
Texas SB 2610: Cybersecurity Safe Harbor
Compliance Guide for Texas Small Businesses

By DKBinnovative Cybersecurity Team | Last Updated: March 30, 2026 | Reviewed by Dusty Burris, vCISO

Texas Senate Bill 2610 is now law. If your Texas business has fewer than 250 employees and handles sensitive personal data, you can qualify for legal protection from punitive damages in data breach lawsuits – but only if your cybersecurity program is in place before a breach occurs.

  • 5th: State in the U.S. to pass a cybersecurity safe harbor law
  • 250: Employee threshold for SB 2610 applicability
  • $0: Punitive damages if you qualify for safe harbor protection
  • Sept 1, 2025: Law in effect; the program must predate any breach

SECTION 1

What Is Texas SB 2610?

Texas Senate Bill 2610 – also known as the Texas Cybersecurity Safe Harbor Act – was signed into law by Governor Greg Abbott on June 20, 2025, and took effect on September 1, 2025. It is one of the most significant cybersecurity laws for small businesses in Texas history.

The law creates a legal safe harbor from punitive damages for Texas businesses that proactively adopt and maintain a recognized cybersecurity framework. In plain terms: if your business is sued after a data breach and you had a compliant cybersecurity program in place before the breach occurred, the court cannot award punitive damages against you.

This “carrot, not stick” approach mirrors successful safe harbor laws in Ohio (2018) and Utah (2021) – both of which saw measurable increases in cybersecurity investment by small businesses after passage.

Legislative Context

SB 2610 was introduced by Senator César J. Blanco and passed the Texas Senate unanimously on April 30, 2025. It was co-sponsored by Sen. Kelly Hancock and Rep. Giovanni Capriglione, and signed into law on June 20, 2025. Texas is now the fifth state with a cybersecurity safe harbor law.

The Legal Mechanism

SB 2610 amends Subtitle C, Title 11 of the Texas Business and Commerce Code by adding Chapter 542. It modifies damage exposure in existing tort actions – it does not create new regulations or a new cause of action.

The Core Incentive

Rather than penalizing businesses for poor cybersecurity, Texas rewards those that invest in it. If you implement and maintain a recognized cybersecurity framework, you are shielded from punitive damages – even if a breach still occurs despite your efforts.

SECTION 2

Who Qualifies for the Texas SB 2610 Safe Harbor?

Three conditions must all be true for your business to be eligible.

1. Texas Business Entity

You must be a business entity operating in Texas. This includes corporations, LLCs, partnerships, sole proprietorships, and professional associations headquartered or operating in the state.

2. Fewer Than 250 Employees

The safe harbor applies exclusively to businesses with fewer than 250 employees. Larger enterprises do not qualify, though they may still benefit from adopting recognized frameworks for other legal and compliance reasons.

3. Handle Sensitive Personal Data

Your business must own or license computerized data containing sensitive personal information – such as Social Security numbers, driver’s license numbers, financial account numbers, or health records.

What Counts as “Sensitive Personal Information”?

Under Texas law (Section 521.002), sensitive personal information includes an individual’s name combined with any of the following:

  • Social Security number
  • Driver’s license or government-issued ID number
  • Bank account, credit card, or debit card number (with security code or password)
  • Date of birth combined with other identifying information
  • Health or medical information (including mental health records)
  • Insurance policy numbers
  • Employee ID numbers combined with security access data

Quick Qualification Check

If all three are true – (1) your business operates in Texas, (2) you have fewer than 250 employees, and (3) you store or process any of the data types above – SB 2610 applies to you. The next step is implementing the right cybersecurity framework for your size.

SECTION 3

What SB 2610 Protects – And What It Doesn’t

Understanding the exact scope of safe harbor protection is critical. Many businesses misunderstand what this law does and doesn’t cover.

What You ARE Protected From

  • Punitive (exemplary) damages in data breach lawsuits
  • Financially ruinous jury awards designed to punish your business
  • Damages above actual compensatory losses in civil suits

What You Are NOT Protected From

  • Compensatory (actual) damages – breach notification costs, credit monitoring, etc.
  • Regulatory penalties from state or federal agencies
  • Injunctive relief ordered by a court
  • Post-breach implementations – the program must predate the incident
  • HIPAA, GLBA, or PCI enforcement actions (separate from civil suits)

Critical: Your Program Must Predate the Breach

You cannot implement a cybersecurity framework after a breach and claim safe harbor protection retroactively. The law is explicit: the qualifying program must be “implemented and maintained” before the security incident occurs. This means acting now – not after an incident forces your hand.

BREACH RESPONSE

What Happens After a Breach: Texas Notification Requirements

Qualifying for SB 2610’s safe harbor does not exempt your business from Texas’s breach notification obligations. Understanding both laws together is critical for any DFW business handling sensitive personal information.

Texas Breach Notification Law (Section 521.053, Business & Commerce Code)

Texas law requires any business that owns or licenses computerized data containing sensitive personal information to notify affected individuals when a breach occurs. Here is what the law requires:

60-Day Notification Deadline

You must notify affected individuals no later than 60 days after discovering the breach. This clock starts the moment you determine (or reasonably should have determined) that a breach involving sensitive personal information has occurred. Delays beyond 60 days can result in enforcement action by the Texas Attorney General, including civil penalties of $100 to $50,000 per violation.

Attorney General Notification

If the breach affects 250 or more Texas residents, you must also notify the Texas Attorney General. This notification must be submitted electronically through the AG’s online portal and must be sent within the same 60-day window.


The Overlap That Works in Your Favor

Having a documented incident response plan is both an SB 2610 compliance requirement AND the fastest way to meet Texas’s 60-day breach notification deadline. Businesses with tested IR plans consistently identify breaches faster, contain them sooner, and complete notification well within the statutory window. Businesses without one scramble – and often miss the deadline entirely.

What Must Be Included in the Notification

Texas law requires breach notifications to include:

  • A description of the breach in general terms
  • The types of sensitive personal information that were or are reasonably believed to have been compromised (Social Security numbers, financial account data, health information, etc.)
  • Steps the business has taken in response to the breach
  • Contact information for the business, including a phone number or address where affected individuals can get additional details
  • Information about identity theft protection resources, including contacts for major credit bureaus and the FTC


How SB 2610 Safe Harbor Interacts With Notification Requirements

This is a distinction many businesses miss: SB 2610’s safe harbor protects you from punitive damages in a lawsuit, but it does not reduce or eliminate your obligation to notify affected individuals and the Attorney General. These are separate legal requirements under separate statutes.

In practice, this means a compliant business will still need to:

  • Investigate and document the breach
  • Notify all affected individuals within 60 days
  • Report to the AG if 250+ individuals are affected
  • Cooperate with any resulting investigation

The difference is that a business with documented SB 2610 compliance will face compensatory damages only in any resulting civil litigation, while a business without it faces both compensatory and punitive damages.

SECTION 4

Qualifying Cybersecurity Frameworks Under SB 2610

SB 2610 requires adherence to a “current version” of a recognized framework. Requirements scale based on your business size.

NIST Cybersecurity Framework (CSF) – 100–249 Employees

The most widely adopted framework in the U.S., covering Identify, Protect, Detect, Respond, and Recover. Recommended for businesses with 100–249 employees. NIST CSF 2.0 is the current version.

CIS Controls (Implementation Groups) – 20–249 Employees

Scalable implementation groups from the Center for Internet Security. IG1 (basic cyber hygiene) applies to 20–99 employees; IG2 and IG3 apply to larger or higher-risk organizations. Practical and well-documented.

HIPAA / GLBA / PCI DSS – Industry-Specific

Industry-specific frameworks. Healthcare entities in full HIPAA compliance qualify automatically. Financial institutions complying with GLBA are covered. Retailers processing card payments can use PCI DSS. ISO 27001 and FedRAMP also qualify.

SECTION 5

Cybersecurity Requirements by Business Size

SB 2610 scales requirements to your organization’s capacity. Find your tier and understand exactly what’s required.

Business size, employee count, required level, and key controls:

  • Micro Business (<20 employees) – Basic Measures: password policies, security awareness training, basic access controls
  • Small Business (20–99 employees) – CIS Controls IG1: hardware/software inventory, secure configurations, email protections, malware defenses, data recovery, training
  • Mid-Size Business (100–249 employees) – Full Framework: complete framework with administrative, technical, and physical safeguards across all domains
  • Healthcare (any size under 250) – HIPAA: HIPAA Security Rule administrative, physical, and technical safeguards
  • Financial (any size under 250) – GLBA / PCI DSS: Gramm-Leach-Bliley Safeguards Rule or PCI DSS compliance

SECTION 6

5 Steps to Qualify for the Texas SB 2610 Safe Harbor

Follow these steps in order. Each one builds on the last – and all must be completed before any breach occurs.

Step 1: Confirm SB 2610 Applies to Your Business

Verify that (1) you operate in Texas, (2) you have fewer than 250 employees, and (3) your business stores or processes sensitive personal information as defined by Texas law. Document this determination – it becomes part of your compliance record.

Time: 1 day

Step 2: Select the Right Cybersecurity Framework for Your Size

Use the size table above to identify which framework applies. Micro businesses (<20) need documented basic measures. Small businesses (20–99) must implement CIS Controls IG1. Mid-size businesses (100–249) must comply with a full recognized framework.

Time: 1 week

Step 3: Conduct a Risk Assessment and Gap Analysis

Assess your current security posture against the chosen framework. Identify which controls are in place, partially implemented, or missing. Prioritize gaps based on likelihood and impact. This assessment must be documented and date-stamped as baseline evidence.

Time: 2–4 weeks

Step 4: Implement Administrative, Technical, and Physical Safeguards

Administrative: written security policies, employee training, incident response plan, vendor management. Technical: access controls, encryption, MFA, patching, logging, endpoint protection. Physical: server room access controls, clean desk policy, device management. Each safeguard must be documented and actively maintained.

Time: 1–12 weeks

Step 5: Document Everything and Conduct Annual Reviews

Maintain: dated written policies and procedures, evidence of implementation, training completion records, risk assessment reports, vendor security agreements, and audit logs. Establish an annual review cycle to update controls as threats evolve and frameworks release updates.

Time: Ongoing (annual cycle)

SECTION 7

Documentation You Need to Prove Compliance

If you ever need to assert safe harbor protection in a lawsuit, your documentation is your only evidence. Courts will require proof that your program was in place before the breach occurred.

Written Policies & Procedures

  • Information Security Policy (master policy)
  • Acceptable Use Policy (AUP)
  • Data Classification and Handling Policy
  • Incident Response Plan (with dated version history)
  • Password and Access Control Policy
  • Vendor / Third-Party Risk Management Policy
  • Remote Work / BYOD Security Policy

Training & HR Records

  • Security awareness training completion records (all employees)
  • Phishing simulation results and remediation
  • New employee security onboarding records
  • Offboarding / access revocation records
  • Annual training refresher completions

Implementation Evidence

  • Timestamped screenshots of security tool deployments
  • Software deployment and patching logs
  • MFA enrollment records
  • Firewall and endpoint protection configuration records
  • Network diagram (current, dated)
  • Asset inventory (hardware and software)
  • Encryption deployment records

Assessment & Audit Records

  • Initial risk assessment (dated, signed)
  • Gap analysis reports
  • Annual review reports (with date and sign-off)
  • Vulnerability scan results
  • Penetration test results (if applicable)
  • Framework self-assessment against chosen standard
  • Third-party audit or assessment reports

Pro Tip: Date-Stamp Everything

Every document in your compliance file should be explicitly dated at the time of creation and any significant update. Use document management systems that preserve version history with timestamps. In a breach lawsuit, your attorney will need to prove your program was active before the incident – undated documents offer no protection.

SECTION 8

Texas SB 2610 vs. Other State Cybersecurity Safe Harbor Laws

Feature comparison across Texas SB 2610, Ohio HB 57, Utah SB 287, and Connecticut:

  • Effective Date: Texas – Sept 1, 2025; Ohio – Nov 2, 2018; Utah – May 5, 2021; Connecticut – Oct 1, 2021
  • SMB-Focused (Size Limit): Texas – Yes (<250); Ohio – No (all sizes); Utah – No (all sizes); Connecticut – No (all sizes)
  • Scaled Requirements by Size: Texas – Yes (3 tiers); Ohio – No; Utah – No; Connecticut – No
  • Punitive Damages Protection: Texas – Yes; Ohio – Yes; Utah – Yes; Connecticut – Partial
  • NIST CSF Accepted: Texas – Yes; Ohio – Yes; Utah – Yes; Connecticut – Yes
  • HIPAA/GLBA Qualifies: Texas – Yes; Ohio – Yes; Utah – Yes; Connecticut – Yes
  • Current Version Required: Texas – Yes; Ohio – No; Utah – Yes; Connecticut – Yes
  • Micro-Business Path: Texas – Yes (<20); Ohio – No; Utah – No; Connecticut – No

SECTION 9

Industry-Specific Guidance for Texas SB 2610

Certain industries face heightened exposure and may already have compliance obligations that overlap with SB 2610.

Healthcare & Medical Practices

Texas medical offices, dental practices, and business associates handling PHI are already subject to HIPAA. Full HIPAA Security Rule compliance automatically qualifies under SB 2610. Ensure documentation is current and employee training is up to date.

Framework: HIPAA Security Rule

Law Firms & Legal Practices

Law firms handle highly sensitive client information. SB 2610 aligns with Texas Rule 1.01’s duty of technological competence. Firms under 250 employees should implement at minimum CIS Controls IG1 and document their program.

Framework: CIS Controls or NIST CSF

Financial Services & Accounting

Texas-based financial advisors, insurance agencies, CPAs, and community banks handling financial account data qualify. GLBA-covered entities in full compliance with the Safeguards Rule are automatically protected. DKBinnovative works extensively with investment and professional firms on compliance.

Framework: GLBA / NIST CSF

Construction & Real Estate

Texas construction firms and real estate companies collect significant PII – employee records, client financial data, subcontractor information. Most lack formal cybersecurity programs and represent high-risk targets. CIS Controls IG1 is the recommended starting point.

Framework: CIS Controls IG1+

Retail & E-Commerce

Texas retailers processing credit and debit card payments are subject to PCI DSS, which qualifies under SB 2610. Businesses that also store customer PII should ensure their PCI compliance extends to all sensitive personal data, not just payment card data.

Framework: PCI DSS / CIS Controls

Technology & MSPs

Texas technology companies and managed service providers often process client data that triggers SB 2610 obligations. MSPs serving Texas SMBs are well-positioned to help clients implement qualifying frameworks. ISO/IEC 27001 or NIST CSF is recommended.

Framework: ISO 27001 / NIST CSF

SECTION 10

Frequently Asked Questions About Texas SB 2610

Texas SB 2610, the Cybersecurity Safe Harbor Act, was signed by Governor Greg Abbott on June 20, 2025, and took effect September 1, 2025. It creates a legal safe harbor from punitive (exemplary) damages for Texas businesses with fewer than 250 employees that implement and maintain a recognized cybersecurity framework before a data breach occurs. Texas is the fifth state to pass such a law.

No. SB 2610’s safe harbor protection applies exclusively to Texas business entities with fewer than 250 employees. Larger organizations are not eligible for the safe harbor under this law. However, adopting recognized cybersecurity frameworks is still strongly advisable for all businesses – both for security and to demonstrate reasonable care in litigation.

If your qualifying cybersecurity program was in place before the breach, you are protected from punitive (exemplary) damages in any resulting lawsuit. You remain liable for actual compensatory damages – which may include breach notification costs, credit monitoring for affected individuals, and other direct losses. The safe harbor does not make you immune from all consequences; it prevents the most financially devastating judgment: punitive damages.

No. The law is explicit that your cybersecurity program must be “implemented and maintained” before the security incident occurs. Post-breach implementation does not qualify for safe harbor protection retroactively. This is one of the most important reasons to act now – waiting until after an incident eliminates the legal protection entirely.

For businesses with fewer than 20 employees, SB 2610 requires “basic cybersecurity measures” – including documented password policies and cybersecurity awareness training for all employees. The key word is “documented.” You need written policies, training completion records, and evidence that controls are actually being followed. While the bar is lower than larger businesses, the documentation requirement is the same.

No. SB 2610 does not impose new regulatory mandates, create new penalties, or establish a new private cause of action. It is purely a “carrot” law – it modifies existing damage exposure in tort actions to reward businesses that proactively adopt cybersecurity standards. Businesses that choose not to implement a qualifying program face no new penalties; they simply lose the safe harbor protection if sued after a breach.

SB 2610 expressly recognizes HIPAA, GLBA, and PCI DSS as qualifying compliance programs. If your business is in full compliance with one of these federal regulations, you automatically qualify for the SB 2610 safe harbor without needing to implement a separate framework. The key word is “full” compliance – partial compliance does not qualify.

FREQUENTLY ASKED QUESTIONS

SB 2610 Questions Texas Business Owners Ask Most

The cost of SB 2610 compliance depends on your business size and current security posture. For micro-businesses with fewer than 20 employees, expect to invest $2,000 to $8,000 per year. Small businesses with 20 to 99 employees typically spend $8,000 to $25,000 per year, while mid-size companies (100–249 employees) may invest $25,000 to $75,000 annually. These costs cover risk assessments, policy development, technical controls, employee training, and ongoing monitoring. Businesses that already have some security measures in place will fall toward the lower end. DKBinnovative offers a free SB 2610 readiness assessment so you can understand your specific costs before committing to anything.

There is no direct penalty, fine, or enforcement action for not complying with SB 2610. The law does not mandate compliance – it creates a voluntary incentive. If your business does not implement a recognized cybersecurity framework, you simply do not qualify for the safe harbor protection. That means if a data breach occurs and a lawsuit follows, your business remains exposed to both compensatory and punitive damages. Punitive damages can be several times the compensatory amount, which is where breach lawsuits become financially devastating for small businesses. Compliance is not required, but the protection it provides is substantial.

You do not need a lawyer to implement the technical and operational requirements of SB 2610 compliance. The law requires implementing a recognized cybersecurity framework – which is a technical and procedural effort, not a legal one. A managed IT provider like DKBinnovative handles the framework selection, risk assessment, technical control deployment, policy creation, and documentation that make up the bulk of the work. That said, having an attorney review your final documentation – particularly your incident response plan and data breach notification procedures – is a smart investment. Many DFW businesses use their MSP for implementation and their attorney for a final compliance review.

Timeline depends entirely on where you are starting from. Businesses that already comply with an industry framework like HIPAA or GLBA can often achieve safe harbor status in as little as 2 weeks – the work is primarily documentation and gap-filling. Businesses with some security measures but no formal framework typically need 4 to 6 weeks. Organizations starting from scratch with no documented security program should plan for 60 to 90 days to implement a framework like CIS Controls IG1 from the ground up. The key variable is not the size of your business but the maturity of your existing security posture.

Yes. SB 2610 applies to any business operating in Texas with fewer than 250 employees – and that includes sole proprietors, freelancers, and independent contractors. If you handle sensitive personal information such as Social Security numbers, financial account data, or health records in the course of your business, you are exposed to the same breach liability as a larger company. The safe harbor is available to you on the same terms: implement a recognized cybersecurity framework appropriate to your size, maintain it, and document it. For sole proprietors, a basic implementation of NIST CSF or CIS Controls IG1 can often be accomplished for under $3,000 and provides the same legal protection as a large enterprise program.

SB 2610 and the TDPSA are separate Texas laws that address different aspects of data protection. The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, regulates how businesses collect, process, store, and share consumer personal data. It gives Texas residents rights over their data (access, deletion, opt-out of sale) and applies primarily to larger businesses that process data of 100,000+ consumers. SB 2610, effective September 1, 2025, does not regulate data handling at all. Instead, it creates a litigation safe harbor that protects businesses from punitive damages in breach lawsuits – but only if they maintain a recognized cybersecurity framework. The two laws are complementary: TDPSA governs what you do with data, while SB 2610 rewards how you protect it. A business may need to comply with both depending on its size and data practices.

Absolutely. In fact, working with a managed IT provider is one of the most efficient paths to SB 2610 safe harbor compliance for small and mid-size businesses. A qualified MSP like DKBinnovative can handle every technical and operational requirement: framework selection based on your industry and size, comprehensive risk assessment, deployment of technical controls (MFA, endpoint protection, encryption, patch management), policy and procedure documentation, employee security awareness training, incident response planning, and ongoing monitoring to maintain compliance over time. For businesses without a dedicated IT security team – which describes most companies under 250 employees – an MSP provides the expertise and documentation discipline that SB 2610 requires without the cost of building an internal security program from scratch.

Is Your Texas Business Ready for SB 2610?

Get a free cybersecurity assessment from DKBinnovative to find out where you stand, which framework applies to your business, and exactly what you need to qualify for safe harbor protection – before a breach forces your hand.

Sales Number
(888) 295-0677

Support Number
(888) 352-4832


1701 Legacy Dr, #1450
Frisco, TX 75034