
Auditor’s office backs bill banning most ransomware payments, with local-control exception

June 17, 2025 | Technology and Innovation, House of Representatives, Committees, Legislative, Ohio


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

The Ohio House Technology and Innovation Committee considered House Bill 283 in its second hearing, listening to testimony from Tori Scholl, director of policy and legislative affairs for Auditor of State Keith Faber, who spoke in support of the bill.

The bill would ban political subdivisions from paying or complying with ransomware demands, but it includes a compromise: a local legislative authority may approve a ransom payment if it adopts a resolution explaining why the payment is in the public interest. "In house bill 283, it now includes a compromise which allows [a] legislative authority to pay your cybersecurity ransom if the local authority adopts a resolution explaining why the payment or compliance is in the public interest," Scholl told the committee.

Supporters framed HB283 as a practical measure to require local governments to prepare for and report cyber incidents while preserving limited local discretion for rare cases; witnesses stressed reporting timelines and record exemptions to protect investigations.

Scholl outlined three main components of the bill. First, the draft generally prohibits political subdivisions from paying or complying with ransomware demands but preserves a local-resolution exception so elected local officials can authorize payment in narrowly defined circumstances. Second, the bill would require each political subdivision to adopt a cybersecurity program appropriate to its needs; the auditor’s office provided a nonexclusive list of six recommended elements and referenced NIST (National Institute of Standards and Technology) and the Center for Internet Security as scalable guidance. Third, HB283 would require political subdivisions to notify the Ohio Department of Public Safety (DPS) within seven days of a cyber incident and to notify the auditor’s office within 30 days.

Scholl told the committee the reporting deadlines reflect the differing roles of the agencies: DPS can provide immediate cyber response assistance, while the auditor’s office needs incident information during its audits. She also said the bill would exempt cybersecurity program records, incident reports to DPS and the auditor’s office, and cybersecurity procurement records from public records law to avoid exposing vulnerabilities.

Scholl provided state-level figures about recent incidents: since January 2023 the auditor’s office has been told of at least 221 incidents with nearly $11,200,000 in reported losses; roughly $3,400,000 of those losses were recovered or stopped, leaving approximately $7,800,000 in net loss among the reported cases, she said. She cautioned those figures are based on reports made to the auditor’s special investigations unit and are not exhaustive.

Committee members asked whether the bill should require a single baseline standard rather than leaving program contents to local discretion. Scholl said early drafts had contained more prescriptive language but that local governments and associations pushed for flexibility; the bill instead references NIST and CIS guidance so local entities can adopt scalable standards the auditor will audit against.

A member noted the policy dilemma: a strict statewide ban could prevent what might be a low-cost payment that avoids greater recovery expenses, while permitting payments risks creating a precedent of ransom payments. Scholl said the compromise preserves local control while ensuring public notice and auditability.

The committee received testimony and questions but did not take a vote on HB283 at the hearing; sponsors and interested parties will continue to refine implementation details, including the audit process and the public-records exemptions.
