CTSI Blog

Texas SB 2610: What It Means for Your Cybersecurity Program

Written by CTSI | Jun 29, 2026 7:12:46 PM

Data breach lawsuits expose Texas businesses to two categories of damages: compensatory damages for actual losses and punitive (in Texas statute, "exemplary") awards.

Texas Senate Bill 2610, effective September 1, 2025, eliminates punitive exposure for qualifying businesses with fewer than 250 employees - provided a documented cybersecurity program was in place before any incident occurred.

The standard is specific, tiered by company size, and more demanding than most businesses currently meet.

Key Takeaways

  • Texas SB 2610 took effect September 1, 2025. It applies to Texas businesses with fewer than 250 employees that store sensitive personal information.
  • The law shields qualifying businesses from punitive (exemplary) damages only. Actual damages, regulatory fines, and breach notification costs still apply.
  • Compliance requirements scale by headcount across three tiers. A 12-person firm and a 200-person firm face different standards.
  • Safe harbor is an affirmative defense. Your attorneys must prove the program was in place before the breach - with documentation.
  • Businesses already fully compliant with HIPAA, GLBA, or PCI DSS satisfy the law's requirements for their size tier.

How the Bill Works

Governor Greg Abbott signed SB 2610 on June 20, 2025. It adds a new Chapter 542 to the Texas Business and Commerce Code. The law is a legal incentive, not a regulatory mandate - it creates no new enforcement body and imposes no penalties.

If your business is sued following a data breach, and you can prove a qualifying cybersecurity program was in place at the time, the plaintiff cannot recover punitive damages from you. Punitive damages are the amounts courts award beyond actual harm - and the figures most likely to turn a manageable lawsuit into a business-ending one.

The law does not shield you from compensatory damages, which cover actual costs like credit monitoring, breach notification, and lost revenue. Regulatory enforcement, including actions by the Texas attorney general, falls outside its scope entirely. The protection is real, but it covers one category of liability.

Texas is the fifth state to pass a cybersecurity safe harbor law, following Ohio, Utah, Connecticut, and Iowa. Ohio's version took effect in 2018, and cybersecurity investment among Ohio small businesses increased measurably in the years that followed.

Who the Law Covers

Three conditions determine whether SB 2610 applies to your business:

  • You operate as a business entity subject to Texas jurisdiction.
  • You have fewer than 250 employees.
  • You own or license computerized data containing sensitive personal information.

The employee count applies to the entity being sued, not a parent company or affiliated group. That distinction matters for franchise operations, holding companies, and professional service firms organized under multiple legal entities.

Sensitive personal information, as defined in Texas Business and Commerce Code Section 521.002, means an individual's first name or initial and last name combined with any of the following:

  • Social Security number
  • Driver's license or government-issued ID number
  • Financial account or card number, together with any access code, PIN, or password that would permit access to the account

It also covers information that identifies an individual and relates to that person's physical or mental health, the health care provided to them, or payment for that care. Health information qualifies on its own and does not need to be paired with the other identifiers above.

Most businesses across healthcare, financial services, legal, engineering, retail, and nonprofit sectors routinely handle at least one of these data types. If your business collects applications, processes payments, manages employee records, or stores patient data, you are covered.

The Three Compliance Tiers

SB 2610 scales its requirements by headcount. A 15-person accounting firm is not held to the same standard as a 200-person specialty manufacturer.

Tier 1: Fewer than 20 employees

The law requires documented policies, functional password management, employee security awareness training, and reliable data backup. Many small businesses already have informal versions of these controls. The compliance gap at this tier is usually documentation - policies that exist in practice but have never been written down or dated.

Tier 2: 20 to 99 employees

Businesses in this range must adopt CIS Controls Implementation Group 1 (IG1). IG1 is the set of 56 foundational safeguards in version 8 of the CIS Critical Security Controls, published by the Center for Internet Security, and is the subset CIS describes as essential cyber hygiene for every organization.

It covers inventory management, software controls, data protection, secure configuration, account management, and basic incident response.

The framework targets the threats most common at this size - credential theft, unpatched software, and misconfigured systems - and is built to be implemented without enterprise-grade infrastructure.

Tier 3: 100 to 249 employees

Alignment with a recognized cybersecurity framework is required. Accepted options under SB 2610 include:

  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-53 or NIST SP 800-171
  • CIS Critical Security Controls (all implementation groups)
  • ISO/IEC 27001
  • FedRAMP
  • HITRUST Common Security Framework

Businesses in full compliance with HIPAA, GLBA, or PCI DSS qualify under their applicable tier. That covers most healthcare organizations, community banks, and credit unions already operating under those standards.

Frameworks are updated periodically. When a revision occurs, businesses have until the published implementation deadline or one year from the revision date - whichever is later - to bring their programs into alignment.

Why Documentation Is the Deciding Factor

SB 2610 operates as an affirmative defense. After a breach occurs, the burden falls on the business to prove a qualifying program was in place before the incident.

Demonstrating that requires records, not assertions. Specifically:

  • Dated, written security policies
  • Employee training logs with completion records
  • Risk assessments with documented findings
  • Deployment records for technical controls (firewalls, MFA, endpoint protection)
  • Incident response plans with version history
  • Evidence of framework alignment specific to your tier

Many Texas businesses have functional security controls in place. Far fewer have the records that would hold up in legal proceedings. An MFA policy enforced through habit but never written down is not, legally speaking, a policy. Deployment records that were never kept cannot be reconstructed after the fact.

A managed cybersecurity program maintains documentation continuously - timestamped, current, and available well before any incident occurs. For businesses without a dedicated security team, that function is difficult to sustain internally.
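The practical question behind this section is whether your records can show, after the fact, that a control was evidenced on a given date and that nothing was back-filled later. One way to keep that record is an append-only evidence ledger in which every entry carries a timestamp, the control it supports, the hash of the evidence artifact, and the hash of the previous entry. The following Python is an added example, not code from the original post or from CTSI; the control labels (POLICY, PASSWORDS, TRAINING, BACKUP) are hypothetical and simply mirror the Tier 1 controls described above, and the ledger entries are constructed sample data.

```python
"""Hash-chained evidence ledger for a documented cybersecurity program.

Added example, not part of the original post. Assumptions: evidence is
tracked as a list of JSON-serialisable records (write them out as JSON
Lines for storage); each record carries a UTC timestamp, a hypothetical
control ID, a description, and the SHA-256 of the evidence artifact.
Each record also carries the hash of the previous record, so inserting,
editing or back-dating a record after the fact breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first record

# Hypothetical control labels mirroring the Tier 1 controls named above.
TIER1_CONTROLS = {"POLICY", "PASSWORDS", "TRAINING", "BACKUP"}


def _record_hash(body: dict) -> str:
    """SHA-256 over canonical JSON so the hash is independent of key order."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def append_evidence(ledger: list, control_id: str, description: str,
                    artifact: bytes, recorded_at: datetime) -> dict:
    """Append one evidence record, chained to the previous record's hash."""
    prev = ledger[-1]["record_hash"] if ledger else GENESIS
    body = {
        "recorded_at": recorded_at.astimezone(timezone.utc).isoformat(),
        "control_id": control_id,
        "description": description,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "prev_hash": prev,
    }
    record = dict(body, record_hash=_record_hash(body))
    ledger.append(record)
    return record


def verify_chain(ledger: list) -> bool:
    """Recompute every hash; False if any record was altered, inserted or removed."""
    prev = GENESIS
    for record in ledger:
        body = {k: v for k, v in record.items() if k != "record_hash"}
        if body["prev_hash"] != prev or _record_hash(body) != record["record_hash"]:
            return False
        prev = record["record_hash"]
    return True


def controls_evidenced_before(ledger: list, required: set, incident_iso: str) -> dict:
    """Split the required controls into those with evidence dated before the
    incident and those without. A cutoff with no timezone is treated as UTC."""
    cutoff = datetime.fromisoformat(incident_iso)
    if cutoff.tzinfo is None:
        cutoff = cutoff.replace(tzinfo=timezone.utc)
    seen = set()
    for record in ledger:
        stamped = datetime.fromisoformat(record["recorded_at"])
        if record["control_id"] in required and stamped < cutoff:
            seen.add(record["control_id"])
    return {"evidenced": sorted(seen), "missing": sorted(required - seen)}


def build_sample_ledger() -> list:
    """Constructed sample: three controls evidenced before a hypothetical
    2025-11-01 incident, and a backup restore test recorded only afterwards."""
    utc = timezone.utc
    ledger: list = []
    append_evidence(ledger, "POLICY", "Written security policy v1.0 approved",
                    b"Security Policy v1.0 (sample)", datetime(2025, 9, 15, tzinfo=utc))
    append_evidence(ledger, "PASSWORDS", "Password manager rollout, 12 of 12 staff enrolled",
                    b"enrollment-report (sample)", datetime(2025, 9, 22, tzinfo=utc))
    append_evidence(ledger, "TRAINING", "Annual awareness training completion log",
                    b"training-completions (sample)", datetime(2025, 10, 3, tzinfo=utc))
    append_evidence(ledger, "BACKUP", "Backup restore test report",
                    b"restore-test (sample)", datetime(2025, 11, 10, tzinfo=utc))
    return ledger


def demo() -> dict:
    """Check coverage as of the incident, then show that back-dating the late
    backup record to before the incident breaks the chain."""
    ledger = build_sample_ledger()
    intact = verify_chain(ledger)
    coverage = controls_evidenced_before(ledger, TIER1_CONTROLS, "2025-11-01T00:00:00+00:00")
    ledger[3]["recorded_at"] = "2025-10-20T00:00:00+00:00"  # attempted back-dating
    return {"intact": intact, "coverage": coverage,
            "intact_after_backdate": verify_chain(ledger)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, the output shows the chain intact, POLICY, PASSWORDS and TRAINING evidenced before the incident date with BACKUP missing, and the chain failing verification once the backup record's timestamp is rewritten. The ledger only proves internal consistency; to anchor the dates against an outside party, periodically export the latest record hash to a location the business cannot silently rewrite, such as a signed email to counsel or a timestamping service.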

Our cybersecurity solutions cover both the technical controls and the compliance record that makes them defensible under SB 2610. If you are not certain where your current program stands, a security assessment is the right place to start.

What Regulated Industries Need to Know

Businesses operating under HIPAA, GLBA, or PCI DSS may assume SB 2610 adds little to their existing obligations. For those in full compliance, that assumption holds. The framework already in place satisfies the law's requirements for the applicable size tier.

Partial compliance is where that assumption breaks down. A healthcare organization that completed a HIPAA risk analysis but left a documented gap in its access controls unaddressed does not meet SB 2610's standard. It cannot claim the safe harbor, even after years of HIPAA operation.

PCI DSS presents the same issue. Returning an annual Self-Assessment Questionnaire to a card processor attests that the controls are in place; it does not by itself demonstrate full compliance if the attested controls are not actually implemented and evidenced. SB 2610's protection depends on documented, maintained compliance at the time of a breach - not compliance in principle.

If there is any uncertainty about whether your organization qualifies as fully compliant, resolve that question before a breach forces it.

Our post on cybersecurity essentials for regulated industries covers the baseline practices - network assessments, employee training, and contingency planning - that regulated businesses need regardless of which framework they follow.

Building a Program That Qualifies

1. Determine your tier

Count employees in the legal entity and confirm which tier applies.

2. Conduct a gap analysis

Measure your current security posture against the controls required for your tier. This step identifies what is missing, not just what is already in place.

3. Select your framework

For Tier 3 businesses, choose a framework that aligns with your industry and any existing compliance obligations. Healthcare organizations typically use NIST CSF or HITRUST. Financial firms often align with NIST SP 800-171, or rely on the GLBA Safeguards Rule program they already maintain.

4. Implement the controls

Deploy technical safeguards - MFA, endpoint protection, encrypted backups, network monitoring - alongside written administrative policies. Our post on the layered approach to cybersecurity explains how these components function together as a defense-in-depth program.

5. Train your team

Employee behavior is the most common point of failure in a breach. Training must be documented with completion records - informal awareness is not sufficient under the law. Our post on cybersecurity training for employees covers what a compliant training program requires.

6. Build the documentation

Every policy, assessment, deployment, and training session needs a date and a record. Documentation maintained as a continuous function is defensible. Documentation assembled after the fact is not.

7. Review and update

When a framework version changes, track the revision and update your program within the required window.

Conclusion

The businesses that will not qualify for SB 2610's protection are not the ones that lacked resources. They are the ones that had functioning controls and no documentation to prove it. For Texas businesses under 250 employees, the documentation gap is now a legal liability with a defined cost: full exposure to punitive damages when a breach leads to litigation.

Our cybersecurity solutions team works with businesses across Lubbock, Amarillo, Midland, and Plano to assess programs against SB 2610's requirements and build the documentation record before it is needed.

FAQ

What is Texas SB 2610?

Texas SB 2610 is a cybersecurity safe harbor law effective September 1, 2025. It protects Texas businesses with fewer than 250 employees from punitive damages in data breach lawsuits, provided a qualifying cybersecurity program was in place before the breach occurred.

Does SB 2610 apply to my business?

It applies if your business operates in Texas, has fewer than 250 employees, and stores sensitive personal information such as Social Security numbers, financial account data, or health records. The employee count applies to the specific legal entity, not a parent company.

What cybersecurity framework does SB 2610 require?

Requirements scale by headcount. Fewer than 20 employees need basic documented controls. Businesses with 20 to 99 employees must follow CIS Controls IG1. Businesses with 100 to 249 employees must adopt a recognized framework such as NIST CSF, ISO 27001, or CIS Controls.

Does HIPAA or PCI DSS compliance satisfy SB 2610?

Yes, for businesses in full compliance. HIPAA-covered entities and PCI DSS-compliant businesses satisfy the requirements for their size tier. Partial compliance does not qualify.

What documentation do I need?

Dated written policies, employee training records, risk assessments, deployment evidence for technical controls, and a maintained incident response plan. The documentation must exist before a breach - it cannot be assembled after the fact.

Does SB 2610 protect me from all damages after a breach?

No. The law covers punitive (exemplary) damages only. Actual damages, regulatory fines, breach notification costs, and attorney general enforcement actions are not covered.

Can a managed IT provider help with SB 2610 compliance?

Yes. A managed cybersecurity provider can assess your current posture against tier-specific requirements, implement missing controls, and maintain the documentation infrastructure the law requires. This is especially useful for businesses without a dedicated IT security team.