Texas has decided that small and midsized businesses should not have to choose between paying for cybersecurity and praying their luck holds. With Senate Bill 2610, the state created a limited safe harbor for certain businesses hit by a data breach. The basic idea is simple: if a qualifying business takes cybersecurity seriously before something goes wrong, the law can block claims for exemplary damages afterward.
That sounds dramatic, and it is. But it is not a get-out-of-lawsuit-free card. It is more like a legal seat belt. Wearing it will not prevent a crash, erase the repair bill, or stop everyone from being upset. It can reduce some of the worst fallout if the company can prove it had a compliant cybersecurity program in place when the breach happened.
For business owners, in-house counsel, IT leaders, accountants, insurers, and anyone else who enjoys sleeping at night, this law matters because it turns cybersecurity from a vague “best practice” into a practical litigation strategy. In other words, Texas is telling smaller businesses: document your controls, follow a recognized framework, train your people, and do not wait until ransomware has already redecorated your weekend.
What Texas SB 2610 Actually Does
Texas Senate Bill 2610 adds a cybersecurity safe harbor to state law for certain businesses dealing with sensitive personal information. If a covered company suffers a breach of system security, a harmed person cannot recover exemplary damages from that company if the business can show that, at the time of the breach, it had already implemented and maintained a qualifying cybersecurity program.
That “exemplary damages” phrase matters. In plain English, the law is aimed at punitive damages rather than all damages. Texas did not hand businesses a force field. It handed them a narrower shield. A plaintiff may still pursue other claims. A company may still face compensatory damages, response costs, legal fees, reputational damage, contractual headaches, insurer scrutiny, and the joyless parade of incident response calls that begin with, “Can everyone join right now?”
So the safe harbor is real, but it is limited. That is why smart businesses should view SB 2610 as a risk-reduction tool, not a permission slip to cut corners. The law rewards preparation. It does not reward wishful thinking, post-breach panic shopping, or the old classic: “We were definitely going to update multi-factor authentication next quarter.”
Which Businesses Can Use the Safe Harbor?
This law is not for every company under the Texas sun. It applies to a business entity in Texas that has fewer than 250 employees and owns or licenses computerized data that includes sensitive personal information. That means the sweet spot is smaller organizations that hold valuable personal data but usually do not have enterprise-sized budgets or armies of security engineers.
Think about the kinds of businesses that may fit this description: medical and dental practices, law firms, local retailers with online checkout, accounting firms, professional services companies, small manufacturers with employee records, property managers, franchised businesses, and growing e-commerce brands. If the organization stores sensitive customer or employee data, the law may be highly relevant.
Still, eligibility is only step one. A company does not qualify merely because it is small enough. It must also show that its cybersecurity program met the statute’s requirements at the time of the breach. That timing point is critical. Buying better tools after an incident is useful for the future, but it will not time-travel back into compliance.
The Employee-Count Tiers Matter
Texas scales the compliance expectations based on employee count, which is one of the most practical parts of the law.
Businesses with fewer than 20 employees can meet simplified requirements, including password policies and appropriate employee cybersecurity training. Businesses with 20 to 99 employees move into moderate requirements, including the Center for Internet Security Controls Implementation Group 1. Businesses with 100 to 249 employees need compliance with a recognized framework or applicable standards at a higher level.
That tiered approach makes sense. A 12-person bookkeeping firm should not be expected to operate like a national bank. But Texas is also saying that “we are small” is no longer a persuasive excuse for sloppy cyber hygiene. Even the smallest businesses need foundational controls, and once a company grows, the law expects more structure, more documentation, and more discipline.
What Counts as a Qualifying Cybersecurity Program?
The statute does not tell businesses to wave vaguely in the direction of cybersecurity and hope for the best. It sets out real requirements.
To qualify, a cybersecurity program must contain administrative, technical, and physical safeguards for protecting personal identifying information and sensitive personal information. It must conform to an industry-recognized cybersecurity framework. It must also be designed to protect the security of that information, protect against threats to its integrity, and guard against unauthorized access or acquisition that could create a material risk of identity theft or fraud.
In practice, that means businesses need more than antivirus software and a strongly worded email from the office manager. A defensible program usually includes written policies, access controls, vendor oversight, user training, password management, multi-factor authentication, patching practices, backup procedures, device security, incident response planning, and documentation that ties all of it together.
Recognized Frameworks Texas Accepts
Texas did not invent a brand-new framework from scratch, which is probably good news for everyone’s blood pressure. Instead, the law points businesses toward familiar standards and frameworks, including:
- NIST Cybersecurity Framework
- NIST SP 800-171
- NIST SP 800-53 and 800-53A
- FedRAMP Security Assessment Framework
- CIS Critical Security Controls
- ISO/IEC 27000-series standards
- HITRUST Common Security Framework
- Service Organization Control Type 2 framework
- Other similar cybersecurity frameworks or standards
The law also recognizes compliance with certain sector-specific or regulatory frameworks where they apply, including HIPAA, GLBA, FISMA, HITECH, and PCI DSS. That is especially useful for businesses that already live under existing compliance obligations. Instead of building a second parallel universe of controls, they may be able to align current obligations with safe harbor requirements.
In short, Texas is not saying, “Become perfect.” It is saying, “Use a recognized framework, implement it credibly, and keep it current.”
What the Safe Harbor Does Not Do
This is the section every business owner should read twice, then forward to anyone who says, “Great, so we are covered now.”
SB 2610 does not eliminate all liability. It does not erase compensatory damages. It does not cancel regulatory scrutiny. It does not guarantee that a lawsuit will disappear early. It does not stop incident response costs, ransom negotiations, forensic reviews, customer notice obligations, or public relations disasters. It also does not create a new private cause of action.
That last point matters because the law is defensive in nature. It changes exposure in existing breach-related litigation; it does not create a new right for plaintiffs to sue. So the statute is less about opening a new courthouse door and more about narrowing one category of damages if a covered business can prove it earned the protection.
There is also a practical wrinkle. Proving compliance may itself become a fact-heavy exercise. Plaintiffs may argue the company’s controls were incomplete, outdated, poorly enforced, or not truly aligned with the chosen framework. That means documentation is not optional fluff. It is part of the defense.
Why Texas Passed This Law
The policy logic is easy to understand. Small and midsized businesses are frequent cyber targets, yet they often lack the staffing, money, and legal resources of bigger organizations. Texas lawmakers framed the statute as a way to encourage investment in recognized cybersecurity practices without creating another heavy-handed mandate.
That is why the law feels more like a carrot than a stick. Texas is trying to nudge businesses toward better security by attaching a legal benefit to proactive behavior. If that sounds refreshingly practical, that is because it is. Legislatures do not always resist the urge to make life more complicated, so when one occasionally says, “Do the smart thing and we will reduce part of your downside,” it gets attention.
The law also fits a broader trend in state cybersecurity policy. Businesses are increasingly expected to treat cyber risk as enterprise risk, not just an IT problem. Boards ask about it. Insurers ask about it. Customers ask about it. Regulators ask about it. And now in Texas, plaintiffs’ lawyers may end up asking whether the defendant can prove it had the right program in place before the breach.
How Businesses Should Respond Now
The best response to SB 2610 is not panic. It is structure.
1. Figure out whether the law applies to you
Start with the basics. Do you have fewer than 250 employees? Do you own or license computerized data containing sensitive personal information? If yes, keep going.
2. Choose a framework that fits your business
A smaller company may begin with the essentials and mature over time. A healthcare practice may lean into HITRUST or HIPAA-aligned controls. A retailer handling payment card data should think carefully about PCI DSS. A professional services firm may find NIST CSF or CIS Controls to be the most practical starting point.
3. Build the program before a breach, not during one
Texas makes timing part of the bargain. The business must have implemented and maintained the program when the breach occurred. If your documentation begins the week after the incident, that is going to be a hard sell.
4. Document like your future lawyer will read it
Because one day they might. Policies, training logs, access reviews, patching records, risk assessments, vendor due diligence, incident response plans, tabletop exercises, and framework mappings all matter. If the protection depends on proving what existed at the time of the breach, evidence is part of the product.
5. Keep the program current
Frameworks evolve. Threats evolve. Your business evolves. Texas allows time to update when a standard changes, but companies still have to keep pace. A stale binder gathering dust in a cabinet is not a cybersecurity strategy. It is office decor with delusions of grandeur.
What Businesses Are Experiencing in Practice
In the real world, the experience of preparing for Texas’s safe harbor law is usually less glamorous than a legislative headline and more like a long-overdue cleanup project with legal consequences. For many smaller businesses, the first emotional reaction is relief. The second is confusion. The third is realizing that someone, somewhere, still has a shared spreadsheet of passwords named something like “FINAL_login_list_v7_REAL.xlsx.” That is when the work begins.
Take the typical small professional services firm. It may already use cloud software, collect sensitive client information, and assume its vendors “probably handle security.” Once leadership starts reading the law carefully, the conversation changes. Suddenly, cybersecurity is not just an IT expense. It becomes part of litigation planning, client trust, and insurance strategy. The firm starts asking better questions: Who has admin rights? Are backups tested? Are employees trained to spot phishing? Do we have proof? That last question is the one that keeps coming back.
Mid-sized businesses often experience the law differently. They usually have more systems, more vendors, more endpoints, and more room for inconsistency. One department may be fairly mature while another is running on habit and optimism. For these companies, SB 2610 often acts like a flashlight. It reveals gaps that were easy to ignore when cybersecurity felt abstract. Multi-factor authentication may exist for finance but not for legacy systems. Security policies may be written but not enforced. Training may happen once a year with all the enthusiasm of a fire drill during lunch. The law pushes companies to make those controls more consistent and easier to defend.
Healthcare, legal, retail, and financial-service organizations tend to feel the pressure most directly because they already know the data they hold is sensitive. Many of them discover that the smartest path is not building an entirely new compliance universe. It is mapping existing obligations to the Texas safe harbor requirements, identifying gaps, and tightening documentation. That approach saves time and reduces the number of duplicate controls that make teams grumpy and budgets nervous.
Another very real experience is the shift in internal language. Instead of saying, “Security is IT’s thing,” leaders start saying, “Security is everybody’s thing, and we need evidence.” Human resources gets involved because training matters. Operations gets involved because process discipline matters. Legal gets involved because the safe harbor depends on what can be shown in court. Executives get involved because a breach is no longer just a technical incident. It is a business event with legal, financial, and reputational consequences.
And perhaps the most common experience of all is this: businesses realize that the path to safer operations is rarely one giant purchase. It is usually a series of boring, valuable improvements done consistently over time. Better passwords. Cleaner permissions. Stronger training. Better vendor review. Tested backups. Written procedures. Framework-based discipline. Not flashy, but neither is surviving a lawsuit.
Final Takeaway
Texas’s safe harbor law is a meaningful development for certain smaller businesses, especially those that handle sensitive personal information and want a practical reason to tighten cybersecurity beyond “because everyone says we should.” SB 2610 offers a real benefit, but it is a narrow one. It can reduce exposure to exemplary damages after a breach if the business did the hard work ahead of time.
The winners under this law will not be the companies with the fanciest buzzwords. They will be the businesses that can calmly show what they implemented, why they implemented it, how they maintained it, and which recognized framework guided the work. In cybersecurity, as in life, receipts matter.
If you are a covered Texas business, the message is straightforward: choose a framework, build a program that matches your size and risk, document it well, train your people, and keep it current. That will not make you breach-proof. Nothing does. But it may make you much harder to hack, much easier to defend, and much less likely to discover that your most expensive technology was false confidence.