Dive Brief:
- Ohio passed a law that requires local governments, school districts and water authorities in the state to establish cybersecurity programs to prevent, detect and respond to cyberattacks. Localities must also report cyberattacks to the state’s Department of Public Safety within seven days of the breach.
- The new regulations restrict local governments from paying ransoms from cyberattacks without first getting approval from their legislative authority and publicly outlining why compliance with the ransom “is in the best interest” of the local government.
- The legislature approved the mandate, which goes into effect Sept. 30, without any state funding for local governments to implement the measures.
Dive Insight:
There were 859,532 complaints of suspected cyber crimes in the U.S. last year, according to the Federal Bureau of Investigation’s latest Internet Crime Report. That number is down 2.4% from the year before. However, reported losses from internet crimes last year were $16 billion — a 33% surge year over year.
Cyberattacks are growing more sophisticated with the help of generative AI, according to the FBI. And with fewer resources and outdated systems, local governments are becoming a popular target.
“In minor cases, criminals leverage unauthorized email access to redirect an employee’s paycheck,” Phillip Harmon, an associate in Woods Rogers’ Cybersecurity and Data Privacy Practice, recently wrote in American City & County. “Catastrophic ransomware attacks, perpetuated by established criminal enterprises, can grind all operations to a complete halt, sometimes impacting critical health and safety systems like 911 dispatch centers.”
A ransomware attack in Columbus, Ohio, compromised the data of half a million people last year, and a cyberattack on an Ohio health system in May caused a system-wide tech outage.
In July, Columbus approved a $23 million investment in its IT infrastructure to bolster its cybersecurity measures.
As local governments across the country attempt to strengthen cybersecurity measures, however, many must do so within tight budget constraints. In an executive order earlier this year, the Trump administration placed more responsibility on state and local governments to handle cybercrimes.
While Ohio is not offering additional state funding for municipalities to implement cybersecurity programs, it is offering free annual cybersecurity training. CyberOhio, a government agency that coordinates all cybersecurity activities in the state, said this is “a foundational component of cyber risk reduction.”
