Posted by GRC COA on Aug 8th 2025
Texas SB 2610 - America's New Safe Harbor Law
Texas SB 2610 is a state law that goes into effect on September 1, 2025. This new law creates a legal “safe harbor” for certain Small and Medium Businesses (SMBs) in Texas, offering legal protection to those SMBs that suffer a data breach. However, to benefit from the protections the law offers, those businesses must be able to demonstrate that they had taken reasonable cybersecurity actions beforehand.
This law is applicable to SMBs that:
- Have fewer than 250 employees; and
- Own or license computerized data containing sensitive personal information (e.g., Social Security Numbers (SSN), financial data, health records, etc.).
Texas SB 2610 Cybersecurity Requirements
The cybersecurity requirements in Texas SB 2610 include these four (4) points:
- Contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Section 542.004(1));
- Protect the security of personal identifying information and sensitive personal information (Section 542.004(3)(a));
- Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information (Section 542.003(4)(b)); and
- Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Section 542.004(3)(c)).
SB 2610 Protections Are a Double-Edged Sword
Texas SB 2610 is not only a safe harbor that shields businesses from lawsuits; it also establishes a concrete set of requirements that will define the threshold for negligence. It is a “double-edged sword” in that it protects businesses that do the right thing, but can just as easily be used to demonstrate negligence when a business fails to implement reasonable practices.
This raises the central question: what are the “reasonable practices” a business must implement to demonstrate conformity with this law?
Reasonable Cybersecurity Practices - Defined Frameworks
Texas SMBs seeking SB 2610 protections must conform to at least one (1) of these recognized cybersecurity standards:
- Secure Controls Framework (SCF);
- NIST Cybersecurity Framework (NIST CSF);
- NIST SP 800-53;
- NIST SP 800-171;
- ISO/IEC 27000 series;
- Trust Services Criteria (TSC) (e.g., SOC 2);
- CIS Critical Security Controls (CIS CSC);
- FedRAMP;
- HITRUST CSF;
- Other similar frameworks or standards of the cybersecurity industry; and
- If the business entity is subject to any of the following requirements, the current version of that requirement:
- HIPAA/HITECH;
- GLBA;
- FISMA; and/or
- PCI DSS.