Texas SB 2610 is a cybersecurity safe harbor law that went into effect September 1, 2025. For Texas businesses with fewer than 250 employees, it offers a meaningful form of legal protection: if your business is sued after a data breach and you had a compliant cybersecurity program in place before the incident, the court cannot award punitive damages against you. It is not blanket immunity, and it does not cover actual damages — but for small and mid-size Texas businesses, it is one of the strongest legal incentives yet to treat cybersecurity like a business function rather than an IT line item.
This guide breaks down what the law actually says, who it applies to, what compliance looks like at each tier, and the mistakes that quietly disqualify businesses from the protection they assumed they had.
What SB 2610 Actually Is (and Isn’t)
At its core, SB 2610 is a statutory incentive. The Texas legislature did not create a new enforcement regime, a new reporting obligation, or a new state agency. Instead, the law says that if a Texas business with fewer than 250 employees implements a cybersecurity program aligned with a recognized framework — and a data breach happens anyway — a court cannot impose punitive or exemplary damages on that business in a resulting lawsuit.
That distinction matters. Punitive damages are the damages designed to punish a defendant for egregious conduct, often many multiples of actual losses. Removing them as a possibility lowers the ceiling of what a plaintiff can extract from a single breach lawsuit. It does not eliminate the floor.
What SB 2610 does:
- Shields qualifying businesses from punitive and exemplary damages in data breach lawsuits.
- Creates clear, tiered compliance expectations scaled to business size.
- Recognizes widely used industry frameworks rather than inventing a new Texas-specific standard.
- Incentivizes small and mid-size businesses to implement real cybersecurity programs before a breach occurs.
What SB 2610 does not do:
- Provide blanket immunity from data breach lawsuits.
- Protect against actual or compensatory damages (breach notification costs, credit monitoring, data recovery, plaintiffs' out-of-pocket losses), and it has no effect on regulatory fines or on your notification obligations under other laws.
- Apply to businesses with 250 or more employees.
- Retroactively cover programs implemented after a breach.
The most misunderstood aspect of the law is that it operates as an affirmative defense. The protection is not automatic: your lawyers have to raise it and then demonstrate, with evidence, that a qualifying cybersecurity program was in place before the breach. That means dated policies, deployment records, training logs, and framework documentation — not just a good-faith claim that “we always took security seriously.”
Who Is Covered Under SB 2610
Three conditions determine whether SB 2610 applies to your business:
- Your business operates in Texas. SB 2610 is a Texas statute; it applies to Texas businesses defending breach suits brought under Texas law.
- You have fewer than 250 employees. At 250 or more employees, the safe harbor no longer applies; 249 is the ceiling.
- You handle personal information. If you store customer, employee, or patient data that could be the subject of a breach lawsuit, you are a potential defendant, which is the scenario the safe harbor addresses.
If all three are true, SB 2610 applies to you. If you are unsure where you stand, the GXA team built a 30-second quick check that walks through the eligibility questions and gives you a straight answer.
The employee threshold is not cumulative across affiliates or parent companies in the way some federal laws calculate workforce size. It is a practical count of the business entity being sued. Many Texas professional services firms, small manufacturers, charter schools, medical practices, and nonprofits fall squarely inside the covered population.
The Three Compliance Tiers
SB 2610 does not impose a single cybersecurity standard on every business under 250 employees. It scales expectations by company size across three tiers. This is one of the more thoughtful features of the law — a 15-person architecture firm is not held to the same standard as a 200-person specialty manufacturer.
Tier 1: Fewer Than 20 Employees
For the smallest businesses, the law expects basic, foundational security controls:
- Strong password policies
- Cybersecurity awareness training for all employees
- Basic access controls
- Data backup procedures
Implementation complexity is low. Most Tier 1 businesses can satisfy the requirement with well-documented policies, a password manager, routine phishing awareness training, and reliable backup software. The emphasis is on proof — you need to be able to show the program existed and employees were trained.
Tier 2: 20 to 99 Employees
Tier 2 businesses are expected to implement Implementation Group 1 (IG1) of the CIS Critical Security Controls v8, the set of 56 safeguards that the Center for Internet Security designed as the minimum baseline for small and mid-size organizations.
Representative Tier 2 controls include:
- Asset inventory management (hardware and software)
- Data protection policies
- Secure configuration standards for enterprise assets
- Access control management with multi-factor authentication
- Continuous vulnerability management
- Incident response preparation
CIS Controls IG1 is not a certification in the formal sense — there is no audit body issuing a stamp — but it is a defined, widely adopted checklist. The burden is on the business to implement it and document the implementation.
Tier 3: 100 to 249 Employees
Tier 3 raises the bar to full framework compliance. Businesses in this range must implement a complete, recognized cybersecurity framework. Options include:
- NIST Cybersecurity Framework (CSF 2.0) or NIST SP 800-53
- ISO/IEC 27001
- SOC 2 Type II attestation
- HIPAA/HITECH (for healthcare)
- PCI DSS (for payment processing)
- NIST SP 800-171 (for defense contractors and federal suppliers)
Tier 3 implementation typically involves formal risk assessments, a documented information security management system, incident response planning, and third-party risk management. For most businesses in this band, it is a multi-quarter program — not a weekend project.
The Recognized Frameworks
SB 2610 deliberately does not invent a new standard. It defers to frameworks that already exist and are widely understood. That is helpful because many businesses already comply with one or more of these for other reasons — industry regulation, customer contracts, or insurance requirements.
The recognized frameworks most relevant to Texas small and mid-size businesses:
- NIST CSF 2.0 — the most widely adopted general-purpose framework, suitable across industries.
- ISO 27001 — the international standard for information security management systems; often chosen by businesses with international clients.
- CIS Controls — practical, prioritized safeguards; the designated baseline for Tier 2.
- SOC 2 — the Trust Services Criteria commonly required of SaaS and technology providers.
- HIPAA/HITECH — required for healthcare organizations handling protected health information.
- PCI DSS — required for businesses processing payment card data.
- NIST SP 800-171 — foundation for CMMC; relevant to defense contractors.
- HITRUST CSF — a comprehensive healthcare-specific framework.
If your business already operates under an industry framework (HIPAA, PCI DSS, GLBA), you may already satisfy SB 2610’s requirements. The question is whether you can prove it with documentation. Most can’t, because they have never had to.
The Mistakes That Quietly Disqualify Businesses
After working with Texas businesses on compliance programs, the same disqualifying patterns come up repeatedly.
Waiting until after a breach to implement controls. This is the fatal error. Safe harbor only applies if your program was in place before the breach. Implementing CIS Controls the week after your incident response team arrives does not count.
Choosing the wrong framework for your company size. A 15-employee law firm does not need SOC 2 Type II attestation. A 200-employee manufacturer cannot hide behind a password policy. Match the framework to your tier. Only under-investing disqualifies you: a stronger program than your tier requires still qualifies, but it costs money and effort that a smaller business may not need to spend.
Failing to document implementation dates. Without timestamped evidence — policy adoption dates, training completion records, deployment logs, screenshots — you cannot prove the program existed before the breach. After-the-fact testimony that “we always had a policy” carries far less weight than a dated record produced at the time the control was put in place.
Using outdated framework versions. NIST CSF 2.0 superseded 1.1 in February 2024. Courts evaluating safe harbor claims will look at whether your program aligns with the current version of the recognized framework you chose, so a program that was compliant when it was written can fall out of compliance if it is never revisited. Static programs age out of compliance.
Assuming safe harbor equals total immunity. SB 2610 removes punitive damages. It does not remove breach notification costs, credit monitoring expenses, regulatory fines, or actual damages. Cybersecurity insurance is still essential. Safe harbor is one layer, not the only layer.
How to Get Compliant
The path to qualifying for SB 2610 safe harbor is straightforward in concept, even if the execution requires real effort:
- Determine your tier. Count your employees. Identify which tier applies.
- Conduct a gap analysis. Assess your current security posture against the requirements for your tier. The GXA SB 2610 compliance scorecard walks through this.
- Select your framework. Pick a framework that fits your tier, industry, and existing compliance obligations.
- Implement the safeguards. Deploy the technical controls, policies, and procedures. Do not skip documentation.
- Document everything. Timestamped policies. Training records. Deployment evidence. This is what your lawyers will need.
- Maintain continuously. Cybersecurity programs age. Review annually and update against current framework versions.
The businesses that handle this well treat SB 2610 as the forcing function it was designed to be — a reason to finally build the cybersecurity program they knew they needed, with a legal protection on the other side of the effort.
Live Webinar: SB 2610 in Depth
GXA is hosting a 60-minute webinar on Friday, May 8, 2026 at 11:00 AM CT — Texas Cybersecurity Safe Harbor: What Every DFW SMB Owner Needs to Know. The panel features Jeremy Rucker (Partner, Pierson Ferdinand) and George Makaye (CEO, GXA). Topics include framework selection, a three-tier walkthrough, a 90-day compliance roadmap, and live Q&A. Registration is open at /events/sb2610-webinar.
The webinar pairs with an upcoming episode of The Virtual IT Leadership Show going deeper on the implementation playbook for companies that want to be defensible by the end of the year.
Bottom Line
SB 2610 is not a compliance burden. It is a legal incentive to do the cybersecurity work that every Texas small and mid-size business already should have been doing. The tiers are reasonable. The frameworks are familiar. The documentation requirements are what any competent IT partner already produces as part of normal operations.
The businesses that will benefit from safe harbor are the ones that start now, match their program to their tier, and document the work as it happens. The businesses that wait until after a breach will discover, too late, that safe harbor does not work retroactively.
If you want a clear picture of where your business stands today, start with the 30-second quick check or the full compliance scorecard. If you’d rather have a conversation about implementation, schedule a consultation with the GXA team. And if you want the unfiltered deep dive, register for the May 8 webinar.
The law is in effect. The protection is real. The only question is whether your program will be ready when you need it.