Texas SB 2610: the breach lawsuit shield most SMBs don’t know they have.
Since September 1, 2025, Texas law blocks punitive damages in data-breach lawsuits against businesses under 250 employees — but only those that can prove a real cybersecurity program existed before the breach. Here’s exactly how the safe harbor works, what your tier requires, and how to qualify.
What the safe harbor actually does.
After a breach, lawsuits follow — and the damages that kill small businesses are the punitive ones, awarded to punish rather than compensate. SB 2610 amends the Texas Business & Commerce Code so that a qualifying business cannot be hit with exemplary damages in a breach suit, provided it implemented and maintained a cybersecurity program conforming to a recognized framework before the incident. What it does not do matters just as much: actual damages, notification costs, regulatory enforcement, and class actions all remain. And there’s a sharp edge hidden in the carrot — the law’s tiers are rapidly becoming the benchmark for what counts as negligent security in Texas litigation. A business that ignores them isn’t just missing a shield; it’s handing the other side a yardstick.
Your tier, your requirements.
The program you must maintain scales with headcount:
Industry frameworks you may already follow — HIPAA, PCI-DSS, GLBA — can satisfy the requirement where they apply. And when a chosen framework is updated, your program must follow it by the published implementation date or within a year, whichever is later. Compliance isn’t a one-time project; it’s a maintained state.
The catch: it’s an affirmative defense.
The safe harbor doesn’t apply automatically — your lawyers must prove, with evidence, that the program existed before the breach. That means dated policies, deployment records, training logs, risk assessments, and third-party testing reports. “We always took security seriously” is not evidence; a dated penetration test report with documented remediation is. This is where most businesses will fail to qualify: they have controls but no paper trail, or a paper trail written after the incident — which counts for nothing. Build the file before you need it.
How we get you qualified.
This is exactly the work we do for Texas SMBs. Tier & gap assessment: we determine your tier, map your current controls against it, and hand you the gap list. Penetration testing: dated, third-party proof that your controls hold against a real adversary — the strongest single artifact in a safe-harbor defense (see our complete DFW pentest guide). Program documentation: policies, training evidence, and remediation records assembled into the defense file your attorneys would need on day one. And annual maintenance: retesting and documentation updates that keep the program — and the shield — current. One engagement, and the next breach headline in your industry becomes someone else’s problem.
Frequently asked questions.
What is Texas SB 2610?
Texas's cybersecurity safe harbor law, effective September 1, 2025. It bars punitive (exemplary) damages in data-breach lawsuits against businesses under 250 employees that implemented and maintained a recognized cybersecurity framework before the breach.
Who qualifies for the SB 2610 safe harbor?
Texas businesses with fewer than 250 employees that own or license computerized data containing sensitive personal information, and that maintained a documented, framework-aligned cybersecurity program at the time of the breach.
What are the SB 2610 tiers?
Under 20 employees: basic measures like password policies and security awareness training. 20–99 employees: CIS Controls Implementation Group 1. 100–249 employees: full compliance with a recognized framework such as NIST CSF, ISO/IEC 27001, or CIS Controls.
Does SB 2610 make my business immune after a breach?
No. It only blocks punitive damages. Actual damages, breach notification costs, regulatory enforcement, and class actions remain. It's a shield against the most devastating layer of liability, not blanket immunity.
How do I prove compliance under SB 2610?
The safe harbor works as an affirmative defense: you must demonstrate with dated evidence — policies, deployment records, training logs, assessment and penetration test reports — that the program existed and was maintained before the breach. Documentation built after the incident doesn't count.
This guide is general information, not legal advice — talk to your attorney about how SB 2610 applies to your specific situation. We’ll handle the security evidence side.
Get the shield before the breach.
Book a scoping call. We’ll tell you your tier, your gaps, and exactly what evidence your defense file is missing.