Article: Worthington Schools Adopts Cybersecurity Framework, Details Student Data Privacy Rules Under New Ohio Laws
Worthington Schools voted unanimously at its March 23, 2026 Board of Education meeting to adopt a formal cybersecurity program under new Ohio law. Chief Technology Officer Jeff Collett spent most of the meeting walking the board through two state laws that have changed how the district handles student data and digital security, then laid out what comes next: an AI policy due by July 21, 2026.
Senate Bill 29: Student data privacy
Senate Bill 29, signed in July 2024 and effective October 2024 (with a correction taking effect December 9, 2024), requires school districts to notify families annually by August 1 of every third-party technology relationship, make those contracts publicly accessible, and restrict monitoring of student devices and records.
To meet that requirement, Worthington now posts all vendor contracts in the Infinite Campus Parent Portal. As of the March 23 meeting, 215 contracts are available there. Collett noted the number differs from the count of approved technology resources because a single vendor contract can cover multiple products.
The district has catalogued its technology tools by approval status: 264 approved; 42 not requiring approval (typically no-login web tools where the vendor has certified no student data is collected); 135 under review; 91 designated "do not use" with student data; and 7 actively blocked with internet restrictions enforced. Blocked tools include those that would allow student data to be resold or are hosted on servers the district considers inappropriate.
The law also requires clear terms when a vendor relationship ends: the vendor must either return student data or certify its destruction, typically within 90 days (or as few as 30 days under some agreements).
For negotiating leverage with large vendors, Worthington joined a consortium that started with Ohio K-12 districts and has since expanded to seven states. "When Worthington Schools goes to negotiate with Google, they're not even going to have a discussion with us," Collett said. The consortium has its own legal team, uses standardized contract language, and lets new districts join existing agreements quickly as "rider" participants.
A new "exception" status is being introduced for edge cases where full compliance isn't yet achieved but reasonable assurances around data safety can be made. In those cases, parents will receive a waiver before the district proceeds.
During board Q&A, Board Member Kelli Davis asked whether student data is protected during the 90-day wind-down window after a vendor separation. Collett said there is no specific case law defining that period, but the district builds advance-notice requirements into contracts and vendors typically want to resolve their obligations quickly. Davis also asked whether the district finds comparable replacement tools when a resource is blocked. Collett called it "a big hurdle" but said his team uses the consortium's national network to identify alternatives, including checking whether districts in states with stricter data laws, such as California and New York, have approved comparable tools.
Board Vice President Stephanie Harless asked about Google's compliance with SB29. Collett said the district has accepted Google's legal terms for its core services and considers them compliant, but some specific services, including Google Earth and Google Translate, had to be disabled because they weren't covered by those terms.
House Bill 96: Cybersecurity mandates
House Bill 96, codified under Ohio Revised Code Section 9.64, requires all Ohio political subdivisions, including school districts, to adopt a cybersecurity program or framework meeting generally accepted best practices. The board met that requirement on March 23, voting 5-0 to approve Resolution I1.
Collett declined to publicly name the specific framework the district has adopted, citing a public records exemption built into the law. "We don't want to create a roadmap for hackers," he said.
Under HB96, the district must also adopt an AI policy by July 21, 2026. Collett said the district is in good shape on that front, given existing work by Assistant Superintendent Angela Adrean's team on AI guidelines and appropriate-use examples. "From an organizational lens, we are very mature with our understanding and implementation of AI," he said.
The law also requires annual cybersecurity training for all employees. Worthington already runs training at least twice a year, focused on phishing and spearphishing, which Collett called one of the district's biggest threat vectors. The district also runs phishing simulation exercises: employees who click a simulated link are automatically routed to remedial training.
HB96 defines what constitutes a cybersecurity incident, requires reporting to the state auditor's office and the Department of Homeland Security's local office, and requires advance public board approval for any ransom payment. Security-related procurement documents are now exempt from public records requests, and the board may hold executive sessions to discuss cyber incidents.
This year is expected to be the first in which the state auditor's office conducts a formal compliance audit under the new framework. Collett said the district has been working on related initiatives for years but acknowledged audit findings will likely turn up new work items.
Board discussion highlights
Board Member Nikki Hudson asked about the timeline for vendor notification of cybersecurity incidents. Collett confirmed that agreements covering non-PII data may allow a two-week window, while agreements covering personally identifiable information require faster timelines, in some cases 48 hours. He acknowledged the district has received notifications from vendors about incidents that occurred months earlier. "We've beefed up threat intelligence, intrusion monitoring," he said.
Board Member Sheena Costa Flowers asked whether the district's AI guidelines are flexible enough to stay relevant as technology keeps changing. Collett said the approach has been to keep them principle-based, focused on appropriate use rather than restriction, and that the existing student code of conduct already covers most of the relevant behaviors.
Board Vice President Stephanie Harless noted that the district's current AI policy was written to lead with appropriate uses rather than prohibitions. She said the policy under review will stay lean at the policy level, with guidelines providing more specific structure underneath.
Board President Amber Epling-Skinner brought up the 2024 Columbus City Schools cyberattack, noting that she and Davis were among those whose personal information was exposed. She urged Collett and Director of Communications Vicki Gnezda to have a solid crisis communications plan in place, pointing to Columbus's experience of spending millions on lawsuits, credit monitoring, and cybersecurity remediation. Treasurer TJ Cusick confirmed the district has raised its cyber insurance limits, though he declined to say how much. He noted that insurance carriers were already requiring training and other safeguards before HB96 passed, which pushed the district to act earlier than the law required.
Epling-Skinner also raised data record retention, pushing for regular audits to confirm the district isn't holding onto data it doesn't need. "Record retention, I think is critical in this too, that we are not holding on to records that we don't need to be holding on to," she said. Collett agreed, saying the district should treat all of its data, including third-party data and what it generates itself, as something that needs active management.
Next steps
- AI policy must be presented and adopted by July 21, 2026
- State auditor cybersecurity compliance audit expected in 2026
- Vendor contract renewals ongoing; current SB29 agreements are valid for three years
- Parents can review vendor contracts in the Infinite Campus Parent Portal