United States • Texas State Law

Texas SB 2610

Cybersecurity Safe Harbor Act

Provides liability protection from exemplary (punitive) damages in data breach lawsuits for Texas businesses that maintain a compliant cybersecurity program.

Effective Date: Sept 1, 2025

Applies To: <250 Employees

Protection From: Punitive Damages

Bill Number: SB 2610

What You Need to Know

What the Law Provides

  • Protection from exemplary (punitive) damages in data breach lawsuits
  • Safe harbor if you had a compliant program at the time of the breach
  • Tiered requirements based on company size (more manageable for small businesses)
  • Flexibility to choose from multiple recognized frameworks

What the Law Does NOT Provide

  • Does not prevent lawsuits from being filed
  • Compensatory damages (actual losses) still apply
  • Does not limit Attorney General enforcement
  • Does not affect class action certification

Tiered Compliance Requirements

Requirements scale with your organization's size

Tier 1 - Simplified

Fewer than 20 employees

Required Controls:
  • Password policies
  • Employee security training
  • Basic safeguards (antivirus, backups)
~15 Questions

Tier 2 - Moderate

20 to 99 employees

Required Controls:
  • All Tier 1 requirements
  • CIS Controls Implementation Group 1
  • Asset & software inventory
  • Vulnerability management
~40 Questions

Tier 3 - Full

100 to 249 employees

Required Frameworks:
  • NIST CSF / NIST 800-171 / 800-53
  • ISO 27001 / ISO 27000-series
  • SOC 2 / FedRAMP / CIS Controls
  • HITRUST CSF / PCI DSS (if applicable)
~85 Questions

Accepted Industry Frameworks

For Tier 3 compliance, your program must conform to one or more of these frameworks:

  • NIST CSF: Cybersecurity Framework
  • NIST 800-171: CUI Protection
  • NIST 800-53: Security Controls
  • FedRAMP: Federal Cloud Security
  • CIS Controls: Critical Security Controls
  • ISO 27001: Information Security
  • HITRUST CSF: Health Information
  • SOC 2: Trust Services Criteria
  • PCI DSS: Payment Card Security

The law also accepts HIPAA, GLBA, FISMA, and HITECH for businesses subject to those regulations.

Ready to Check Your Compliance?

Our free compliance wizard will determine your tier, assess your current security posture, and generate a Safe Harbor Readiness Report.