Texas Law Effective September 1, 2025

Texas SB 2610: Cybersecurity Safe Harbor

Protect your business from punitive damages in data breach lawsuits. Texas law now provides safe harbor for small and mid-size businesses with compliant cybersecurity programs.

Fewer than 250 employees covered | 3 compliance tiers | 10+ recognized frameworks

What Is SB 2610?

Plain English explanation for business leaders

SB 2610 is a Texas law that provides safe harbor protection for small and mid-size businesses facing data breach lawsuits. If your business is sued after a breach, and you had a compliant cybersecurity program in place, the court cannot award punitive damages against you.

What SB 2610 DOES

  • Shields you from punitive/exemplary damages
  • Incentivizes businesses to improve cybersecurity
  • Provides clear compliance tiers based on company size
  • Recognizes industry-standard frameworks

What SB 2610 Does NOT Do

  • Provide blanket immunity from lawsuits
  • Protect against actual/compensatory damages
  • Create new state enforcement programs
  • Apply to businesses with 250+ employees

Critical Requirement

Your cybersecurity program must be in place BEFORE a breach occurs. You cannot implement controls after a breach and claim safe harbor protection retroactively.

Does This Apply to You?

Answer these three questions to find out

1. Is your business based in Texas?

   SB 2610 applies to businesses operating in Texas.

2. Do you have fewer than 250 employees?

   The law applies to businesses with fewer than 250 employees.

3. Do you store customer or employee personal data?

   If you handle personal information, you're a potential target for breach lawsuits.

If you answered YES to all three, SB 2610 applies to you.


The Three Compliance Tiers

Requirements vary based on your employee count

Tier 1 (fewer than 20 employees): Basic Security Controls

Password policies and cybersecurity training for all employees.

  • Strong password policies
  • Cybersecurity awareness training
  • Basic access controls
  • Data backup procedures

Complexity: Low

Tier 2 (20-99 employees): CIS Controls v8 IG1

The 56 safeguards of CIS Critical Security Controls Implementation Group 1.

  • Asset inventory management
  • Software inventory control
  • Data protection policies
  • Secure configuration standards
  • Access control management
  • Continuous vulnerability management

Complexity: Moderate

Tier 3 (100-249 employees): Full Framework Compliance

Complete implementation of a recognized cybersecurity framework.

  • NIST CSF or ISO 27001
  • SOC 2 Type II attestation
  • HIPAA/PCI DSS (if applicable)
  • Comprehensive risk management
  • Incident response planning
  • Third-party risk assessment

Complexity: High

Recognized Frameworks

SB 2610 accepts compliance with these industry-standard frameworks

NIST CSF 2.0

National Institute of Standards and Technology Cybersecurity Framework. The most widely adopted general-purpose framework.

Best for: General business, government contractors

ISO 27001

International standard for information security management systems (ISMS). Globally recognized certification.

Best for: Companies with international operations

CIS Controls

Center for Internet Security Critical Security Controls. Practical, prioritized actions to improve cybersecurity.

Best for: Small to mid-size businesses (Tier 2)

SOC 2

Trust Services Criteria for service organizations. Demonstrates security, availability, and confidentiality controls.

Best for: SaaS providers, technology companies

HIPAA/HITECH

Health Insurance Portability and Accountability Act. Required for healthcare organizations handling PHI.

Best for: Healthcare providers, medical practices

PCI DSS

Payment Card Industry Data Security Standard. Required for businesses processing payment cards.

Best for: Retail, e-commerce, payment processors

NIST SP 800-171

Protecting Controlled Unclassified Information in non-federal systems. Foundation for CMMC compliance.

Best for: Defense contractors, federal suppliers

HITRUST CSF

Health Information Trust Alliance Common Security Framework. Comprehensive healthcare framework.

Best for: Healthcare organizations, health tech

Industry-specific frameworks (HIPAA, PCI DSS, GLBA) satisfy SB 2610 requirements if they apply to your business. If you're already compliant with these frameworks, you may already qualify for safe harbor.

How to Achieve Compliance

Six steps to qualify for safe harbor protection

1. Determine Your Tier

   Count your employees to identify which compliance tier applies to your business. Remember: fewer than 20, 20-99, or 100-249 employees.

2. Conduct Gap Analysis

   Assess your current cybersecurity posture against the requirements for your tier. Identify what you have and what you need.

3. Select Framework

   Choose an appropriate recognized framework for your tier and industry. Consider existing compliance requirements you may already meet.

4. Implement Safeguards

   Deploy the technical controls, policies, and procedures required by your chosen framework. Document everything.

5. Document Implementation

   Maintain records of implementation dates, policies adopted, and controls deployed. This documentation is critical for claiming safe harbor.

6. Maintain Continuously

   Cybersecurity is ongoing. Regularly review and update your program to address new threats and maintain compliance.

Not sure where you stand? Start with a gap analysis.


Common Mistakes to Avoid

Don't let these pitfalls undermine your safe harbor protection

1. Waiting Until After a Breach

   Safe harbor protection only applies if your cybersecurity program was in place BEFORE the breach. You cannot retroactively implement controls.

   How to avoid: Start now. Even basic controls provide protection and demonstrate good faith.

2. Choosing the Wrong Framework for Your Company Size

   Implementing a framework too complex for your organization wastes resources; one that is too simple may not provide adequate protection.

   How to avoid: Match your framework to your tier requirements. A 15-employee company doesn't need SOC 2.

3. Failing to Document Implementation Dates

   Without dated documentation, you cannot prove your program existed before a breach occurred.

   How to avoid: Keep timestamped records of policy adoptions, control deployments, and training completions.

4. Not Updating When Frameworks Change

   Security frameworks evolve. NIST CSF 2.0 replaced 1.1 in 2024. Using outdated versions may not qualify.

   How to avoid: Review your framework annually and update to current versions within reasonable timeframes.

5. Assuming Safe Harbor = Complete Immunity

   SB 2610 only shields against PUNITIVE damages. You can still be held liable for actual damages (data recovery, notification costs, etc.).

   How to avoid: Maintain cyber insurance and continue improving security. Safe harbor is one layer of protection.

Frequently Asked Questions

Everything you need to know about Texas SB 2610

What is Texas SB 2610?

Texas SB 2610 is a cybersecurity safe harbor law that protects small and mid-size businesses (under 250 employees) from punitive damages in data breach lawsuits, provided they have an established cybersecurity program that complies with recognized industry frameworks. The law was signed by Governor Greg Abbott and became effective September 1, 2025.

When did SB 2610 go into effect?

Texas SB 2610 became effective on September 1, 2025. Businesses must have a compliant cybersecurity program in place BEFORE a breach occurs to claim safe harbor protection.

Who is covered by SB 2610?

SB 2610 applies to Texas businesses with fewer than 250 employees. The law establishes three tiers based on employee count: Tier 1 (under 20 employees), Tier 2 (20-99 employees), and Tier 3 (100-249 employees). Each tier has different compliance requirements.

What does safe harbor protect against?

SB 2610 safe harbor protects qualifying businesses from PUNITIVE or EXEMPLARY damages in data breach lawsuits. It does NOT provide protection against actual/compensatory damages, which include costs like breach notification, data recovery, and credit monitoring services.

What frameworks are recognized under SB 2610?

SB 2610 recognizes multiple cybersecurity frameworks including NIST Cybersecurity Framework (CSF), NIST SP 800-53, NIST SP 800-171, ISO/IEC 27001, CIS Critical Security Controls, SOC 2 Trust Services Criteria, HITRUST CSF, FedRAMP, and industry-specific frameworks like HIPAA/HITECH, GLBA, PCI DSS, and FISMA.

What are the tier requirements for different company sizes?

Tier 1 (under 20 employees) requires password policies and cybersecurity training. Tier 2 (20-99 employees) requires CIS Controls v8 Implementation Group 1 (56 safeguards). Tier 3 (100-249 employees) requires full implementation of a recognized framework like NIST CSF, ISO 27001, or SOC 2.

Do I need to be compliant before a breach to claim safe harbor?

Yes. This is critical. Your cybersecurity program must be in place and documented BEFORE a breach occurs. You cannot implement controls after a breach and claim safe harbor protection retroactively.

Does SB 2610 protect against all damages in a lawsuit?

No. SB 2610 only protects against punitive/exemplary damages. Businesses can still be held liable for actual damages, including breach notification costs, data recovery expenses, credit monitoring services, and other direct costs resulting from a breach.

How do I prove compliance after a breach?

Maintain thorough documentation including: dated policies and procedures, evidence of implementation (timestamped screenshots, deployment records), training completion records, risk assessment reports, and audit logs. This documentation must prove your program existed before the breach.
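Mistake 3 above and this answer both turn on the same question: can you show which controls were documented before the breach date, with records nobody quietly back-dated afterwards? The script below is an added example, not part of this page or of any GXA tooling; it keeps a hash-chained evidence ledger in which every record commits to the one before it, answers "what was in place as of this date?", and flags any edit to an earlier record. Control names and dates are constructed sample data.

```python
"""Added example: dated, tamper-evident evidence ledger for a cybersecurity
program (not the page's or GXA's own code; sample data is constructed)."""
import hashlib
import json
from datetime import date

FIELDS = ("control", "evidence", "recorded_on")
GENESIS = "0" * 64  # hash of the (empty) record before the first one


def _entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_evidence(ledger: list, control: str, evidence: str, recorded_on: str) -> dict:
    """Append one record; it commits to the hash of the record before it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"control": control, "evidence": evidence, "recorded_on": recorded_on}
    record = {**body, "hash": _entry_hash(prev, body)}
    ledger.append(record)
    return record


def verify_chain(ledger: list) -> bool:
    """Recompute every hash; any altered or reordered record breaks the chain."""
    prev = GENESIS
    for rec in ledger:
        body = {k: rec[k] for k in FIELDS}
        if _entry_hash(prev, body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def controls_in_place_before(ledger: list, breach_date: str) -> list:
    """Controls with evidence recorded strictly before the breach date (ISO 8601)."""
    cutoff = date.fromisoformat(breach_date)
    return sorted({r["control"] for r in ledger
                   if date.fromisoformat(r["recorded_on"]) < cutoff})


# Constructed sample ledger for a Tier 1 program.
LEDGER: list = []
append_evidence(LEDGER, "password-policy", "policy v1 adopted", "2025-07-15")
append_evidence(LEDGER, "security-awareness-training", "Q3 completion roster", "2025-08-20")
append_evidence(LEDGER, "data-backup", "nightly backup job deployed", "2025-10-02")

if __name__ == "__main__":
    print(verify_chain(LEDGER))
    print(controls_in_place_before(LEDGER, "2025-09-10"))
```

The chain only proves the records were not changed after the fact; it does not vouch for the dates themselves, so publishing the current head hash somewhere you do not control (a vendor ticket, an auditor's email, a timestamp service) is what turns it into evidence a court can weigh.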

Are other states adopting similar safe harbor laws?

Yes. As of 2025, six states offer cybersecurity safe harbor protection, with 15+ states having pending legislation. Texas SB 2610 is among the most comprehensive implementations. This is part of a nationwide trend to incentivize businesses to improve their cybersecurity posture.

How GXA Can Help

Your partner for SB 2610 compliance

Our Credentials

  • SOC 2 Type II Attested
  • ISO 9001 Certified Since 2019
  • 21 Years in Business
  • CISSP Certified Leadership

GXA is SOC 2 Type II attested and ISO 9001 certified. Our CISSP-certified leadership understands both the technical and compliance requirements of SB 2610.

How We Help

  • gShield Cybersecurity Program

    Comprehensive security stack aligned with recognized frameworks.

  • vCISO Services

    Virtual CISO leadership for compliance strategy and framework implementation.

  • Security Gap Assessments

    Comprehensive evaluation of your current security posture against SB 2610 requirements.

  • Compliance Documentation

    Policies, procedures, and evidence collection to prove compliance.

Is Your Business Protected Under SB 2610?

Find out in 30 seconds with our free compliance check

21 Years in Business | SOC 2 Type II Attested | ISO 9001 Certified | CISSP Certified Leadership