US (TX) - SB 2610
Name: Texas Senate Bill 2610 (SB 2610)
Type: Statutory (Law)
Authoritative Source: Texas Legislature SB 2610
Certification Available: No. There is no official certification for Texas SB 2610. However, the Secure Controls Framework Conformity Assessment Program (SCF CAP) can provide a third-party conformity assessment against Texas SB 2610 requirements that can lead to the following SCF-based certification: SCF Certified – SCF CORE Fundamentals.
Note: Texas SB 2610 listed the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage.
Too Long / Didn’t Read (TL/DR): Texas Senate Bill 2610 establishes a novel and pragmatic approach to bolstering cybersecurity among small businesses that otherwise could not afford extensive defenses or litigation costs. By offering legal protection from punitive damages, Texas created a clear incentive structure that aligns legal risk reduction with best-practice security governance. The caveat is that a Texas business must be able to prove that an appropriate, maintained cybersecurity program was in place at the time of the breach.
Texas SB 2610 encourages businesses to take concrete steps: evaluate risk, adopt a recognized framework scaled to their size, implement layered safeguards and document every facet of their program. Those that do so not only stand to gain legal protection in the event of a breach but also enhance operational resilience, customer trust and compliance posture. This “carrot, not stick” approach is designed to empower Texas’s SMBs to invest in meaningful cybersecurity without fear of crippling litigation, even in the face of unfortunate breaches.
Texas SB 2610 - Origins and Purpose
In a landscape where cyber threats increasingly target small and medium businesses, Texas has taken a landmark step with Senate Bill 2610, enacted in June 2025 (effective September 1, 2025). Rather than imposing new burdens, the law offers a strong incentive, limited liability protection, to small businesses that proactively adopt and maintain reasonable cybersecurity practices. Specifically, it shields qualifying businesses from exemplary (punitive) damages in data breach lawsuits, provided they can demonstrate that an active cybersecurity program aligned with recognized standards was in place at the time of the breach.
This page provides a cybersecurity-focused summary of Texas SB 2610 from a GRC practitioner's perspective, including:
- The history of this law;
- The consequences of failing to qualify for the safe harbor;
- Practical compliance strategies; and
- The role of high-quality documentation in audit readiness and breach resilience.
Legislative Journey
- Filed March 13, 2025 and shepherded by Sen. César Blanco (with co-sponsors Sen. Kelly Hancock and Rep. Giovanni Capriglione), Texas SB 2610 responded to the recognized risks small businesses face from pervasive cybercrime targeting the sector.
- The bill passed the Texas Senate unanimously on April 30, 2025 and cleared the House on May 28. It received the Governor’s signature June 20 and takes effect September 1, 2025.
Texas SB 2610 Key Policy Drivers
The legislative analysis notes that penalties for data breaches, particularly for small businesses with limited legal and compliance resources, can threaten long-term survival. Texas SB 2610 addresses this by offering a legal safe harbor: small businesses that adopt sufficient cybersecurity measures are protected from punitive damages, even if a breach occurs.
Supporters including the National Federation of Independent Business (NFIB) framed the bill as a crucial support for economic resilience, calling it a "carrot not a stick" that encourages investment in cybersecurity without imposing regulatory mandates.
Additionally, Texas SB 2610 aligns Texas with earlier state efforts in Ohio (2018) and Utah (2021), which demonstrated increased cybersecurity investment following similar safe harbor legislation.
Texas SB 2610 Covered Entities
Texas SB 2610 applies to Texas-based business entities that:
- Have fewer than 250 employees; and
- Own or license computerized data containing “personal identifying information” or “sensitive personal information.”
Texas SB 2610 Trigger Event
The safe harbor applies only in actions arising from a “breach of system security” under Texas law (e.g., when sensitive data is unlawfully acquired) and only for causes accruing on or after September 1, 2025.
Texas SB 2610 Legal Benefits
- If a qualifying small business can prove a compliant cybersecurity program was in place at the time of a breach, exemplary damages are prohibited in any resulting lawsuit;
- Compensatory damages, regulatory penalties and injunctive relief remain unaffected;
- The statute does not create a private cause of action; rather, it modifies damage exposure in existing tort actions; and
- Class certification rights and regulatory enforcement powers (e.g., by the Texas Attorney General) are preserved.
Texas SB 2610 Cybersecurity Program Requirements
To qualify for safe harbor, a business must demonstrate maintenance of a cybersecurity program satisfying criteria outlined in Section 542.004, including:
Administrative, Technical and Physical Safeguards
The program must include all three essential categories of safeguards (administrative, technical and physical), focused specifically on protecting "personal identifying information" and "sensitive personal information."
Alignment with Recognized Frameworks
The program must conform to at least one recognized cybersecurity standard from a list that includes:
- Secure Controls Framework (SCF);
- NIST Cybersecurity Framework (NIST CSF);
- NIST SP 800‑53;
- NIST SP 800‑171;
- ISO/IEC 27000 series;
- Trust Services Criteria (TSC) (e.g., SOC 2);
- CIS Critical Security Controls (CIS CSC);
- FedRAMP;
- HITRUST CSF;
- Other similar frameworks or standards of the cybersecurity industry; and
- If the business entity is subject to the following requirements, the current version of the following:
- HIPAA/HITECH;
- GLBA;
- FISMA; and/or
- PCI DSS.
Design Objectives
Section 542.004(3) identifies that a business entity’s cybersecurity program must be designed to:
- Protect the security of personal identifying information and sensitive personal information (Sec 542.004(3)(A));
- Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information (Sec 542.004(3)(B)); and
- Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Sec 542.004(3)(C)).
Scaled Requirements by Employee Tier
Texas SB 2610 adopts a tiered approach, requiring different levels of compliance depending on employee count:
- SIMPLIFIED REQUIREMENTS. For a business entity with fewer than 20 (<20) employees, simplified requirements, including:
- Password policies; and
- Appropriate employee cybersecurity training;
- MODERATE REQUIREMENTS. For a business entity with at least 20 but fewer than 100 (20 to 99) employees, moderate requirements, including the requirements of the Center for Internet Security Controls Implementation Group 1 (CIS IG1); and
- COMPLETE REQUIREMENTS. For a business entity with at least 100 but fewer than 250 (100 to 249) employees, compliance with the requirements of Subsection (b) (i.e., “A cybersecurity program under this section conforms to an industry-recognized cybersecurity framework for purposes of this section if the program conforms to [cybersecurity frameworks listing]”).
Industries Likely to Use or Benefit from Texas SB 2610
While targeted at small- and mid-sized enterprises (SMEs) across the board, Texas SB 2610 is particularly relevant to businesses that:
- Handle sensitive personal information (e.g., retailers, healthcare practices, law firms, financial service providers, etc.);
- Operate with limited cybersecurity resources and would benefit from legal protection if a breach occurs; and
- Seek cost-effective alignment with recognized standards to reduce litigation risk.
The law empowers entities often overlooked by large-scale legislative or regulatory cybersecurity requirements.
Texas SB 2610 Limitations and Considerations
- The safe harbor does not protect against compensatory damages, regulatory penalties, or injunctive relief;
- Ownership or licensing of computerized data containing personal identifying information or sensitive personal information is required for applicability; and
- Businesses must prove compliance existed at the time of the breach; partial or post-breach implementations offer no protection.
Common Methods to Achieve and Maintain Texas SB 2610 Compliance
To take full advantage of Texas SB 2610’s safe harbor, organizations should develop and document a cybersecurity program with the following components:
- Risk Assessment & Framework Selection
- Conduct a thorough risk assessment to understand the data environment and the threats to it; and
- Choose appropriate framework(s) based on employee size, data type and risk profile.
- Policy Development & Governance
- Create or formalize written policies covering data handling, access control, incident response, vendor management, etc.; and
- Establish governance oversight: assign responsibility, define review cycles and report to the board or owners.
- Technical Controls
- Implement access controls, multi-factor authentication, encryption and patch management; and
- Use security tools: endpoint protections, logging, SIEM, vulnerability scanning.
- Physical Safeguards
- Secure physical locations, equipment and data storage; and
- Manage visitor access, environmental protections and storage disposal policies.
- Training and Awareness
- Provide regular cybersecurity training tailored by role; and
- Conduct phishing exercises and security-awareness refreshers.
- Incident Response Readiness
- Develop an incident response plan (IRP);
- Perform tabletop exercises or drills; and
- Retain logs and forensic evidence.
- Vendor Management
- Vet third parties and incorporate security clauses in contracts; and
- Monitor vendor compliance.
- Update and Review
- Update controls when frameworks are revised (within 180 days per law); and
- Reassess program periodically to reflect evolving threats.
Understanding The Value of Quality Cybersecurity Documentation in Texas SB 2610
Texas SB 2610’s liability protection is conditional on demonstrable compliance. If a breach occurs, a company must show that:
- At the time of the breach, a program aligned with the law was implemented and maintained;
- The program included administrative, technical and physical safeguards; and
- The adopted framework was current and the program had kept pace with its revisions.
Consequently, quality documentation is essential:
- Risk assessment reports;
- Policy and procedure manuals;
- Training logs and schedules;
- Incident response plans and evidence of exercises;
- Change logs and control updates; and
- Audit trails, access review records and vendor assessments.
Without comprehensive records, an organization cannot credibly assert its eligibility for the safe harbor, leaving it fully exposed to punitive damages. Documentation must be maintained continuously, version-controlled and readily available for legal defense or compliance reviews.
Strategic Implications and Risk Management
This legislation signals that cybersecurity is now a strategic business imperative, not just an IT task. Companies that embrace Texas SB 2610’s spirit position themselves for:
- Enhanced customer and market trust;
- Competitive advantage over poorly protected peers;
- Operational resilience; and
- Alignment with broader regulatory regimes wherever applicable (e.g., HIPAA, PCI DSS).
Financial Risk Mitigation
Eliminating exposure to punitive damages can be transformational for small businesses, where such awards (even if rare) can be financially devastating. Texas SB 2610 helps limit worst-case litigation costs, allowing firms to invest more confidently in cybersecurity.
Cybersecurity As Business Risk Management
By imposing no penalties and offering measurable benefits, Texas SB 2610 encourages proactive upgrades. As newer frameworks are published, businesses are required to update within 180 days, fostering ongoing improvement and adaptability. That helps ensure that cybersecurity practices remain in step with evolving threats and industry expectations.