Laws in Indiana, Minnesota and Ohio take aim at preventing cyberattacks — a growing threat that can impact school operations, staff and students

State K-12 education systems rely heavily on the “internet of things,” both for the instruction of students and in everyday operations.

Teachers upload homework assignments onto cloud portals. Daily attendance numbers and student grades are tracked and shared electronically. Digital payment systems are set up with external vendors. Students participate remotely in college-level coursework and career and technical education programs.

For all these reasons and more, when a cyberattack hits a school’s information technology infrastructure, the consequences can be severe.

“Ransomware costs themselves can be quite high [for schools], and then there’s the more-difficult-to-quantify cost associated with the loss of personnel data and student data that’s then later misused,” explains Reg Leichty, a legal and policy adviser to the Consortium for School Networking, an association of K-12 education technology leaders.

U.S. states are stepping in to address these threats — from the adoption of rules on incident reporting and new cybersecurity standards, to targeted financial assistance for schools, to more training for school staff and learning opportunities for students.

When a cyberattack hits …

The prevalence of cyber incidents appears to be quite high.

Over 18 months, between July 2023 and December 2024, the Center for Internet Security and the Multi-State Information Sharing & Analysis Center assessed cyber-threat risks among school systems across the country. Their 2025 report found that 82 percent of K-12 organizations experienced a cyber incident of some kind, with attackers mostly exploiting human behavior through phishing scams and malicious advertisements.

A 2023 incident from Minnesota underscores the seriousness of ransomware attacks on schools, Leichty says. That year, cybercriminals hit the Minneapolis Public School District.

According to The 74, a nonprofit news outlet focused on education, perpetrators gained access to around 157 terabytes worth of data containing the sensitive information of more than 105,000 people. When the school district refused to pay the ransom of $4.5 million in cryptocurrency, many of these files were then posted on the dark web.

“The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications,” The 74 reported at the time.

State-level requirements

At the state level, one option is to centralize incident reporting as well as cybersecurity protection standards and responses, as opposed to relying on a patchwork of local policies.

Minnesota’s HF 5216, signed into law in 2024, requires schools and local governments to report cyber threats to the Commissioner of Public Safety within 72 hours. A report detailing cyber-threat instances and responses will be submitted annually to the governor and Legislature.

This year, Ohio legislators passed a law directing the state’s political subdivisions, including school districts, to not pay ransom demands in most cases. HB 96 also requires the reporting of cyber incidents to the Ohio Department of Public Safety and the state auditor within seven and 30 days, respectively. Additionally, schools must adopt safeguard policies based on national cybersecurity best practices.

At the federal level, the Cyber Incident Reporting for Critical Infrastructure Act was signed into law in 2022. Among its provisions: require certain infrastructure sectors — including preK-12 schools and postsecondary institutions — to report instances of cyber threats and ransomware to the U.S. Department of Homeland Security within 24 to 72 hours.

Final rules for this new reporting mechanism are due by May 2026.

‘Proactive’ in Indiana

In early 2025, the Consortium for School Networking singled out a few states for having comprehensive approaches to cybersecurity protection: “strengthening institutional leadership, protecting sensitive information, expanding professional development requirements, and creating sustainable funding mechanisms for cybersecurity initiatives.”

Indiana was one of the consortium’s “spotlight states.”

SB 150 of 2024 and SB 472 of 2025 direct the Indiana Office of Technology and State Department of Education to develop cybersecurity-use standards. These standards will be available for all school districts to use as a guide by the end of 2027.

Rep. Matt Lehman

Also in Indiana, school employees must complete training in cybersecurity best practices. And any school corporation connecting to the state government’s technology infrastructure must first complete a cybersecurity assessment, use a secondary end-user authentication mechanism, and comply with the cybersecurity standards.

“We’re trying to be proactive more than we are reactive,” says Rep. Matt Lehman, a chief sponsor of both bills.

He notes that another provision in SB 150 created the Artificial Intelligence Task Force. The result, Lehman says, has been more discussion around the responsible use of AI in the public sector and its links to cybersecurity.

A proposed amendment to SB 472 would have created a state grant program to help Indiana school districts pay for cybersecurity insurance.

According to the consortium’s “2025 State of EdTech District Leadership, 59 percent of school districts reported that they were paying more in cyber-insurance premiums. Another 22 percent reported an increase in their deductibles.

Funding for the program would have partially come from civil fines paid by adult-content websites that violate Indiana’s new age-verification rules. The final version of SB 472 did not include this amendment.

But at least one state outside the Midwest is now helping schools with the rising cost of cybersecurity insurance.

Arkansas legislators created the Self-Funded Cyber Response Program in 2023 (HB 1780) to act as a secondary coverage plan for schools. Two years later, they directed the State Insurance Department to administer coverage to districts participating in multi-school insurance programs (HB 1821/SB 481) and appropriated $10 million to the Cyber Response Program.

‘Get kids involved’

Another policy option is to incorporate cybersecurity into the K-12 curriculum.

Starting this year in North Dakota, high school students must complete a course in computer science or cybersecurity in order to graduate (HB 1398 of 2023). These subjects also must be taught to students in the state’s elementary and middle schools.

In Nebraska, lawmakers considered, but did not pass, the Holistic Approach to Cybersecurity for K-12 Education Resource Act. Along with establishing state cybersecurity standards and developing a funding mechanism for schools based on tiers of need, LB 599 called for the State Board of Education to create new curriculum standards on digital citizenship.

Sen. Wendy DeBoer

The board also would have been tasked with building new career pipeline programs. These opportunities could have come in the form of high school internships at cybersecurity companies, or financial incentives for postsecondary cybersecurity majors to live and work in Nebraska (particularly rural areas) for a set number of years upon graduation.

“The idea was to get kids involved in the field younger … into areas that we think there’ll be some growth in terms of jobs in the future,” says Sen. Wendy DeBoer, the author of LB 599.