Resident urges delay, stricter rules for Mount Vernon cybersecurity ordinance after 2022 ransomware
Summary
A resident criticized the proposed cybersecurity ordinance, citing gaps in the city's response to a December 2022 ransomware incident and urging clearer deadlines, reporting requirements and enforcement before the ordinance takes effect.
Joshua Morrison, a Third Ward resident, told the Mount Vernon City Council on Sept. 22 that the city’s proposed cybersecurity ordinance lacks clear timelines, enforcement and public-notification requirements and should be revised before taking effect.

Morrison said the city suffered a ransomware attack in December 2022 attributed to the LockBit group and criticized the city’s response and the proposed ordinance’s provisions. “Backups were attacked as well. Complete data was lost. Recovery was delayed,” he said, and added that a $24,000 bitcoin payment was authorized through a third party to retrieve city data but that “we don't know what we got for it.”

The ordinance under consideration is framed to comply with Ohio Revised Code section 9.64. At the meeting, Council Member Mahan gave the ordinance a second reading and indicated the council would be prepared to vote at the next meeting unless members request more work: “If you have questions, and wanna have an additional meeting, please let us know. But at this point, we'll be ready to vote at the next meeting,” he said.

Morrison urged tighter deadlines for incident reporting and stronger enforcement: the draft allows incidents to be reported up to seven days after an attack, he said, while the auditor of state must be notified within 30 days. “If you've ever had your identity stolen, that is way too long to start your cleanup efforts,” he said, and recommended notifying state and federal agencies within 24 hours and adding multi-factor authentication, patching, training and public communication plan requirements.

Morrison also raised concerns about the ordinance’s secrecy provisions and the ordinance’s emergency clause and effective date. He said the new ORC 9.64 goes into effect soon but that the city’s local ordinance “doesn’t have to go into effect until 07/01/2026” and that the council should “take the necessary time to get it right.”

Discussion vs. decision: the council completed a second reading of Ordinance 2025-28, “An ordinance adopting a cybersecurity policy for the city of Mount Vernon, Ohio in accordance with Ohio Revised Code 9.64 and declaring an emergency.” No vote to adopt the ordinance occurred at the Sept. 22 meeting; council members indicated they expect to take final action at the next meeting unless further questions are raised.

Clarifying details from the meeting: Morrison said the ransomware incident was officially listed as starting on Dec. 19, 2022, while some city employee emails suggest Dec. 15; he stated an outside contractor was the point of attack; he said a $24,000 bitcoin payment was made through a third party but said it was not clear who ultimately paid the ransom (city, vendor insurance, or other).

Why it matters: the ordinance sets the city’s procedural and reporting framework for cyber incidents and will affect how quickly residents and state authorities are notified and how the city enforces vendor and employee cybersecurity obligations.

What’s next: council members indicated the ordinance will be eligible for a final vote at the next meeting unless they request additional committee review. The ordinance remains under discussion; no formal adoption occurred Sept. 22.

