Texas Cybersecurity Safe Harbor: What Every DFW SMB Owner Needs to Know
Senate Bill 2610 created a legal safe harbor for Texas businesses with fewer than 250 employees — an affirmative defense against punitive damages in breach lawsuits, if you’ve implemented a qualifying cybersecurity program before the breach.
The law has been in effect since September 2025. Most DFW SMBs still don’t know it exists.
Join outside counsel Jeremy Rucker (Partner, Pierson Ferdinand) and George Makaye (CEO, GXA) for a 60-minute panel: what the law actually requires, which compliance tier applies to your business, and a 90-day roadmap to qualify.
60
Minutes (45 + Q&A)
May 8
Friday, 2026
11:00
AM CT · Teams Webinar
The Opportunity
Texas Is Rewarding Businesses That Invest in Cybersecurity
SB 2610 is a "carrot, not a stick" law. There’s no mandate, no enforcement agency, and no penalty for opting out. Instead, the state is offering something valuable: if your business implements a cybersecurity program that conforms to a recognized industry framework, you’re shielded from punitive damages if a breach occurs.
Texas is the fifth state to pass this kind of legislation, following Ohio (2018) and Utah (2021). In those states, safe harbor laws drove a measurable increase in cybersecurity investment among small and mid-sized businesses. Framework-based cybersecurity is becoming the legal standard of care. Businesses that align now are ahead.
But the protection only works if your program is in place before a breach. Courts will scrutinize dated documentation, training records, risk assessments, and audit logs. Post-breach scrambling doesn’t count.
This webinar gives you the roadmap to qualify.
What You’ll Learn
60 Minutes. Your SB 2610 Compliance Roadmap.
A panel-style conversation built for DFW SMB owners, IT directors, and compliance-minded CFOs and COOs at companies under 250 employees.
We’ll cover:
What SB 2610 Actually Does — and What It Doesn’t
Plain-English walkthrough of the statute: what the affirmative defense protects against (punitive damages), what it doesn’t (compensatory damages, regulatory enforcement, contractual obligations), and how it interacts with cyber insurance. Jeremy Rucker leads this section.
Who Qualifies for Safe Harbor
Eligibility hinges on employee count (<250) and handling Texas residents’ sensitive personal information. To claim the defense, your qualifying program must be adopted and maintained before the breach — retroactive adoption doesn’t work. We’ll walk through what "qualifying" actually means.
The Three Compliance Tiers — in Operator Language
Under 20 employees: basic administrative, technical, and physical safeguards. 20–99 employees: a recognized framework such as CIS Controls v8 IG1 (56 safeguards) or NIST SP 800-171. 100–249 employees: NIST CSF, ISO/IEC 27001, HITRUST CSF, or an industry-specific equivalent. Jeremy states the legal requirement; George translates what it actually looks like to implement.
What DFW SMBs Actually Look Like Today
George’s candid view from 20+ years of DFW relationships: where most mid-market businesses sit right now, the most common gaps we see (missing documentation, MFA gaps, no written program), and why cyber insurance alone won’t protect you from punitive damages.
A 90-Day Compliance Roadmap
Assess (days 1–15) → select framework and draft the written program (days 15–30) → implement (days 30–75) → document and evidence (days 75–90). The documentation step is the one most businesses skip — and the one that wins the case.
Common Misconceptions — and Honest Answers
"We’re too small to be a target." "Our cyber insurance covers us." "We’ll get to it next year." "We’re already HIPAA compliant, so we’re covered." Jeremy and George tackle the four most common assumptions DFW owners get wrong.
Meet the Speakers
Your Presenters
Jeremy Rucker
Partner, Pierson Ferdinand
Guest speaker on the legal framework: what SB 2610 requires, who qualifies, what the affirmative defense actually protects, and what courts will look for. [PLACEHOLDER: Jeremy Rucker bio line pending — due May 1 per briefing §7.]
George Makaye
President & CEO, GXA
CISSP certified. Two decades of cybersecurity leadership for Texas businesses. Brings the operator’s view on the three compliance tiers, 90-day implementation, and what it takes for DFW SMBs to actually qualify.
This presentation is for educational purposes only and does not constitute legal advice. Consult your own counsel for specific guidance.
The Law Has Been Active Since September 2025
Every breach that occurs before your qualifying program is documented and in place is a breach without safe harbor protection. The businesses that acted in 2025 are already covered. The question is whether yours will be next — or whether you’ll find out you needed it after the fact.
60 minutes. No fluff. A clear plan you can execute immediately.
Already taken our quick check? SB 2610 Quick Check · Full Compliance Scorecard
Turn Cybersecurity Into a Legal Advantage
SB 2610 is already law. Qualifying for safe harbor protection is one of the highest-ROI decisions a Texas business can make this year.
Register on Microsoft Teams
Registration opens in a new tab at Microsoft Teams. You’ll receive a calendar invite and join link by email.
Reserve My Seat →Free · 60 minutes · Replay sent to all registrants
Questions? Call us at (972) 630-3323