Texas SB 2610: What Small and Mid-Sized Businesses Need to Know

The cybersecurity liability landscape in Texas changed on September 1, 2025. Most businesses still don't know how — or what to do about it.

Texas SB 2610, signed into law in June 2025, created the first statewide cybersecurity safe harbor for small and mid-sized businesses. It rewards companies that implement reasonable safeguards with meaningful liability protection in the event of a data breach.

It is not a regulation. It does not require compliance. It is voluntary — and that's exactly why most Texas business leaders haven't acted on it.

This guide explains what SB 2610 actually does, who qualifies, what the safeguards look like in practice, and the five questions every leadership team should be able to answer.

What Changed on September 1, 2025

SB 2610 added Chapter 542 to the Texas Business and Commerce Code. The provision is straightforward: if your business suffers a data breach and gets sued, and you can demonstrate that you were operating a cybersecurity program aligned to a recognized framework before the breach, the court cannot award exemplary (punitive) damages against you.

That's the safe harbor. It is targeted, technical, and — for small and mid-sized businesses — financially significant. Punitive damages are typically the largest and most unpredictable component of a data breach verdict. Removing that exposure changes the entire risk math of running a business in Texas.

The law applies to Texas businesses with fewer than 250 employees that own or license computerized data containing sensitive personal information — which in practice covers nearly every company doing business in the state.

What SB 2610 Does Not Do

SB 2610 is a shield against one specific category of damages. It is not blanket immunity. Specifically, it does not protect against:

  • Compensatory damages. If a breach causes actual harm to your customers — financial losses, costs of credit monitoring, lost business — you can still be held liable for that.

  • Class action lawsuits. SB 2610 limits one type of award; it does not prevent your business from being named in a class action.

  • Regulatory enforcement. State attorneys general, the FTC, and federal agencies retain full authority to investigate and penalize.

  • Breach of contract claims. If your customer agreements require specific security controls and you fail to meet them, contractual liability stands.

  • Industry-specific obligations. HIPAA, PCI DSS, SEC cybersecurity rules, and similar regimes apply independently of SB 2610.

If a vendor, consultant, or IT provider tells you SB 2610 makes your business "compliant" or "covered," they are misrepresenting the law. The safe harbor is real and worth pursuing — but it does one specific thing, and overstating it creates legal exposure of its own.

The Three Tiers — and Which One Applies to You

SB 2610 takes a tiered approach. The cybersecurity requirements scale with the size of your business — which is unusually pragmatic for cybersecurity legislation, and one of the reasons the law passed unanimously in the Texas Senate.

Tier 1 — Fewer than 20 employees

Required: basic cybersecurity practices.

Documented password policies, employee security awareness training, and a written cybersecurity program addressing administrative, technical, and physical safeguards. The bar is low but it is not zero. "We have antivirus" is not enough.

Tier 2 — 20 to 99 employees

Required: alignment to CIS Controls Implementation Group 1.

CIS Implementation Group 1 is a defined set of 56 specific cybersecurity safeguards developed by the Center for Internet Security. It covers asset inventory, access management, MFA, malware defenses, backup integrity, vulnerability management, and basic incident response. Most businesses in this tier are not currently meeting it — but it is achievable without enterprise-scale investment.

Tier 3 — 100 to 249 employees

Required: alignment to a recognized comprehensive framework.

NIST Cybersecurity Framework (CSF), NIST SP 800-53 or 800-171, ISO/IEC 27001, FedRAMP, or full CIS Controls. The expectation here is a documented program with ongoing monitoring and evidence of implementation.

If you have between 10 and 50 users, you fall into Tier 1 or Tier 2. The good news: a properly operated IT environment can satisfy either tier without an additional compliance program — provided the safeguards are actually enforced, not just documented.

"Reasonable Conformity" Is the Standard — Here's What It Looks Like

The law does not require perfection. It requires "reasonable conformity" to a recognized framework. In practice, that means three things:

One — the safeguards are implemented, not just on paper. A written policy that says "MFA is required" without MFA actually being enforced provides no safe-harbor protection. The controls must be operating.

Two — the safeguards are documented. You need to be able to demonstrate, in writing, what controls are in place, when they were implemented, and how you verify they are working. Documentation is what turns operational security into legal defensibility.

Three — the safeguards are reviewed and updated. The law expects ongoing alignment, not a one-time check-the-box. Frameworks evolve. So do threats. So should your program.

If your IT provider has never produced documented evidence of your security posture — never sat down with leadership to walk through what's enforced, what's measured, and what's at risk — your safe-harbor position is weaker than it appears on paper.

Five Questions Every Leadership Team Should Be Able to Answer

1. Are we operating safeguards aligned to a recognized framework — and which one? If the answer is "we have antivirus and firewalls," the answer is no. The framework alignment must be explicit (CIS, NIST, ISO) and documented.

2. Is multi-factor authentication enforced on every user account? MFA is the single most-cited control across every recognized framework. If even a handful of accounts are exempted, the program has a gap that undermines its defensibility.

3. Are administrative privileges restricted to the minimum necessary? Excess admin access is the most common audit finding. Every user with administrative rights they do not need is an unnecessary liability surface.

4. Do we have continuous detection and a documented incident response process? "We'll figure it out if something happens" is not incident response. The law expects a workflow, and so do the frameworks it references.

5. Can we prove all of the above in writing? The safe harbor lives or dies on documentation. If you cannot produce evidence of your safeguards to a court, you cannot claim protection from one.

If you can answer all five with confidence, your safe-harbor position is strong. If you cannot, every day between now and the next breach is a day of unnecessary exposure.

Where We Stand

Total 360 Technology implements and operates the technical safeguards that align an organization to recognized cybersecurity frameworks — including CIS Controls Implementation Group 1, the framework most relevant to small and mid-sized Texas businesses under SB 2610.

We do not certify legal compliance. We do not act as your attorney. Legal determinations about safe-harbor eligibility, breach notification obligations, and litigation strategy remain with your counsel — as they should.

What we do is run the safeguards: identity control, threat detection and containment, patch enforcement, data protection, and documented oversight. We produce the evidence your counsel needs to make a defensible safe-harbor argument if it ever becomes necessary.

This is what Security-Controlled IT Operations means in practice. It is the operational layer underneath any reasonable legal compliance posture.

The SB 2610 Readiness Checklist

A one-page checklist of the safeguards required at each SB 2610 tier, with space to mark which controls you currently have, which are partial, and which are missing. Designed to be completed by your leadership team and reviewed with your IT provider or counsel.

Free. No sales call required to download.