New Texas Law Offers Cybersecurity Safe Harbor for Small Businesses
On June 20, 2025, Governor Greg Abbott signed Senate Bill 2610 into law, adding Texas to the growing roster of jurisdictions that extend a statutory "safe harbor" to businesses that adopt and maintain robust cybersecurity programs. The new measure, which takes effect on September 1, 2025, amends the Business and Commerce Code to give businesses with fewer than 250 employees a shield against exemplary damages in a civil action arising from a breach of system security (the Texas statutory term for a data breach), provided that the organization can demonstrate compliance with the requirements set forth in the statute. S.B. 2610 does not insulate covered entities from compensatory damages or other forms of relief. Even so, the prospect of eliminating punitive-type exposure materially recalibrates litigation risk and, by extension, may influence the settlement posture of plaintiffs' lawyers, insurers, and indemnified counterparties in the wake of a cyber incident.
To invoke the safe harbor, a qualifying organization that “owns or licenses” computerized personal identifying information or sensitive personal information must implement, document, and reasonably maintain a cybersecurity program that incorporates administrative, technical, and physical safeguards commensurate with the organization’s size, complexity, and resources. The program must conform to an industry-recognized framework—examples expressly referenced in the bill include the National Institute of Standards and Technology (NIST) frameworks, the Center for Internet Security (CIS) Critical Security Controls, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (when otherwise applicable), and the Payment Card Industry Data Security Standard (PCI DSS)—and it must be designed to accomplish three core objectives: protecting the confidentiality, integrity, and availability of personal and sensitive data; detecting and mitigating threats or hazards that could compromise that information; and preventing unauthorized access or acquisition that would create a material risk of identity theft or other fraud for the affected individuals.
Recognizing that a “one-size-fits-all” mandate could impose unreasonable burdens on micro-enterprises, the Texas Legislature adopted a sliding-scale approach keyed to headcount. Businesses with fewer than twenty employees may satisfy the statute by implementing baseline controls such as password policies and appropriate employee cybersecurity training. Organizations employing between twenty and ninety-nine individuals must implement the controls identified in CIS Controls Implementation Group 1, a curated subset of cybersecurity best practices designed for entities with modest IT resources. Finally, companies with one hundred to two hundred forty-nine employees must adhere to a comprehensive, industry-recognized framework such as the NIST Cybersecurity Framework; an applicable federal framework such as the HIPAA Security standards when the entity is otherwise subject to HIPAA; or if applicable, PCI DSS when the entity processes cardholder data. Importantly, the program must be tailored to the organization’s operational profile and must be re-evaluated as material changes in risk, technology, or regulatory expectations occur.
S.B. 2610 distinguishes itself from other state safe harbor regimes in several ways. The Utah Cybersecurity Affirmative Defense Act, for example, prohibits reliance on its safe harbor if the business had actual notice of a specific threat or vulnerability, failed to act within a "reasonable" time, and that lapse precipitated a breach. Texas imposes no analogous "actual notice" disqualifier, thereby affording a more forgiving pathway to protection so long as the baseline framework requirements remain in force. By contrast, Ohio's Data Protection Act confers an affirmative defense to any tort claim alleging that failure to implement reasonable cybersecurity controls proximately caused a data breach. Texas stopped short of that broader shield and limited the defense to exemplary damages only, a legislative compromise that preserves the deterrent and compensatory functions of ordinary damages while rewarding organizations that invest in preventive controls. Notably, the Texas statute also applies solely to small entities, whereas Ohio's safe harbor extends to businesses of any size that adopt a recognized cybersecurity framework.
For small organizations operating in Texas, the new law offers both an incentive and a roadmap. To maximize the protective value of the statute, covered entities should undertake a data inventory to confirm that the personal or sensitive information in their possession falls within the scope of the statute, assess current controls against the applicable framework benchmarks, remediate any identified gaps, and establish documented governance processes—policies, procedures, training programs, vendor management protocols, and incident response playbooks—that evidence ongoing compliance. Because the safe harbor is contingent on the cybersecurity program being "reasonably designed" and "reasonably implemented," mere adoption of a policy manual or purchase of off-the-shelf software will not suffice. Continuous monitoring, periodic risk assessments, and board- or owner-level oversight will be essential to sustain eligibility.

Although S.B. 2610 cannot eliminate all litigation or regulatory exposure stemming from a data breach, it materially enhances the risk-benefit calculus for small businesses willing to adopt recognized best practices. Given the statute's September 1, 2025, effective date, small organizations should engage counsel, cybersecurity professionals, and insurance advisors now to align their practices with the new statutory criteria and to preserve evidence of compliance that can be deployed defensively should a breach occur. By operationalizing the framework requirements in advance, businesses can not only avail themselves of the new exemplary-damage shield but also materially reduce the likelihood and severity of a breach in the first instance.