Texas SB 2610 creates a "safe harbor" for businesses with fewer than 250 employees. Demonstrate cybersecurity compliance and shield your business from punitive damages in data breach lawsuits.
Protection from Punitive Damages: avoid 2-4x multipliers on breach damages
Legal Defense Documentation: evidence package for court proceedings
Tiered Requirements: simplified compliance for smaller businesses
Industry-Standard Frameworks: CIS Controls, NIST CSF, ISO 27001 alignment
Senate Bill 2610, also known as the Texas Cybersecurity Safe Harbor Act, was signed into law by Governor Greg Abbott on June 20, 2025. It adds Chapter 542 to the Texas Business and Commerce Code, creating a legal shield for small and mid-sized businesses that take cybersecurity seriously.
SB 2610 operates as an affirmative defense against punitive damages in data breach lawsuits. If your business suffers a breach but can prove it had a compliant cybersecurity program in place, the court cannot award punitive (exemplary) damages against you.
The law shields qualifying businesses from exemplary (punitive) damages only. Punitive damages are penalties imposed by courts to punish negligent behavior; they can be 2 to 4 times the amount of actual damages, potentially devastating a small business.
The safe harbor does not provide immunity from all liability. Compensatory damages for actual losses can still be awarded. It also does not affect enforcement actions by the Texas Attorney General or other regulatory bodies.
June 20, 2025: Signed into law by Governor Greg Abbott
September 1, 2025: Law becomes effective across Texas
Ongoing (annual): Must update program within 1 year of framework changes
Texas businesses with fewer than 250 employees
Businesses that own or license computerized data containing sensitive personal information
Must maintain a documented cybersecurity program conforming to recognized frameworks
Program must include administrative, technical, and physical safeguards
Businesses under HIPAA, GLBA, or PCI DSS qualify if in full compliance
Small and mid-sized businesses are increasingly targeted by cybercriminals, yet many lack the resources for comprehensive security programs. SB 2610 levels the playing field.
43% of all cyber attacks target small businesses
$165 average cost per compromised record (IBM 2024)
60% of small businesses close within 6 months of a breach
2-4x punitive damages multiplier that safe harbor eliminates
Texas joins Ohio (2018) and Utah (2021) in enacting cybersecurity safe harbor legislation. In both states, these laws have driven a significant increase in cybersecurity investment by SMBs, which suggests that incentive-based approaches work better than punitive mandates alone.
Unlike traditional regulations that impose penalties for non-compliance, SB 2610 takes a reward-based approach: do the right thing, and the law will protect you.
Consider a Texas business with 50 employees and 10,000 customer records. Without safe harbor protection, a data breach could result in:
SB 2610 requires your cybersecurity program to conform to an industry-standard framework. The specific framework depends on your business size and industry.
NIST CSF: The gold standard for cybersecurity risk management. Covers the Identify, Protect, Detect, Respond, and Recover functions. Recommended for Tier 3 businesses (100-249 employees).
CIS Controls: Prioritized set of cybersecurity best practices. Implementation Group 1 (IG1) is specifically designed for small businesses and is the baseline for Tier 2 (20-99 employees).
ISO 27001: International standard for information security management systems (ISMS). Widely recognized globally and accepted for Tier 3 compliance under SB 2610.
If your business is already subject to HIPAA (healthcare), GLBA (financial services), or PCI DSS (payment card processing), you may already qualify for safe harbor protection. Full compliance with these existing regulatory frameworks satisfies SB 2610's requirements. Our assessment can help verify your compliance status.
The law creates three compliance tiers based on your company size, making it easier for smaller businesses to qualify.
See how much safe harbor protection could save your business in the event of a data breach. Example calculation (Tier 2 - Moderate): potential savings $3.8M; estimated compliance cost $8K/year; ROI 7400%.
Texas SB 2610, also known as the Texas Cybersecurity Safe Harbor Act, is a law that provides protection from punitive (exemplary) damages in data breach lawsuits for Texas businesses that maintain a compliant cybersecurity program. It becomes effective September 1, 2025.
Texas businesses with fewer than 250 employees that handle sensitive personal information and maintain a cybersecurity program that conforms to recognized frameworks (like NIST CSF, CIS Controls, or ISO 27001) may qualify for safe harbor protection.
Safe harbor protects against exemplary (punitive) damages only. Compensatory damages for actual losses can still be awarded. It also does not affect enforcement actions by the Texas Attorney General.
You need to demonstrate that your cybersecurity program was in place at the time of the breach. Our Safe Harbor Documentation Package generates a comprehensive evidence binder with timestamps that you can use in legal proceedings.
Yes, the law requires you to update your cybersecurity program within one year of any updates to the framework you're following (e.g., NIST, CIS Controls). We'll notify you when updates are released.
Businesses with 250 or more employees are not covered by this safe harbor provision. However, maintaining a strong cybersecurity program is still essential for risk management and may provide other legal benefits.