Texas Cybersecurity Legislation
Texas Cybersecurity Law

Senate Bill 2610

Understanding Texas's Cybersecurity Safe Harbor Law

Effective September 1, 2025 — Learn how this law protects organizations that adopt strong cybersecurity practices.

What It Is

Texas Senate Bill 2610 Overview

A cybersecurity safe harbor law that incentivizes organizations to adopt strong cybersecurity practices.

What Is SB 2610?

Texas Senate Bill 2610 is a new cybersecurity safe harbor law aimed at small and mid-sized businesses that handle personal or sensitive data. Many Texas businesses — including nonprofits — qualify as "business entities" under the law.

The law offers limited legal protection after a breach if organizations meet certain cybersecurity requirements. It's designed to reward proactive security measures and reduce legal risk for organizations that document and follow industry standards.

Effective Date

September 1, 2025

How It Works

With Qualifying Program

If your organization has a documented cybersecurity program in place at the time of a breach, punitive damages are prohibited in related civil lawsuits.

What Still Applies

Actual damages, compensatory awards, breach notification requirements, and regulatory penalties can still apply — but large punitive fines are avoided.

Eligibility

Who Qualifies for Safe Harbor Protection?

To be eligible for safe harbor protection under SB 2610, your organization must meet these criteria.

Employee Count

Your organization must employ fewer than 250 employees to qualify for safe harbor protection.

Most businesses meet this requirement

Data Handling

Your organization must own or license computerized data containing sensitive personal information.

Includes customer, client, or employee data

Do Texas Businesses Qualify?

Yes! Texas businesses with employees who handle customer, client, or employee data often meet these criteria.

Based in Texas

Your business operates in Texas

<250 Employees

Fewer than 250 staff members

Handles Sensitive Data

Stores personal information

Compliance Standards

What a Compliant Cybersecurity Program Means

To qualify for safe harbor protection, your organization must implement and maintain a documented cybersecurity program.

Core Requirements

Administrative Safeguards

Policies, procedures, and governance for data protection

Technical Safeguards

Security tools, encryption, access controls, and monitoring

Physical Safeguards

Physical security measures to protect systems and data

Recognized Framework

Alignment with industry-standard cybersecurity frameworks

Tiered Requirements by Organization Size

The requirements scale with your organization size, making compliance achievable for businesses of all sizes.

<20 Employees

Basic Safeguards

  • Password policies
  • Employee cybersecurity training
  • Basic access controls
  • Data backup procedures

20–99 Employees

Moderate Protections

  • CIS Controls Implementation Group 1
  • Multi-factor authentication (MFA)
  • Security awareness training
  • Incident response planning

100–249 Employees

Full Compliance

  • NIST Cybersecurity Framework
  • ISO/IEC 27001 compliance
  • CIS Controls or SOC 2
  • Comprehensive security program

Recognized Cybersecurity Frameworks

Your cybersecurity program must conform to a recognized framework. Accepted frameworks include:

  • NIST Cybersecurity Framework
  • NIST SP 800-171
  • CIS Controls
  • ISO/IEC 27001
  • SOC 2
  • Other recognized standards

For Texas Businesses

What This Means for Your Business

Understanding the implications and opportunities of SB 2610 for Texas businesses and organizations.

Is Compliance Mandatory?

No — SB 2610 doesn't mandate that businesses adopt a cybersecurity framework or meet specific controls. It doesn't impose fines or enforcement if you don't comply.

Without a Program

A business that suffers a breach could still face punitive damages if sued.

With a Qualifying Program

The business may avoid punitive damages after a breach — a powerful incentive and protection.

So it's optional in form, but very strategic and protective in practice.

Big Picture for Texas Businesses

Proactive Protection

Rewards proactive security and reduces legal risk for organizations that document and follow industry standards.

Grant Readiness

Aligning with NIST or CIS Controls positions Texas businesses well for federal grants, partners, and institutional requirements.

Donor Confidence

Demonstrates to boards, donors, and grant providers that you take data protection and IT stewardship seriously.

Get Started

Request a Free SB 2610 Consultation

Speak with our cybersecurity team about how SB 2610 affects your Texas business and what steps you need to take.

Ready to Prepare for SB 2610?

Avert Network Services helps Texas businesses align with cybersecurity requirements and build strong, documented security programs.

Let's work together to protect your mission and meet compliance standards.