New Texas Law
April 18, 2026·12 min read·By Segler.Net Security Team

Texas SB 2610 Safe Harbor Law: Explained in Plain English

A new Texas law gives small businesses a legal shield against punitive damages in data breach lawsuits. Here's exactly what it means, who qualifies, and what you need to do — without the legal jargon.

At a glance:

  • Effective date: September 1, 2025
  • Maximum employees: fewer than 250
  • Damages blocked: punitive (exemplary) damages only
  • Timing: the program must be active before the breach

The Law

What Is Texas SB 2610?

Texas Senate Bill 2610 is a new state law that gives small businesses a legal shield — called a "safe harbor" — against certain types of lawsuits that can follow a data breach.

Here's the plain-English version: if your business gets hacked and customer data is exposed, you could get sued. Those lawsuits can include two types of damages: actual damages (the real costs — like paying for credit monitoring for affected customers) and punitive damages (extra money courts award to punish you for being reckless).

SB 2610 says: if you had a documented cybersecurity program in place before the breach, courts cannot award punitive damages against you.

That's it. That's the law. It doesn't make you immune from lawsuits. It doesn't cover your actual costs. But it removes the most financially devastating part of a breach lawsuit — the punishment money.

The Protection

What Does It Actually Protect You From?

Let's be specific, because this matters.

SB 2610 protects you from exemplary damages, also called punitive damages. These are damages courts award not to compensate victims but to punish defendants whose conduct went beyond ordinary carelessness (in Texas, a finding of fraud, malice, or gross negligence). In data breach cases, punitive damages can be enormous, sometimes 2 to 3 times the actual damages.

Imagine a breach costs $200,000 in actual damages (notification letters, credit monitoring, legal fees). A jury could add $400,000 to $600,000 in punitive damages on top of that if it finds you were grossly negligent. SB 2610 blocks that extra punishment, if you qualify.

What it does NOT protect you from: actual damages, breach notification costs, credit monitoring expenses, regulatory fines under HIPAA, contractual penalties from card brands and acquirers under PCI-DSS, or any other real costs of the breach. Those are still your responsibility.

SB 2610 is not a "get out of jail free" card. It's a shield against the punishment layer of a lawsuit — not the whole lawsuit. You still need good security to prevent breaches in the first place.

Eligibility

Who Qualifies for the Safe Harbor?

The law applies to Texas businesses that check all three of these boxes:

  • You operate in Texas or produce products/services consumed by Texas residents
  • You have fewer than 250 total employees
  • You own or license computerized data containing sensitive personal information — like Social Security numbers, driver's license numbers, financial account data, or health records

If your business meets all three criteria and you maintain a compliant cybersecurity program appropriate for your size, you qualify.

The "fewer than 250 employees" cap is important — this law was specifically designed for small and mid-sized businesses. Larger enterprises have different legal frameworks and resources.

Requirements

The Three Tiers Explained in Plain English

SB 2610 doesn't require every business to build a Fortune 500 security program. It scales requirements to your size. Here's what each tier actually means in practice:

Under 20 employees: Basic cyber hygiene

Documented password policies

A written policy that says employees must use strong passwords, not share them, and change them when someone leaves. You don't need fancy software — a Google Doc works.

Annual employee security training

Once a year, your team learns how to spot phishing emails, why they shouldn't click suspicious links, and what to do if something looks wrong. Keep a record of who attended.

Written incident response plan

A document that answers: "If we get hacked, who do we call, what do we do first, and how do we notify customers?" It doesn't need to be 50 pages. A clear 2-page plan is fine.

Honestly? Most small businesses can get to this tier in a few weeks with the right guidance. The key word is "documented" — you need to write it down.

20–99 employees: CIS Controls IG1

CIS Controls Implementation Group 1 (IG1)

This is a set of 56 foundational security safeguards published by the Center for Internet Security. They cover things like keeping an inventory of your devices, configuring them securely, managing who has access to what, protecting email, and backing up your data. Think of it as a comprehensive security checklist designed specifically for businesses without a dedicated IT security team.

Documented and maintained program

You need to show that you're actively running this program — not just that you set it up once and forgot about it. Regular reviews, updated records, and evidence of ongoing activity.

IG1 sounds intimidating but it's designed for exactly this size of business. A managed security provider like Segler.Net can implement and maintain all 56 controls for you.

100–249 employees: NIST CSF / ISO 27001 / SOC 2

Full framework compliance

You need to comply with a recognized, comprehensive cybersecurity framework: NIST Cybersecurity Framework (CSF), ISO/IEC 27001, SOC 2, or FedRAMP. These are more rigorous than IG1. ISO 27001 certification, SOC 2 reports, and FedRAMP authorization involve an independent auditor or assessor; NIST CSF is normally self-assessed, so your own risk assessments and evidence carry the weight there.

Continuous monitoring and documentation

Ongoing security monitoring, regular risk assessments, and a complete evidence trail showing your program is active and current.

At this size, you likely already have some IT infrastructure in place. The question is whether it's organized into a documented, defensible program. If not, that's the gap to close.

Critical Rule

The "Before the Breach" Rule — This Is the Most Important Part

Here's the thing that trips people up: you cannot apply SB 2610 retroactively.

If a breach happens today and you don't have a cybersecurity program in place, you cannot scramble to build one after the fact and claim the safe harbor. The law requires that your program was implemented and documented before the breach occurred.

This is why the time to act is right now — not after something goes wrong.

Think of it like car insurance. You can't get in an accident and then call to buy insurance. The policy has to be in place before the accident. SB 2610 works the same way.

The law is effective September 1, 2025. If you don't have a compliant program in place before a breach occurs, you get zero protection — regardless of when you implement one afterward.

Good News

Already HIPAA or PCI-DSS Compliant? You're Probably Already Covered.

Here's some genuinely good news for businesses in regulated industries: if you're already in full compliance with a recognized regulatory or industry cybersecurity framework, you automatically qualify for the SB 2610 safe harbor.

That includes:

  • HIPAA — healthcare providers, medical practices, dental offices, mental health providers, and their business associates
  • PCI-DSS — any business that processes, stores, or transmits payment card data
  • GLBA — financial services firms, accounting firms, insurance companies
  • FedRAMP or CMMC — government contractors

The catch: you still need to maintain documentation proving your compliance was active at the time of any breach. Compliance that existed on paper but wasn't actually implemented doesn't count.

If you're in one of these industries and you're genuinely compliant, talk to your IT provider about making sure your documentation is current and complete.

Action Plan

What Should You Do Right Now?

Here's a practical action plan based on your situation:

1. Figure out your tier

Count your employees. Under 20? Tier 1. 20–99? Tier 2. 100–249? Tier 3. 250+? The law doesn't apply to you (but you should still have good security).

2. Check if you auto-qualify

Are you HIPAA, PCI-DSS, GLBA, or CMMC compliant? If yes, verify your documentation is current. You may already be covered.

3. Get a gap assessment

If you're not sure where you stand, get a professional assessment. A good cybersecurity provider can tell you exactly what you have, what you're missing, and what it will take to qualify.

4. Build and document your program

Implement the required controls for your tier. More importantly, document everything: dated policies, training records, risk assessments. The documentation is what you'd use to assert the safe harbor in court.

5. Keep it current

A cybersecurity program isn't a one-time project. It needs to be maintained, updated, and documented on an ongoing basis. If your framework updates (like NIST CSF 2.0), you have up to one year to align with the new version.

Summary

The Bottom Line

Texas SB 2610 is a genuinely useful law for small businesses. It acknowledges that breaches can happen even to businesses that take security seriously, and it rewards those businesses by removing the most punishing layer of legal liability.

But it only works if you act before a breach — not after.

The good news: the requirements are scaled to your size. A 10-person medical practice doesn't need the same security program as a 200-person law firm. The law meets you where you are.

The bad news: "I was planning to get around to it" is not a legal defense.

If you're a Texas small business that handles any kind of sensitive customer data — and that's most businesses — this law is worth taking seriously. The cost of implementing a compliant program is a fraction of what a single breach lawsuit could cost you.

Ready to Get SB 2610 Compliant?

Segler.Net offers a free 30-minute assessment to determine your tier, identify your gaps, and give you a clear action plan — no sales pressure, just honest advice.

Tags: Texas SB 2610, Safe Harbor Law, Small Business Cybersecurity, Texas Law 2025, Data Breach Protection, CIS Controls, HIPAA