Secure Controls Framework

Texas Senate Bill 2610 — Cybersecurity Safe Harbor

In a landscape where cyber threats increasingly target small and medium businesses, Texas has taken a landmark step. Rather than imposing new burdens, SB 2610 offers a strong incentive — limited liability protection to small businesses that proactively adopt and maintain reasonable cybersecurity practices.

LAW OVERVIEW

Texas SB 2610

This “carrot, not stick” approach is designed to empower Texas’s SMBs to invest in meaningful cybersecurity without fear of crippling litigation, even in the face of unfortunate breaches.

The law shields qualifying businesses from exemplary (punitive) damages in data breach lawsuits, provided they can demonstrate an active cybersecurity program aligned with recognized standards at the time of the breach. It does not grant immunity from compensatory (actual) damages, class actions, or regulatory enforcement.

Name: Texas Senate Bill 2610 — Chapter 542, Texas Business & Commerce Code

Type: Statutory (State Law — Texas)

Authoritative Source: 89th Texas Legislature — SB 2610

Enacted: June 20, 2025 (Governor’s signature)

Effective Date: September 1, 2025

Applies To: Texas businesses with fewer than 250 employees that own or license computerized data containing sensitive personal information

Certification Available: No mandatory certification. The SCF Conformity Assessment Program (SCF-CAP) offers third-party validation of SCF CORE Fundamentals conformity, which can be valuable for demonstrating safe harbor eligibility.

TL;DR — Too Long; Didn’t Read

Texas Senate Bill 2610 establishes a novel and pragmatic approach to bolstering cybersecurity among small businesses that otherwise could not afford extensive defenses or litigation costs. By offering legal protection from punitive damages, Texas created a clear incentive structure that aligns legal risk reduction with best-practice security governance.

The caveat is that Texas businesses must prove an appropriate, maintained cybersecurity program is in place. Texas SB 2610 encourages businesses to take concrete steps: evaluate risk, adopt a recognized framework scaled to their size, implement layered safeguards and document every facet of their program. Those that do so not only stand to gain legal protection in the event of a breach but also enhance operational resilience, customer trust and compliance posture.

Note: Texas SB 2610 names the SCF as one of a select few cybersecurity frameworks deemed adequate to provide the necessary security coverage.

Background

Legislative Context

Texas SB 2610 establishes Chapter 542 in the Texas Business and Commerce Code to create a safe harbor for small businesses regarding exemplary (punitive) damages in cybersecurity breach lawsuits. It was enacted in June 2025 and became effective September 1, 2025.

The legislative analysis notes that penalties for data breaches — particularly for small businesses with limited legal and compliance resources — can threaten long-term survival. Texas SB 2610 addresses this by offering a legal safe harbor: small businesses that adopt sufficient cybersecurity measures are protected from punitive damages, even if a breach occurs.

Supporters including the National Federation of Independent Business (NFIB) framed the bill as a crucial support for economic resilience, calling it a “carrot not a stick” that encourages investment in cybersecurity without imposing regulatory mandates. Texas SB 2610 aligns Texas with earlier state efforts in Ohio (2018) and Utah (2021), which demonstrated increased cybersecurity investment following similar safe harbor legislation.

Program Requirements for Safe Harbor

To qualify for safe harbor protection, a cybersecurity program must: contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Sec 542.004(1)); protect the security of personal identifying information (Sec 542.004(3)(A)); protect against any threat or hazard to the integrity of personal identifying information (Sec 542.004(3)(B)); and protect against unauthorized access or acquisition that would result in a material risk of identity theft or other fraud (Sec 542.004(3)(C)).

Recognized Frameworks

The program must conform to at least one recognized cybersecurity standard, including: NIST Cybersecurity Framework (CSF); NIST SP 800-53; ISO/IEC 27001; CIS Critical Security Controls; SOC 2 Trust Services Criteria; Secure Controls Framework (SCF) — named explicitly by the law; or industry-specific frameworks such as HIPAA, GLBA, or PCI DSS if subject to those requirements.

Tiered Compliance

Requirements by Business Size

Texas SB 2610 adopts a tiered approach, requiring different levels of compliance depending on employee count.

Tier 1 — Fewer than 20 Employees

Simplified requirements. A basic cybersecurity program with administrative, technical, and physical safeguards aligned to a recognized framework is sufficient.

Tier 2 — 20–99 Employees

Standard requirements. A more formal cybersecurity program with documented policies, procedures, and controls aligned to a recognized framework.

Tier 3 — 100–249 Employees

Full program requirements. Comprehensive cybersecurity program with documented implementation, ongoing monitoring, and version-controlled records demonstrating continuous compliance.

Documentation & Proof

The Documentation Imperative

Texas SB 2610’s liability protection is conditional on demonstrable compliance. If a breach occurs, a company must show that at the time of the breach, a program aligned with the law was implemented and maintained; the program followed administrative, technical and physical safeguards; and adoption of an appropriate framework was active and up-to-date.

This means organizations must retain documentation such as audit trails, access review records and vendor assessments. Without comprehensive records, an organization cannot credibly assert its eligibility for safe harbor, which leaves it fully exposed to punitive damages. Documentation must be maintained continuously, version-controlled and readily available for legal defense or compliance reviews.

Double-Edged Sword

Texas SB 2610 is not only a safe harbor that protects businesses from punitive damages; it also establishes a concrete set of requirements that will define the threshold for negligence. If a business fails to implement reasonable practices, the law can readily be used to demonstrate that negligence in litigation.

SCF & SB 2610

SCF CORE Fundamentals — Built for SB 2610

The concept for SCF CORE Fundamentals came directly from Texas SB 2610, which names the SCF as one of a select few cybersecurity frameworks deemed adequate to provide the necessary security coverage.

The SCF CORE Fundamentals is a tailored set of 68 controls specifically designed for smaller organizations to protect People, Processes, Technologies, Data and Facilities (PPTDF) against common threats. These controls are built into the full SCF release and are designed to meet the requirements in Texas SB 2610.

Leveraging the Creative Commons licensing model, there is no cost for organizations to use SCF content. This further removes barriers to entry for businesses to improve their cybersecurity capabilities.

SCF CAP Third-Party Certification

The SCF Conformity Assessment Program (SCF CAP) has published an assessment guide for the SCF CORE Fundamentals, so a business can obtain a third-party certification to demonstrate conformity. For laws such as Texas SB 2610, having third-party validated conformity can be valuable in case there is an incident and it is necessary for the business to prove it was compliant with expected security practices at the time of the incident.

Get Started

See TX SB 2610 Mapped in the SCF

Texas SB 2610 — and 80+ more laws, regulations, and frameworks — is mapped to specific SCF controls in the Common Controls Framework™. Download it free.
