Citizen Portal
Sign In

Council reviews cybersecurity ordinance tied to state law; county IT outlines reporting and policy requirements

5854703 · September 23, 2025

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

Council heard a second-reading presentation of Ordinance 25-28, a cybersecurity policy assembled to comply with state House Bill 96 and ORC provisions; Knox County CIO said the ordinance provides a framework, requires ransomware reporting within seven days, and would prohibit ransom payments without legislative approval.

City Council committee reviewed Ordinance 25-28, a proposed municipal cybersecurity policy prepared to meet recent state requirements and guidance.

Kyle Webb, chief information officer for Knox County (which provides IT services for the city), told committee the ordinance implements elements of House Bill 96 and the Ohio Revised Code provision he cited (ORC 9.64 as referenced in committee). Webb said the law requires political subdivisions to adopt cybersecurity policies and noted two operational duties the state emphasized: reporting ransomware incidents to the Ohio Department of Public Safety within seven days and making any ransom payment only following legislative approval. "If you're gonna pay a ransom for ransomware ... it has to come to legislation," Webb said, summarizing the statutory requirement discussed in committee.

Webb and city IT staff described the proposed ordinance as a policy framework that meets state standards; they recommended adopting it as a baseline while continuing to develop more detailed operational response plans, contact lists and department-level procedures. Webb said the city already has begun implementing several best practices, including multi-factor authentication and monthly municipal technology board meetings, and that insurance requirements also push for stronger cyber controls.

Council members discussed balancing specificity with flexibility so the city is not bound to rigid procedures that become obsolete; one council member asked about the operational annex (incident-response plan) and Webb said the ordinance intentionally references a separate, more detailed operational plan that can be updated without amending the ordinance. Webb also said the city will change council email accounts to .gov addresses on Oct. 1 and walk members through the sign-in change. Committee indicated it will request an amendment to designate the safety service director (rather than the utilities director) as a lead contact listed in the ordinance's section assigning incident authorities.