If you run a business in Ohio, two cybersecurity laws are about to change how you think about security. One creates hard deadlines for government entities that will ripple into the private sector. The other gives your business a legal shield if you get breached — but only if you've done the work ahead of time. Here's what both mean for you, in plain English.
Two Ohio Cybersecurity Laws That Matter Right Now
Ohio actually has two separate laws that work together to reshape the cybersecurity landscape for businesses in the state. Most articles only talk about one or the other. You need to understand both.
Ohio House Bill 96 (HB 96)
Signed into law in June 2025 as part of the state's operating budget, HB 96 requires every political subdivision in Ohio — counties, cities, townships, municipalities, and school districts — to adopt a formal cybersecurity program. Counties and cities had to comply by January 1, 2026. All other entities face a July 1, 2026 deadline.
These programs must align with recognized cybersecurity frameworks like the NIST Cybersecurity Framework or the CIS Critical Security Controls. Organizations must also report cyber incidents to the Ohio Cyber Integration Center within seven days and notify the Ohio Auditor of State within 30 days.
Ohio Data Protection Act (SB 220)
This law has been on the books since 2018, but most small businesses still don't know about it. The Ohio Data Protection Act provides a legal safe harbor for any business that creates, maintains, and follows a written cybersecurity program based on a recognized framework.
What does "safe harbor" mean? If your business suffers a data breach and you get sued, you can use your cybersecurity program as an affirmative defense. The court considers whether you had reasonable security controls in place. If you did, the lawsuit has a much harder time succeeding. If you didn't, you're exposed.
Why This Matters for Private Businesses
You might read about HB 96 and think, "That's a government thing. Doesn't apply to me." Technically, the mandate is aimed at public entities. But the ripple effects hit private businesses in three ways:
Your government clients will start asking
If you do business with counties, cities, school districts, or state agencies in Ohio, expect them to start asking about your security posture. As these entities build their own cybersecurity programs, they'll scrutinize the vendors and contractors they work with. If you can't demonstrate that you take security seriously, you may lose contracts.
The legal standard just got clearer
Between HB 96 and the Data Protection Act, Ohio has drawn a clear line: businesses that follow recognized cybersecurity frameworks get legal protection. Businesses that don't are on their own. If you get breached and can't show you had a program in place, a plaintiff's attorney will point to these laws and ask, "Why didn't you follow the standard that the state of Ohio itself laid out?"
Insurance carriers are watching
Cyber insurance carriers already require evidence of security controls before issuing policies. Ohio's laws give carriers another benchmark to point to. We're already seeing carriers in Ohio reference these frameworks during the underwriting process. If you want to learn more about how penetration testing helps with cyber insurance, we've written a detailed guide.
What Frameworks Does Ohio Recognize?
Both laws reference industry-standard cybersecurity frameworks. To qualify for the Data Protection Act's safe harbor, your cybersecurity program must "reasonably conform" to one of the following:
- NIST Cybersecurity Framework (CSF) — the most popular choice for small businesses. Five core functions: Identify, Protect, Detect, Respond, Recover.
- CIS Critical Security Controls — 18 prioritized security practices, from basic patching and access control up to penetration testing and incident response.
- ISO 27000 family — international information security standards.
- PCI DSS — required if you handle credit card data (must be combined with one of the above).
- HIPAA Security Rule — for healthcare organizations handling patient data.
- FedRAMP — for cloud service providers working with the federal government.
The law is intentionally flexible about which framework you choose. What matters is that you pick one, document your program, and actually follow it. The framework should be appropriate for your company's size, complexity, and the sensitivity of the data you handle.
Where Penetration Testing Fits In
Here's where it gets concrete. Most of these frameworks include penetration testing as either a requirement or a strong recommendation:
- CIS Control 18 specifically calls for penetration testing to validate that your security controls actually work.
- NIST CSF includes penetration testing under the "Identify" and "Protect" functions as a way to assess your current security posture.
- PCI DSS requires annual penetration testing and retesting after significant changes.
- HIPAA recommends regular risk assessments, which should include penetration testing for any organization serious about compliance.
A vulnerability scan can tell you what software is outdated. A penetration test tells you whether someone can actually break into your network, access your data, and move through your systems undetected. If you're not sure about the difference, read our breakdown of penetration tests vs vulnerability scans.
The bottom line: If you're building a cybersecurity program to qualify for Ohio's safe harbor protection, a penetration test isn't just a checkbox. It's the validation that proves your program actually works. Without it, you have policies on paper but no evidence they hold up in practice.
What a Cybersecurity Program Actually Looks Like
You don't need a Fortune 500 security department to build a program that qualifies. Ohio's law specifically says the program should be scaled to the size and complexity of your business. For a small or midsize company, that typically means:
- Written security policies. Document your rules around passwords, access control, data handling, acceptable use, and incident response. These don't need to be 200-page manuals; they should be clear, practical documents your team can actually follow.
- Technical controls. Firewall, endpoint protection, multi-factor authentication, encryption, patch management, and access controls. Most businesses already have some of these. The key is making sure they're configured correctly and applied consistently.
- Risk assessment. Identify what data you have, where it lives, and what threats are most relevant to your industry. This is where a penetration test provides enormous value — it gives you a real-world assessment of your risk, not a theoretical one.
- Employee training. Your people are your first line of defense. Regular security awareness training on phishing, social engineering, and data handling goes a long way.
- Incident response plan. Know what to do when something goes wrong. Who gets called? How do you contain the damage? How do you notify affected parties? HB 96 requires notifying the Ohio Cyber Integration Center within seven days, so this isn't optional.
- Regular testing. Test your defenses at least annually with a penetration test. Document the results and track remediation. This is what proves your program isn't just paperwork.
The July 2026 Deadline: What to Do Now
Even though HB 96's July deadline technically applies to government entities, the smart play for private businesses is to use the same timeline. Here's why: the Data Protection Act's safe harbor has no deadline. It's available right now. But if you get breached before you put a program in place, it's too late to claim the defense.
Here's a practical timeline for getting your business ready:
Now through April: Assess
- Choose a framework (NIST CSF is the most accessible for small businesses)
- Schedule a penetration test to get a clear picture of your current security posture
- Identify gaps between where you are and where the framework says you should be
April through May: Build
- Write your security policies based on the framework you chose
- Address the critical and high-severity findings from your penetration test
- Implement or upgrade technical controls where gaps exist
- Set up employee security awareness training
June: Validate
- Document everything — your policies, controls, training records, and test results
- Consider a retest to verify that the vulnerabilities found earlier have been resolved
- Review your incident response plan and make sure your team knows it
By July, you'll have a documented, framework-aligned cybersecurity program backed by real testing evidence. That's exactly what the Data Protection Act requires for safe harbor, and it's exactly what insurance carriers and government clients want to see.
Don't Wait for a Breach to Take This Seriously
We work with Ohio businesses every day that thought they were "too small to be a target" or assumed their IT provider had security covered. In almost every engagement, we find exploitable vulnerabilities — default credentials that were never changed, flat networks where one compromised machine gives access to everything, and infrastructure that nobody has monitored for years.
Ohio has given businesses a clear framework for protection. The law doesn't require perfection. It requires a reasonable, documented effort to secure your systems. A penetration test is the most direct way to prove you've made that effort — and to find the problems before an attacker does.
Get Ready Before July
Schedule a free consultation and we'll help you understand where your business stands against Ohio's cybersecurity framework requirements. No pressure, no jargon — just a clear assessment.
Book a Free Consultation