
What is SB 2610 / the Cybersecurity Safe Harbor Act?
SB 2610 adds Chapter 542 to the Texas Business & Commerce Code.
Its core purpose is to offer a “safe harbor” protection for certain Texas businesses: if a qualifying business has implemented and maintained a cybersecurity program (meeting specified standards) at the time of a breach, then in litigation arising from that breach, the business can be shielded from exemplary (i.e. punitive) damages.
Importantly, the law does not eliminate all liability — it still allows claims for actual damages (compensatory losses), injunctive relief, or other remedies.
The law takes effect September 1, 2025, and applies only to causes of action that accrue on or after that date.
SB 2610 only applies to business entities in Texas that (1) have fewer than 250 employees, and (2) own or license computerized data that includes sensitive personal information.
Key Legal Mechanics & Definitions
Here are the critical statutory provisions and how they operate:
| Provision | What It Says / Means | Why It Matters |
| --- | --- | --- |
| Safe Harbor from Exemplary Damages | Under Sec. 542.003, a harmed party cannot recover exemplary (punitive) damages from a qualifying business if that business can show it had a compliant cybersecurity program at the time of the breach. | Punitive damages can be large multiples of actual damages, so this protection can materially reduce litigation risk. |
| Cybersecurity Program Requirements | Sec. 542.004 lays out the requirements: the program must include administrative, technical, and physical safeguards; be designed to protect personal/sensitive information; and guard against risks, threats, and unauthorized access that create a material risk of identity theft or fraud. | The requirements are not vague; they must align with recognized frameworks. |
| Scaling by Business Size | The statute imposes tiered requirements. Fewer than 20 employees: simplified requirements (password policies, cybersecurity training). 20–99 employees: moderate requirements, including CIS Controls Implementation Group 1. 100–249 employees: full compliance with a recognized cybersecurity framework as specified in the statute (e.g. NIST, ISO/IEC, CIS). | These tiers keep the requirement proportionate: small firms have lighter obligations, larger ones more rigorous ones. |
| Recognized Frameworks | The cybersecurity program must conform (in whole or in part) to one or more of the following industry-recognized frameworks: NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53/53A; FedRAMP, CIS Critical Security Controls, ISO/IEC 27000 series; HITRUST CSF, Secure Controls Framework, SOC 2, etc. Compliance with or alignment to an applicable federal or sector-specific regime (e.g. HIPAA, GLBA, PCI) also qualifies. | Using a recognized standard helps ensure your program is “safe harbor compliant” and is defensible in court. |
| Updating for Revised Standards | If any recognized framework is updated, a business must update its cybersecurity program by (a) the implementation date in the update, or (b) within one year, whichever is later. | This keeps the protection current with evolving cybersecurity norms. |
| Limits & Other Provisions | The law does not limit the authority of the Texas Attorney General to bring actions under other statutes. It does not affect whether a case can be certified as a class action. The safe harbor applies only to causes of action that accrue on or after the effective date. | |
What SB 2610 Means in Practice (for Texas SMBs)
Here’s how SB 2610 might affect a typical small or mid-sized business and what actions they should consider:
Benefits & Protections
Reduced Litigation Risk
If your business suffers a breach but can show you met the safe harbor requirements, you avoid punitive damages, which are often a large financial exposure.
Incentive to Strengthen Cybersecurity
Because the law links legal protection to documented, strong cybersecurity practice, it encourages proactive adoption of standards-based security, which often also improves resilience, lowers breach risk, and may help with insurance.
Competitive & Insurance Advantage
Businesses may be able to market their compliance status, gain trust, or negotiate better terms with cyber insurance underwriters.
Legal Certainty
Having clear statutory criteria for “reasonable cybersecurity” gives better defensibility in court than vague standards.
Limitations & Risks
Only applies to smaller businesses
If you have 250 or more employees, this law does not provide you the safe harbor benefit.
You still must pay actual damages
The safe harbor does not shield against compensatory damages, injunctive relief, or other remedies.
Strict requirements — documentation matters
To claim safe harbor, you will need to show that your program was implemented and maintained at the time of the breach and that it met the statutory standards. If the program is deficient or poorly documented, you may lose the protection.
Updating burden
If the framework you adopted gets updated, you must update your cybersecurity program accordingly within the required timeframe. Failing to do so may jeopardize your safe harbor protection.
Doesn’t override other laws or agencies
You could still face regulatory penalties (e.g. under Texas data breach notification laws, FTC rules, or federal statutes) or enforcement by the Attorney General.
Applies only to new claims
Only causes of action accruing on or after September 1, 2025, get the benefit of this safe harbor.
What a Business Should Do to Prepare / Qualify
Here are some steps (or a roadmap) for a Texas small or mid-sized business aiming to rely on SB 2610 safe harbor:
Inventory data and determine applicability
Confirm whether your business has fewer than 250 employees.
Determine whether you own or license computerized data containing sensitive personal information (e.g. SSNs, driver’s license, financial account numbers, health data) as defined under Texas law.
If you don’t handle sensitive personal info, the law may not apply.
Select a cybersecurity framework
Choose one or more “industry-recognized” frameworks listed in SB 2610 (e.g. NIST CSF, CIS Controls, ISO/IEC 27000, etc.).
Design and document controls appropriate to business size
If < 20 employees: implement simpler controls (password policies, employee training) with documented evidence.
If 20–99: align with CIS Controls IG1.
If 100–249: implement full compliance with chosen framework(s).
Include administrative, physical, and technical safeguards.
Document implementation, monitoring, risk assessments, incident response plans, etc.
Maintain and update the program
Monitor changes or updates in the framework(s) used, and update accordingly (by the official implementation date or within one year).
Conduct periodic audits, reviews, testing, training refreshers, etc.
Preserve records & evidence
Maintain logs, internal reports, audit trails, policies, revision history, training records, risk analysis, vendor assessments, etc.
In litigation, you’ll need to demonstrate that you had the compliant program in place at the time of the breach.
Insurance & legal coordination
Engage your cyber insurance provider early to align your security controls with policy requirements.
Consult legal counsel to ensure that your program meets SB 2610’s statutory language and to assess residual risks.
Periodically reassess and evolve
As your business grows or changes, re-evaluate whether you still qualify under a given tier.
Monitor new threats and legal developments to stay aligned.
Example Scenarios (Illustrative)
10-Person Firm in Texas
Suppose you run a Texas firm with 10 employees, handling customer data that includes Social Security numbers. You implement basic security policies (strong passwords, MFA, employee security training, patching, limited access) and document them. If a breach happens, and you can show your security program complied with SB 2610’s simplified requirements, you could avoid punitive damages in a resulting lawsuit (though you must still pay actual damages).
75-Person Firm
For a Texas business with 75 employees, you’d need to align with CIS Controls IG1 (or another recognized framework). You’d need more structure (asset inventory, vulnerability management, log monitoring, etc.). Compliance would allow you to invoke safe harbor in the event of a breach.
200-Person Firm
With 200 employees, the business must comply with full recognized frameworks (e.g. NIST, ISO, etc.). The obligations are more rigorous. But if properly done, the protective shield from punitive damages applies.
Strategic & Business Implications
Shift in regulatory posture
SB 2610 is part of a trend toward incentive-based regulation in cybersecurity, where compliance with recognized standards is rewarded rather than simply punished after the fact.
Increased role for MSPs / security vendors
Given the technical demands of alignment, many businesses will rely on MSPs (Managed Service Providers) or security vendors to design, implement, monitor, and maintain compliance programs. Some commentators see this law positioning MSPs as strategic risk advisors.
Market differentiation
Businesses that can credibly show SB 2610 compliance may have a competitive advantage in contracts (customers or partners who care about data security) and in obtaining favorable insurance terms.
Legal defense value
Even if a breach leads to litigation, having a documented, statute-compliant cybersecurity program gives better legal footing and may influence settlements or judicial outcomes.
Costs & burden
While the law does not impose penalties for non-compliance, the costs of designing, documenting, updating, and maintaining a mature cybersecurity program are non-trivial. Smaller firms will need to balance cost vs. risk.
Leverage our expertise in cybersecurity and IT support services to support your business. Our team specializes in monitoring and supporting your technology and keeping your systems safe and protected, so you can focus on your business.
© Copyright 2025. All rights reserved.