Zero Trust for SMBs: A Practical Implementation Guide
Introduction: Why Zero Trust Matters for Your Business
13 min read
Palindrome Technologies, Jul 2, 2025 11:42:18 AM
The digital landscape presents an ever-evolving challenge for businesses of all sizes, but none are more acutely vulnerable than small and medium-sized businesses (SMBs). These enterprises frequently operate with limited budgets, smaller staff, and less specialized technical expertise, making them prime targets for malicious cyber activity.
The consequences of a successful cyberattack can be devastating, ranging from direct financial losses due to stolen funds to prolonged operational downtime that cripples daily functions. Beyond immediate monetary impacts, a breach can inflict lasting reputational harm, eroding customer trust and threatening the very survival of the business. Common attack vectors that disproportionately affect SMBs include sophisticated phishing and social engineering schemes, devastating ransomware attacks, and vulnerabilities stemming from poor patch management or weak password practices.
Recognizing this critical vulnerability, the Texas Legislature has enacted Senate Bill 2610 (SB 2610), a landmark legislative effort designed to proactively address these cybersecurity challenges within the state's small business community. At its core, SB 2610 establishes a legal "safe harbor" for businesses that proactively adopt and diligently maintain recognized cybersecurity frameworks and best practices. Signed into law by Governor Greg Abbott on June 20, 2025, this pivotal legislation aims to protect compliant businesses from punitive lawsuits in the event of a data breach, specifically by shielding them from exemplary damages. The law is set to take effect on September 1, 2025, underscoring the urgency for businesses to prepare.
For small business owners, this legislation represents a significant opportunity and a strategic advantage, rather than an additional regulatory burden. It embodies a "carrot, not a stick" philosophy, meaning it incentivizes and rewards good cybersecurity practices by reducing legal exposure, instead of imposing new penalties or obligations. This bill provides clear guidance and a tangible layer of protection, ultimately helping small businesses stay secure, mitigate risks, and remain focused on their core mission of serving their communities.
The legislative analysis of SB 2610 consistently highlights its purpose to "bolster Texas' economic resilience, reduce burdens on small businesses, and enhance consumer confidence in the state's marketplace". This framing suggests a strategic economic motivation behind the legislation. By incentivizing widespread cybersecurity adoption among its small business sector, Texas aims to create a more secure and trustworthy digital environment across the entire state. This proactive approach is designed to reduce the collective financial and reputational impact of cyberattacks, potentially attracting more investment and fostering greater consumer trust in Texas businesses. The state views robust cybersecurity as a critical component of its economic infrastructure, and SB 2610 is a policy tool to achieve this larger economic resilience, benefiting the entire state ecosystem, not just the individual compliant business.
At its core, Texas SB 2610 amends the Business & Commerce Code to specifically prohibit the recovery of "exemplary damages" in civil actions arising from a breach of system security. Exemplary damages, often referred to as punitive damages, are distinct from compensatory damages. They are awarded by a court not to compensate an individual for actual losses, but rather to punish a defendant for egregious conduct and to deter similar actions in the future. This legal shield represents a significant limitation on a business's potential financial exposure in the aftermath of a data breach. It is crucial to understand, however, that this safe harbor is not a blanket immunity from all liability. Businesses can still be held liable for actual damages—such as direct financial losses or the costs of identity theft monitoring—incurred by individuals as a direct result of a breach. The protection afforded by SB 2610 is specifically against the punitive element of damages.
The applicability of SB 2610 is defined by two clear-cut criteria for Texas businesses:
The business entity must be operating within the state of Texas and have fewer than 250 employees. This employee count refers to the total number of individuals employed by the entity.
The business must own or license computerized data that includes sensitive personal information. This is a broad category that encompasses most businesses that handle customer or employee data digitally.
The law defines "sensitive personal information" and "personal identifying information" according to Section 521.002 of the Texas Business & Commerce Code. Generally, this includes data elements such as Social Security numbers, driver's license numbers, financial account numbers, credit card details, and health information.
The safe harbor protection afforded by SB 2610 is conditional. It applies only if the business can demonstrate that, at the time of the breach, it had actively implemented and was diligently maintaining a cybersecurity program that fully complies with the specific requirements outlined in Section 542.004 of the Business & Commerce Code. This "demonstration" aspect is critical and underscores the importance of thorough documentation.
It is equally important to understand what the law does not do. SB 2610 does not create a new private cause of action or alter existing common law or statutory duties. This means individuals cannot sue because of this specific law; rather, the law provides a defense against exemplary damages within existing legal frameworks. Furthermore, it does not affect the certification of an action as a class action, nor does it limit the authority of the Texas Attorney General to seek any legal or equitable remedies under existing state laws.
While the law clearly sets the 250-employee limit for applicability and scales requirements based on employee tiers, a critical nuance emerges from analysis of the bill's intent. Several sources highlight that "many businesses with small employee counts handle large volumes of sensitive data". For instance, a 10-employee law firm might manage thousands of client files, including Social Security numbers and health records, or a small dental practice could store extensive patient health histories and billing information. In such contexts, simply meeting the "simplified" or "moderate" requirements for their employee tier might not be truly "reasonable" or sufficient given the volume and sensitivity of the data they process. This points to a potential pitfall for small businesses. Businesses, regardless of their employee count, must conduct a thorough, data-centric risk assessment to determine the appropriate level of security needed for the specific data they handle. This might mean adopting a more robust framework than the minimum suggested for their employee tier. Failure to do so, even if technically compliant with the employee-based tier, could still lead to a breach resulting in significant actual damages and reputational harm, potentially undermining the spirit of the safe harbor. This emphasizes the need for a nuanced understanding of "reasonable" cybersecurity that extends beyond mere headcount.
For a cybersecurity program to qualify for the safe harbor under SB 2610, it must meet several fundamental criteria:
It must conform to an industry-recognized cybersecurity framework, as detailed by the bill.
It must be explicitly designed to:
Protect the overall security of PII and sensitive PII.
Protect against any potential threat or hazard to the integrity of such information.
Protect against unauthorized access to or acquisition of PII and sensitive PII that could foreseeably result in a material risk of identity theft or other fraud to the individual whose information is compromised.
The law demonstrates a practical understanding of small business realities by scaling cybersecurity requirements based on employee count. This tiered approach acknowledges that businesses of different sizes have varying resources and complexities. The following table summarizes these scaled requirements:
Table 1: Scaled Cybersecurity Requirements by Employee Count

Employee Count | Required Cybersecurity Measures
Fewer than 20 employees | Simplified requirements, including password policies and appropriate employee cybersecurity training
At least 20 but fewer than 100 employees | Moderate requirements, including the requirements of the Center for Internet Security Controls Implementation Group 1 (CIS Controls IG1)
At least 100 but fewer than 250 employees | Compliance with the requirements of an industry-recognized cybersecurity framework (e.g., NIST Cybersecurity Framework, HITRUST CSF)
Businesses covered by HIPAA, HITRUST, Gramm-Leach-Bliley Act, or PCI DSS | Businesses already in full compliance with these standards will be considered covered under the safe harbor law
The bill provides a comprehensive list of industry-recognized cybersecurity frameworks and standards that satisfy its requirements. This flexibility allows businesses to choose a framework that best fits their specific operations and risk profile:
General Frameworks:
NIST Special Publications 800-53 and 800-53A
The Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework (FedRAMP)
The Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS Controls)
The ISO/IEC 27000-series information security standards
The Health Information Trust Alliance's Common Security Framework (HITRUST CSF)
The Secure Controls Framework (SCF)
Other similar frameworks or standards of the cybersecurity industry.
Federal Laws/Standards (if applicable to the business):
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Title V, Gramm-Leach-Bliley Act (GLBA)
The Federal Information Security Modernization Act of 2014 (FISMA)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
A notable aspect of the bill is its explicit allowance for "any combination of current versions" of the listed frameworks. This provision offers businesses significant flexibility. Instead of being locked into a single, potentially overwhelming framework, entities can strategically select and combine elements from different frameworks that best suit their specific risk profile and operational needs. For example, a small healthcare provider might combine HIPAA compliance requirements with specific NIST controls to create a tailored program. This approach allows businesses to optimize resource allocation while still achieving compliance, demonstrating an understanding that a "one-size-fits-all" approach to cybersecurity frameworks is impractical for diverse small businesses. This flexibility can lead to more effective and sustainable cybersecurity programs.
Furthermore, the bill specifies that a qualifying program must be "designed to... protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud". This phrasing adds a qualitative layer to the compliance requirement. It's not merely about implementing controls; it's about ensuring those controls are effective in preventing specific, high-impact outcomes such as identity theft or fraud. This means businesses should regularly assess the effectiveness of their controls against these specific risks, rather than just checking off boxes. It encourages a risk-based approach to cybersecurity, where the ultimate goal is to prevent harm to individuals, which in turn protects the business. This goes beyond mere technical implementation to a focus on the desired outcome of the security program.
Finally, the law addresses updates to these standards. If any standard in the list (excluding federal laws or PCI DSS) is published and updated, a business entity's cybersecurity program continues to meet the requirements if the entity updates the program to the new standard by the later of the implementation date published in the updated standard or the first anniversary of its publication. This provision ensures that compliant programs remain current with evolving cybersecurity best practices.
Texas SB 2610 represents a significant shift in the cybersecurity paradigm, moving from a focus on punishment to one of proactive protection. As previously mentioned, the law is a "carrot, not a stick". It does not impose new cybersecurity obligations or penalties on businesses; instead, it encourages proactive investment in cybersecurity by offering meaningful protection when incidents occur despite best efforts. This contrasts sharply with traditional legal landscapes where businesses might face severe punitive damages after a breach, regardless of their prior efforts to secure data.
The economic incentive provided by SB 2610 is substantial. By reducing the risk of exemplary damages, the law significantly limits a business's potential financial exposure in the event of a data breach. This can be a game-changer for small businesses, which often lack the deep pockets of larger corporations to weather such lawsuits. The effectiveness of such incentives is not merely theoretical; similar safe harbor laws introduced in Ohio (2018) and Utah (2021) have already led to a "significant increase in investments in cybersecurity by SMBs", demonstrating the real-world impact of legislative encouragement.
Beyond the direct legal protection, adopting recognized cybersecurity frameworks inherently improves a business's overall security posture, thereby reducing the likelihood and impact of breaches. This proactive approach leads to a cascade of broader benefits, including reduced operational downtime, preservation of customer trust, and protection of brand reputation—all critical factors for long-term survival and growth. Essentially, SB 2610 frames cybersecurity not just as a compliance checkbox, but as a critical business function and an essential legal shield.
Furthermore, the bill's aim to "enhance consumer confidence in the state's marketplace" suggests an indirect market signal. In an era where data breaches are increasingly common and consumers are more aware of data privacy concerns, businesses that can demonstrate their commitment to robust cybersecurity, potentially by publicly advertising their adherence to a recognized framework, might gain a significant competitive edge. This could position compliance with SB 2610 as a de facto quality mark, leading to increased customer trust and potentially attracting more business compared to competitors who do not prioritize cybersecurity. This broader implication for market dynamics underscores that the benefits extend beyond legal defense to tangible business growth.
To leverage the protections offered by Texas SB 2610, small businesses must take proactive and systematic steps to implement and maintain a compliant cybersecurity program.
Before implementing any cybersecurity solution, it is imperative to identify what sensitive personal information your business collects, stores, processes, or transmits. This foundational step is crucial because the effectiveness of your cybersecurity measures hinges on knowing what you are protecting. Conduct a thorough risk assessment to understand where your data resides, who has access to it, and what vulnerabilities exist within your systems and processes. Prioritize cybersecurity measures that protect your most critical assets and the most sensitive data. This approach directly addresses the nuance that cybersecurity should be driven by data risk, not solely by employee headcount, ensuring that your efforts are truly effective.
Choose an industry-recognized cybersecurity framework that aligns with your business size, industry, and, crucially, the sensitivity and volume of data you handle. As outlined in Table 1, the law provides scaled requirements. For smaller businesses with fewer than 20 employees, focus on simplified requirements such as strong password policies and basic, appropriate employee cybersecurity training. Businesses with 20 to 99 employees should consider implementing moderate requirements, including those of the Center for Internet Security Controls Implementation Group 1 (CIS Controls IG1). For businesses with 100 to 249 employees, more comprehensive frameworks like the NIST Cybersecurity Framework or the Health Information Trust Alliance's Common Security Framework (HITRUST CSF) are good starting points. If your business is already subject to federal regulations like HIPAA, GLBA, or PCI DSS, full compliance with those standards will also qualify for the safe harbor. Remember the flexibility the law offers: it allows for the combination of frameworks, enabling a tailored approach that best suits your specific needs and optimizes resource allocation.
The safe harbor protection applies only if your business can demonstrate that it implemented and maintained a compliant program at the time of a breach. Without proper documentation, proving compliance will be exceedingly challenging. Create clear, written policies for all aspects of your cybersecurity program, including password management, data handling procedures, incident response protocols, and employee training guidelines. Maintain meticulous records of all training sessions, risk assessments, audit results, and any security incidents, along with their resolutions. Documenting your security management process, including risk analysis and remediation plans, is crucial for demonstrating ongoing adherence. Documentation is not merely a formality; it is a legal necessity for securing the safe harbor.
Administrative, technical, and physical safeguards form the core components of any effective cybersecurity program and are explicitly required by SB 2610.
Administrative Safeguards: Define clear roles and responsibilities for cybersecurity within your organization. Establish comprehensive security policies that guide employee behavior and system use. Critically, manage vendor and third-party relationships by vetting their cybersecurity posture and ensuring contracts include appropriate security clauses.
Technical Safeguards: Implement multi-factor authentication (MFA) for all accounts accessing sensitive data. Enforce the use of strong, unique passwords and consider using a password manager. Encrypt sensitive data both in transit and at rest. Utilize up-to-date antivirus and anti-malware software. Ensure continuous vulnerability management and prompt patching of all software and systems to address known vulnerabilities. Implement role-based access controls to limit access to sensitive data only to those who require it for their job functions.
Physical Safeguards: Secure physical access to your data centers, servers, and any devices storing sensitive information.
Human error remains a primary vulnerability in cybersecurity defenses. Your employees are your first line of defense, and their awareness is paramount. Conduct regular, mandatory cybersecurity awareness training for all employees. Training should cover topics such as phishing recognition, best practices for password hygiene, safe use of cloud applications, and how to identify suspicious links or attachments. Provide refresher training whenever there is a material change to policies or procedures. Consider conducting simulated phishing emails to test and improve employee detection skills. Foster a culture where employees feel comfortable reporting suspicious activity or potential breaches without fear of reprisal.
No system is 100% breach-proof. A well-defined and regularly tested Incident Response Plan (IRP) is crucial for minimizing the damage from a breach and for demonstrating proactive management, which supports your claim to the safe harbor. Create a written IRP that clearly outlines the steps for detection, containment, eradication, and recovery. Define specific roles and responsibilities for your incident response team, establish clear communication protocols (both internal and external, including law enforcement and insurance providers), and detail data backup and recovery procedures. Crucially, regularly test your IRP through tabletop exercises to identify weaknesses and ensure all personnel understand their roles. A robust IRP not only helps your business recover from a breach but also strengthens the argument that you maintained a diligent and compliant program.
The cyber threat landscape is dynamic and constantly evolving; a static cybersecurity program will quickly become ineffective. To maintain compliance and effective protection, your program must be a living document. Conduct annual policy reviews and updates to ensure they remain relevant and effective. Perform regular risk assessments and audits, ideally quarterly or at least biannually, to identify new vulnerabilities and assess the effectiveness of your controls. Continuously monitor for potential entry points and undetected threats. Ensure your program adapts to new threats, technologies, and changes in your business operations.
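The data-inventory and framework-selection steps above can be made concrete in code. The following Python is an added example, not part of the original post or any Palindrome Technologies tooling: it scans constructed sample records for the sensitive data element types named in Section 521.002 (SSN, driver's license, financial account or card numbers, health information), then recommends a minimum tier using both headcount (Table 1) and data sensitivity, so that a 10-employee firm holding several categories of sensitive data is not steered to the "simplified" tier. The regex patterns, the driver's-license format and the scoring thresholds are assumptions for the demo.

```python
"""Data-centric risk triage for an SB 2610 program (added example, not from the
original post). Patterns and thresholds are simplified assumptions."""
import re
from collections import Counter

# Simplified heuristics for the demo; real discovery tooling should validate
# formats (e.g. SSN area/group rules) and consider surrounding context.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "drivers_license": re.compile(r"\bDL[- ]?\d{7,9}\b"),  # assumed format
    "health_info": re.compile(r"\b(?:diagnosis|ICD-10|prescription)\b", re.I),
}

# Constructed sample records (no real data).
SAMPLE_RECORDS = [
    "client=J. Doe ssn=123-45-6789 matter=estate",
    "patient=A. Roe diagnosis: hypertension ICD-10 I10",
    "invoice 4471 card 4111 1111 1111 1111 exp 12/27",
    "vendor=Acme Supply contact=ops@example.com",
    "employee=B. Poe DL-12345678 hire=2024-03-01",
]

TIER_SIMPLIFIED = "simplified"
TIER_MODERATE = "moderate (CIS Controls IG1)"
TIER_FULL = "full framework (e.g. NIST CSF, HITRUST CSF)"


def inventory_sensitive_elements(records):
    """Count how many records contain each sensitive element type."""
    counts = Counter()
    for rec in records:
        for name, pat in SENSITIVE_PATTERNS.items():
            if pat.search(rec):
                counts[name] += 1
    return counts


def headcount_tier(employees):
    """Table 1 tiers from the post; 250 or more employees is outside SB 2610."""
    if employees >= 250:
        return None
    if employees < 20:
        return TIER_SIMPLIFIED
    if employees < 100:
        return TIER_MODERATE
    return TIER_FULL


def recommended_tier(employees, counts):
    """Raise the headcount tier when data risk is high; never lower it.

    Assumed heuristic: 1000+ sensitive records or three or more element
    types warrant a full framework; any sensitive data warrants at least
    the moderate tier.
    """
    base = headcount_tier(employees)
    if base is None:
        return None
    total = sum(counts.values())
    kinds = len(counts)
    if total >= 1000 or kinds >= 3:
        return TIER_FULL
    if total >= 1 and base == TIER_SIMPLIFIED:
        return TIER_MODERATE
    return base


if __name__ == "__main__":
    found = inventory_sensitive_elements(SAMPLE_RECORDS)
    print(dict(found))
    print("10 employees, headcount tier:", headcount_tier(10))
    print("10 employees, recommended tier:", recommended_tier(10, found))
```

Running it shows the gap the post warns about: a 10-employee business lands in the "simplified" tier by headcount, yet the sample inventory (four sensitive element types) pushes the recommendation to a full framework.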
To summarize these actionable steps, here is a quick reference:
Table 2: Essential Cybersecurity Best Practices for Small Businesses

Practice Area | Key Actionable Steps
Data Inventory & Risk Assessment | Identify all sensitive data; understand data flow; conduct regular risk assessments.
Framework Adoption | Choose an appropriate industry-recognized framework (e.g., NIST, CIS Controls IG1); ensure alignment with data risk, not just employee count.
Documentation | Maintain written policies (password, data handling, IR); keep records of training, audits, incidents.
Technical Controls | Implement MFA; enforce strong, unique passwords; encrypt sensitive data; use up-to-date antivirus/anti-malware; patch systems regularly; implement role-based access.
Employee Training | Mandatory, ongoing cybersecurity awareness training; phishing simulations; encourage reporting.
Incident Response | Develop a written IRP; define roles and communication; conduct regular testing (tabletop exercises); have a data backup strategy.
Continuous Improvement | Annual policy reviews; regular risk assessments/audits; continuous monitoring.
Third-Party Management | Vet vendors for cybersecurity posture; ensure contracts include security clauses.
The importance of managing third-party relationships cannot be overstated. While SB 2610 focuses on the business entity's own cybersecurity program, the effectiveness of the safe harbor can be indirectly impacted by risks introduced through vendors. If a breach originates from a poorly secured third-party provider, even if your internal systems are compliant, the initial data exposure might still occur, leading to a lawsuit where your business must demonstrate its adherence. A truly comprehensive cybersecurity program, designed to protect sensitive data and qualify for the safe harbor, must extend to vetting and managing the cybersecurity posture of all third-party vendors and business associates who handle your entity's sensitive data. This adds a layer of complexity, requiring businesses to consider their entire digital ecosystem, not just their internal systems.
Texas Senate Bill 2610 offers a significant opportunity for small businesses across the state to protect themselves from the potentially crippling financial impact of exemplary damages in data breach lawsuits. This legislation underscores a fundamental truth in today's digital economy: proactive investment in cybersecurity is no longer just a cost, but a strategic investment. It yields not only crucial legal protection but also significantly enhanced operational resilience, reducing the likelihood and impact of cyberattacks on your business.
With the law taking effect on September 1, 2025, the time for action is now. Small business owners should begin assessing their current cybersecurity posture and implementing the necessary changes to ensure they qualify for this valuable safe harbor. For those navigating these requirements, seeking expert advice from cybersecurity professionals or legal counsel specializing in data privacy can provide invaluable guidance.
This law represents a long-term shift in small business risk management. It is not a temporary measure but a permanent change in the legal landscape for Texas SMBs. This means cybersecurity must transition from an optional IT expense to a core, ongoing risk management function integrated into the business's operational DNA. The law effectively mandates a continuous improvement mindset for cybersecurity, pushing small businesses to mature their risk management practices beyond simple compliance to genuine resilience. By embracing the principles of SB 2610, businesses can secure not just their data, but the very future of their operations, while contributing to a more secure and trustworthy Texas economy.