As cybersecurity becomes an ever-pressing concern for local governments, Ohio is taking bold steps to protect its communities with new regulations aimed at safeguarding sensitive data and critical services. I had the privilege of sitting down with Desiree Sainthrope, a legal expert with extensive experience in compliance and emerging technologies. With her deep understanding of regulatory frameworks, Desiree offers invaluable insights into how these new cybersecurity rules will reshape local governance in Ohio, the challenges communities face, and the broader implications for residents and public safety.
What inspired Ohio to roll out these new cybersecurity regulations for local governments?
Ohio’s new cybersecurity regulations are a direct response to the growing threat of cyberattacks on local governments. With sensitive data like court records, tax documents, and utility bills increasingly digitized, local entities are prime targets for malicious actors, including ransomware groups and nation-state operatives. The goal is to protect personal information and ensure that essential services aren’t disrupted by these attacks. It’s about building a resilient infrastructure that can withstand the evolving tactics of cybercriminals while maintaining public trust.
Can you walk us through the kinds of cyber threats local governments are up against today?
Local governments face a wide array of threats, from ransomware attacks that lock up critical systems to phishing schemes targeting employees. Ransomware, in particular, has been devastating, as it can halt access to vital services like emergency response or utility management. Recent incidents in places like West Chester Township and Huber Heights highlight just how disruptive these attacks can be, often leading to states of emergency or significant service interruptions. These threats aren’t just technical—they impact real lives and community safety.
What are the key requirements local governments must follow under this new law starting this week?
Starting immediately, local governments are required to report any cyber incident to both the Ohio Department of Public Safety and the Ohio Auditor’s Office. This ensures swift state-level coordination and oversight. Additionally, if a local government is considering paying a ransomware demand, they can’t do it behind closed doors. A public resolution from their council or board is mandatory, promoting transparency and accountability in such high-stakes decisions.
How are the compliance deadlines structured for different types of local entities in Ohio?
The law sets staggered deadlines to give entities time to adapt. County and city governments must have comprehensive cybersecurity programs, including employee training, in place by January 1. Other local entities, such as smaller townships or special districts, have a bit more time, with a deadline of July 1. These timelines are designed to balance urgency with the practical challenges of implementation, especially for under-resourced areas.
From what you’ve seen, how prepared are local governments to meet these new standards?
Preparation varies widely. Some areas, like Dayton and Kettering, have already been proactive, with robust cybersecurity frameworks in place. For them, the new law is more about formalizing existing practices through documentation and reporting. Others, especially smaller communities, are still catching up and may need to overhaul their systems. Feedback from places like Huber Heights shows a commitment to aligning with the law, but it’s clear that not every locality started from the same baseline.
What kind of support or obstacles are local governments encountering as they work toward compliance?
The state is providing some guidance, which is critical for compliance, but resources can be limited, especially for smaller towns or counties with tight budgets. Larger cities might have dedicated IT teams, but rural areas often struggle to allocate funds or expertise for cybersecurity. There’s a real disparity in capacity, and while the state’s intent is to bolster security across the board, the challenge lies in ensuring equitable access to tools and training for all communities.
How does the law address the risk of cybersecurity information falling into the wrong hands?
One of the smarter provisions in this law is the exemption of certain cybersecurity records from public disclosure. This means that detailed plans, vulnerability assessments, or incident reports won’t be accessible through public records requests. By keeping this information under wraps, the law prevents cybercriminals from using it to map out weaknesses in local systems, effectively reducing the risk of targeted attacks.
What kind of impact do you anticipate these regulations will have on Ohio residents?
For most residents, the changes will likely be behind the scenes. They might not notice immediate differences in how services are delivered, but the enhanced protections should mean fewer disruptions from cyberattacks. Over time, as systems become more secure, there’s potential for greater confidence in how personal data is handled by local governments. However, if compliance costs strain budgets, some communities might face indirect effects like reduced funding for other services.
Looking ahead, what is your forecast for the future of cybersecurity in local governance?
I expect cybersecurity to remain a top priority as threats continue to evolve, particularly with the rise of sophisticated AI-driven attacks. Ohio’s regulations are a strong starting point, but they’ll need to adapt to new challenges, like deepfake scams or IoT vulnerabilities in municipal systems. I foresee more collaboration between state and local entities, possibly with increased federal funding or partnerships with private tech firms. The key will be staying proactive rather than reactive, ensuring that protections keep pace with the ingenuity of cybercriminals.
