What Texas SB 2610 Means for Small Businesses: A Clear Guide and Action Plan

On September 1, 2025, Texas enacted Senate Bill 2610 (SB 2610). The law introduces a "safe harbor" for many small businesses in Texas that manage sensitive personal information. In practice, it limits certain legal liabilities—but only for businesses that meet specific cybersecurity standards before a breach occurs. We've broken down the bill and the steps your business needs to take in response to reduce your risk.

What is SB 2610 in Plain Terms

  • SB 2610 adds a new Chapter 542 to the Texas Business & Commerce Code.
  • It applies only to business entities in Texas that:
    1. have fewer than 250 employees, and
    2. own or license computerized data that includes sensitive personal information.
  • The main benefit: if your business suffers a breach of system security, and you had a qualifying cybersecurity program in place at the time of the breach, then a harmed party cannot recover exemplary damages (punitive damages) from you. Actual damages still apply.
  • The law requires that your cybersecurity program meet certain standards. It must:
    1. Include administrative, technical, and physical safeguards
    2. Conform to "industry-recognized cybersecurity frameworks"
    3. Be designed to protect personal identifying information and sensitive personal information from threats, hazards, unauthorized access, or theft.
  • Read the full bill here: Texas Legislature Online

What Counts as a "Compliant Cybersecurity Program"

The law is tiered: the required level of cybersecurity depends on the size of your business. Here's the breakdown:

Business size              Requirements under SB 2610
Fewer than 20 employees    Password policies and cybersecurity training
20-99 employees            CIS Controls Implementation Group 1
100-249 employees          Full recognized frameworks such as NIST Cybersecurity Framework 2.0

Once a framework you follow is updated, the law requires you to update your program to stay compliant no later than the framework's implementation date or one year after the update.

How the Bill Impacts Small Businesses by Size

Micro businesses (fewer than 20 employees)

These businesses need fundamental protections. While highly complex frameworks aren't necessary, failure to have even basic training, password hygiene, and documented safeguards leaves them fully exposed to exemplary damages if a breach occurs.

Small businesses (20-99 employees)

Businesses of this size need more structured steps: controls in line with a framework that fits your business, formal documentation of roles and policies, regular training, and some monitoring tools. The cost and effort are higher, but the legal protection from punitive damages becomes available.

Upper small / lower medium (100-249 employees)

These businesses are expected to have more mature programs: full implementation of industry-standard frameworks, external audits or formal compliance, and investment in more robust tools. The benefit is significant: protection from punitive damages in lawsuits related to data breaches, which could otherwise be crippling.

What Counts as "Sensitive Personal Information"

The law refers to "personal identifying information" and "sensitive personal information" as defined under existing Texas law. These usually include things like:

  • Social Security numbers
  • Driver's license or state IDs
  • Financial account numbers with credentials
  • Health- or payment-related info
  • Other data that, in combination with identifying data, could lead to identity theft or fraud

If your business processes, stores, or transmits that kind of data, SB 2610 likely applies.

What Small Businesses Should Do to Mitigate Risk

To take full advantage of the safe harbor this bill provides, and to reduce general cyber risk, here are eight steps we would advise our clients to take:

1. Conduct a Gap Analysis / Risk Assessment (ASAP)

  • Inventory what kinds of sensitive personal information you collect, store, and transmit.
  • Review your current cybersecurity practices: are there formal policies? Training? Technical controls (password hygiene, access controls, encryption)?

2. Choose the Right Framework

  • Based on your employee count, pick one of the approved frameworks (e.g., CIS IG1 for 20-99 employees; NIST CSF, ISO 27001, etc., for larger businesses).
  • If you already comply with HIPAA, PCI-DSS, or similar, map those requirements to SB 2610 to see what additional gaps remain.

3. Implement Administrative, Technical, and Physical Safeguards

  • Administrative: define roles and responsibilities, create and update policies, build an incident response plan, and vet your vendors' security practices.
  • Technical: enforce strong authentication with strong passwords and multi-factor authentication (MFA), encrypt sensitive data, keep systems up to date, protect networks and devices, and back up data at regular intervals.
  • Physical: secure hardware, limit physical access to servers and devices, and store backups securely.

4. Train Employees Regularly

  • All employees should receive awareness training: phishing, safe handling of sensitive data, recognizing suspicious activity.
  • Document when training is completed and keep records of who attended and what was covered.

5. Monitor, Audit, and Update

  • Review continuously or at regular intervals how well your cybersecurity program is working: internal audits, plus third-party assessments if feasible.
  • Stay alert to updates in the frameworks you follow; update policies and tools accordingly before deadlines.

6. Incident Response Planning

  • Plan for when a breach happens, not if. Define roles, communication plans, and how to contain damage.
  • Ensure you can demonstrate the existence and maintenance of this plan if ever needed in litigation.

7. Maintain Documentation

  • Keep records of what you have implemented, when, and how: implementation dates, training logs, and system changes. These will be crucial if you need to prove compliance under SB 2610.

8. Review Insurance and Legal Counsel

  • Verify whether your cyber liability insurance takes into account your program's maturity. Some insurers may offer better rates if you can show you meet recognized frameworks.
  • Consult with legal counsel to understand exactly how SB 2610 interacts with your other legal obligations (state and federal).

Why Acting Soon Matters

  • The law takes effect September 1, 2025. To get the safe harbor protection, your cybersecurity program must be implemented before any breach.
  • If you delay and a breach occurs before you meet the requirements, you will not receive the safe harbor protection for that breach.

How DL Cyber Can Help

As cybersecurity experts and fellow entrepreneurs, we are positioned to help you understand how this bill impacts your business, what steps to take, and ultimately to feel confident in your compliance with it.

Bottom Line

SB 2610 gives Texas small businesses a legally enforceable incentive to adopt strong cybersecurity practices. If you are under 250 employees and deal with sensitive personal data, you have both the opportunity and responsibility to protect your business by establishing and maintaining a qualifying cybersecurity program.

By acting now—assessing your risks, implementing a framework, training your team, and documenting everything—you can leverage SB 2610 to reduce your legal exposure, build trust with stakeholders, and strengthen your overall cybersecurity resilience. Our team will help you feel more confident, educated, and resilient in your cybersecurity posture.

Tags: Texas SB 2610, cybersecurity compliance, small business security, safe harbor protection, NIST CSF, CIS Controls, regulatory compliance, data breach liability, Texas legislation, SMB compliance