estimates districts face more than five cyber incidents per week, and CIS data shows 82% of U.S. K-12 schools experienced at least one incident between mid-2023 and 2024. In one recent period, K-12 saw 14,000 security events and 9,300 confirmed incidents, with ransomware attacks on education jumping 105% year over year.
- Operational consequences: lost class days, manual workarounds, reputational damage. The U.S. Government Accountability Office (GAO) found that after an attack, districts lost 3 days to 3 weeks of learning. During that time, staff revert to manual processes, projects stall, and the district’s name gets repeatedly linked to “breach” in local coverage and search results.
- Political pressure from parents and local media when student data is exposed. Families and reporters start asking hard questions, boards have to respond in public, and leadership feels the pressure, especially when you mix tight budgets, more sophisticated attacks, and a lack of documented cybersecurity processes. Put together, those factors make legislative moves like HB 96 much more likely.
From “Best Practice” to legal obligation
For years, cybersecurity guidance for schools sounded like advice: smart to follow, but not strictly required. Laws like HB 96 flip that dynamic. They turn security expectations into legal duties with deadlines, reporting paths, and accountability. For K-12 IT leaders, the real shift is that processes, proof, and governance now matter just as much as firewalls and filters.
Policies and programs will be the new normal
Under HB 96-style laws, having “the right people who know what to do” is no longer enough. Districts are expected to have a written cybersecurity program that anyone in leadership can point to and understand. That program should line up with a recognized framework, like NIST or CIS, and clearly show which controls are in place, who owns them, and how they’re maintained over time.
Documentation and repeatability
If something isn’t written down, it might as well not exist in the eyes of auditors or regulators. That’s where repeatable, documented processes come in, so your district isn’t reinventing the wheel every time there’s an incident, a new hire, or a board question.
Here’s the kind of documentation that starts to matter a lot more:
- Policies, procedures, and runbooks
- Training records and attendance
- Incident logs and post-incident reviews
- A compliance mindset: evidence for auditors, not only good intentions
Incident response as a formal process
Incident response can’t be a late-night improvisation anymore. Districts need a clear playbook that covers triage, containment, communication, and recovery. Roles should be defined in advance: who leads, who talks to families, who handles regulators, who documents each step. And when ransomware is involved, decisions are now shaped by legal rules and reporting obligations, not just by stress, downtime, or public pressure.
Vendor and data governance
These laws also push districts to get serious about the companies touching their data. That means stronger due diligence on edtech and IT vendors, especially in places with EdLaw 2-d style privacy rules. Contracts need to spell out how data is handled, how breaches are reported, and which security controls vendors must maintain. All of that rides on a solid inventory of systems and data flows inside your cybersecurity program.
Conclusion: reading HB 96 as a signal
HB 96 sends a message that formal governance is now part of the job for K-12 IT teams. With Texas, New York, and North Dakota already enforcing similar laws, it’s clear that lawmakers see education as critical infrastructure. What used to be advice is now legal responsibility, and more states are following that path.
Even if your district isn’t in Ohio, the shift is already on its way. These laws point to a future where frameworks, clear roles, and written proof of what you’re doing are standard, not special. Districts that start now, tightening governance, documenting controls, and training staff, will be better prepared, more efficient, easier to insure, and ready for whatever cybersecurity laws their state rolls out next.