What Ohio’s HB 96 Means for K-12 IT Leaders: Understanding the New Cybersecurity Law

juanhernandez@preyhq.com
Juan H.
Dec 23, 2025

It’s been a while since cybersecurity stopped being a “nice to have” in the K-12 space. Districts across the country have been dealing with ransomware, data leaks, and phishing attacks for years—often with limited budgets and overworked IT teams. States like Texas, New York, and Massachusetts have already stepped in with formal requirements. Now, Ohio is officially joining that list.

HB 96 is a big shift in how schools in Ohio are expected to handle cybersecurity, moving from best-effort to must-do. The law sets minimum requirements around incident response, training, and data protection, and it does so with legal deadlines and reporting obligations. For district leaders, it’s not just about avoiding attacks—it’s about showing the state you’re doing your part to protect your community.

What HB 96 Is and Requires

HB 96 is Ohio’s new cybersecurity mandate tucked inside the state’s most recent budget bill, and it puts clear expectations on every political subdivision, including public school districts. The law’s cybersecurity requirements take effect on September 30, 2025, and they formalize what many districts have been trying to do on their own: adopt a structured, consistent program to protect systems, data, and daily school operations.

Ohio’s HB 96 spells out exactly what school districts need to put in place. From written programs to mandatory training and new reporting rules, the law lays down a framework that’s meant to be consistent, repeatable, and board-approved.

A Formal Cybersecurity Program

At the heart of HB 96 is a requirement for every district to implement a documented cybersecurity program. This isn’t just a “tech department thing”—it’s a district-wide commitment to protecting school operations and sensitive data. The program needs to be more than a policy—it should be active, measurable, and tied to recognized standards.

  • Must protect confidentiality, integrity, and availability of IT systems & data. This isn’t vague language—it’s pulled straight from the law (Ohio Rev. Code § 9.64(C)). Your program should address how you prevent unauthorized access, ensure data isn’t altered or lost, and keep critical systems running during disruptions.
  • Can follow NIST or CIS benchmarks. The law gives districts room to choose, but it clearly favors well-known frameworks like NIST Cybersecurity Framework or CIS Controls. These give you a structured way to define what “good enough” looks like—and what’s missing.
  • Needs to be formally adopted by the board. This isn’t something the tech team can roll out solo. Your school board needs to review and officially approve the program. That creates shared accountability and signals to your community that cybersecurity is a district priority.

Annual Cybersecurity Training

A cybersecurity plan is only as strong as the people using it. HB 96 recognizes that everyone—tech-savvy or not—plays a role in protecting school systems. That’s why the law requires school districts to build annual cybersecurity training into their routine, and not just for IT teams, but for everyone with access to school systems, data, or devices.

  • Establish cybersecurity training requirements for all employees. From admin staff to classroom aides, everyone must receive basic training to understand common threats like phishing, device misuse, and data handling risks. It’s about making cybersecurity part of everyday habits—not just a one-time PowerPoint.
  • The frequency, duration, and detail of which shall correspond to the duties of each employee. Not everyone needs the same depth. A teacher might need tips on safe classroom tech use, while a payroll manager needs extra focus on data security. HB 96 gives you room to tailor content based on risk exposure.

Mandatory Incident Reporting

When something goes wrong, districts can’t afford to stay silent—or slow. HB 96 sets specific timelines for reporting cybersecurity incidents to state authorities. The goal is early coordination, not punishment. Quick reporting gives the state time to activate response teams, share threat intel, and help contain damage before it spreads.

  • 7 days → Notify the Executive Director of the Division of Homeland Security. If your district discovers a cyber or ransomware incident, you must notify Ohio Homeland Security within 7 days via the Ohio Cyber Integration Center (OCIC). This triggers a case number, optional NDA, and support from responders like the Ohio Cyber Reserve, FBI, or CISA if needed.
  • 30 days → Notify the Auditor of State. You’ll also need to report the same incident to the Auditor of State within 30 days. This helps track the impact on public resources and ensures districts are complying with risk management requirements.

What counts as a reportable incident?

Think: malware infections, ransomware, data breaches, suspicious logins, or compromise of personally identifiable information (PII). If there’s any impact to systems, sensitive data, or public services—it’s safer to report. And yes, even suspected attacks should be flagged early.

Ransomware Payment Restrictions

HB 96 also adds guardrails around one of the toughest decisions a district can face: whether to pay a ransom. Under the law, a district cannot pay or meet a ransom demand unless the school board formally approves it. That resolution must clearly explain why paying serves the public interest, creating transparency and ensuring the decision isn’t made under pressure or in isolation.

Timeline to Prepare: What K‑12 IT Leaders Should Do in 2025–2026

With a clear deadline on the calendar, now’s the time for districts to get organized. Ohio school districts need to be ready by July 1, 2026. That’s when the Auditor of State will start reviewing compliance with HB 96, now part of Ohio Revised Code § 9.64.

That gives districts a little over a year to build (and prove) a working cybersecurity program. Here’s a realistic prep timeline that avoids last-minute fire drills.

Fall 2025: Awareness + Gap Assessment

The first step is understanding where you stand. Before rushing into new policies, districts should take stock of what’s already in place, what’s missing, and how those gaps align with HB 96’s requirements. It’s about building a clear picture, so you’re not starting from zero.

  • Inventory policies, controls, and training programs. Review your current policies around passwords, device use, backups, incident handling, and staff training. Identify what’s documented, what’s outdated, and what’s still living in someone’s inbox.
  • Map district cybersecurity posture to NIST/CIS. Use a framework like NIST CSF or CIS Controls to assess strengths and gaps. These tools help you frame your cybersecurity maturity and prioritize improvements based on real-world risks—not guesswork.

Winter 2025–Spring 2026: Build & Formalize

Once you know the gaps, it’s time to get to work. This is the heavy-lifting phase: drafting your formal program, rolling out training, and setting up incident-handling processes that align with the new rules. You don’t need to be perfect, but you do need to be deliberate.

  • Draft cybersecurity program: Turn your assessment into a formal, board-ready document. It should define responsibilities, controls, and objectives, and show how they protect confidentiality, integrity, and availability of systems and data.
  • Update or create IRP: If you already have an incident response plan, tighten it up. If you don’t, now’s the time to create one that includes reporting steps, recovery procedures, and contact roles aligned with HB 96’s timelines.
  • Deploy training plan and phishing simulations: Build out staff training by role and risk level. Add phishing tests, checklists, or short refreshers to make it stick—don’t let it be another forgettable annual presentation.
  • Align with HB 96 reporting requirements: Map out how you’ll collect incident details, who’s responsible for submitting reports, and how quickly your district can notify OCIC and the Auditor of State after an event.

Summer 2026: Board Approval + Implementation

With the July 1 compliance date in sight, summer is your last checkpoint before reviews begin. This is the time to get your program officially adopted by the board and lock in all the key processes, from how you’ll report incidents to how you’ll handle ransomware demands if they ever land on your doorstep.

  • Present the cybersecurity program for board adoption. Your program needs formal approval before it’s considered compliant. Present it clearly—show the risks it addresses, how it aligns with state expectations, and how it protects students, staff, and learning continuity.
  • Lock in processes for incident reporting, documentation, and ransomware decision-making. Build a simple, documented playbook. Who reports? Who submits to OCIC and the Auditor? Who drafts board resolutions in the event of ransomware? You don’t want to figure this out mid-crisis.

School Year 2026–2027: Operationalize

With everything approved, the final step is to put your plan to work. This is where policy turns into practice—training your staff, watching for threats, and keeping everyone on the same page. HB 96 doesn’t require perfection—but it does expect follow-through.

  • Roll out staff training. Make training active, role-based, and part of your onboarding and annual calendar. Keep it short, useful, and easy to understand. The goal: reduce risky clicks and increase staff confidence.
  • Configure logging, incident detection, and asset visibility. Set up the tools to spot issues before they snowball. Think endpoint monitoring, email alerts, and geolocation tools that help you know what’s going on—and where.
  • Keep leadership informed with quarterly reviews. Bring key updates to your superintendent or board every few months. Highlight risks, show progress, and track any incidents. It keeps accountability high and makes budgeting easier next year.

The Regional Domino Effect

Ohio’s move reflects a broader wave of states formalizing cybersecurity standards for public schools. In 2024–2025, states such as Arkansas, Texas, Massachusetts, Oregon, Pennsylvania and Indiana introduced or passed K‑12 cyber laws that include training requirements, data‑protection policies, incident‑reporting mandates, and even funding for cyber insurance or response services.

Even if your district isn’t in Ohio, HB 96 is worth paying attention to. It’s a preview of what other states may require next. As these standards become more common, districts will need tools and vendors that align with trusted frameworks like NIST or CIS. Being proactive now means fewer headaches when your state decides to follow Ohio’s lead.

Why K-12 Districts Are Squarely in the Spotlight

Nowadays, schools check all the boxes that cyberattackers look for: lots of sensitive data, many users, and often limited security resources. Recent data shows that educational institutions are being hit repeatedly with ransomware, credential theft, and phishing attacks. That makes K‑12 districts especially vulnerable—and especially in need of a structured defense.

  • Phishing remains the most common threat vector. According to the 2025 DBIR, 77% of incidents in the education sector involved phishing—a clear sign that staff awareness and email security need attention across all roles.
  • Credential theft is still a top concern. About 24% of breaches in education were linked to stolen or compromised credentials. Password reuse, weak login policies, or compromised student portals often give attackers a way in.
  • Ransomware continues to hit schools hard. While ransomware was involved in 44% of breaches across all industries, the education sector still saw a 30% rate—underscoring how often attackers use extortion to pressure districts into payouts.

A Necessary Action

HB 96 is ultimately about building resilience, protecting your students, keeping systems running, and avoiding costs that come with preventable incidents. With the July 2026 compliance reviews around the corner, the smartest move is to start now. Early planning gives your team breathing room to prepare, test, and adjust before anyone’s asking for documentation.

Use Prey to track, secure, and monitor your district’s devices, all in one platform that supports audits, role-based access, and geofencing.
