Relating to a limitation on civil liability of business entities in connection with a breach of system security.
Compliance urgency: Moderate
Cost impact: Medium
Effective: 2025-09-01
Compliance Analysis
Key implementation requirements and action items for compliance with this legislation
Implementation Timeline
Effective Date: September 1, 2025
Compliance Deadline: Q3 2025. While the law takes effect in September, the defense is only valid if the program is fully operational *at the time of the breach*. Given that implementing frameworks like NIST or CIS takes 6–12 months, gap analysis must begin immediately.
Agency Rulemaking: None. This statute is self-executing in civil court. There will be no state agency guidance; businesses must look to the external standards bodies (NIST, CIS, ISO) for updates.
Immediate Action Plan
Determine Your Tier: Confirm your exact employee count to identify if you fall under Tier 1 (<20), Tier 2 (20–99), or Tier 3 (100–249).
Conduct Gap Analysis: Immediately audit your current IT security against the mandated framework (CIS Controls Group 1 or NIST) to identify deficiencies.
Formalize the WISP: Draft and sign a Written Information Security Program that mirrors the statutory requirements.
Engage Insurance: Contact your Cyber Liability carrier to determine if SB 2610 compliance will be a prerequisite for future coverage or premium discounts.
Review MSP Contracts: Ensure your IT provider is contractually obligated to meet the new statutory standards by mid-2025.
Operational Changes Required
Contracts
Managed Service Providers (MSPs): Master Services Agreements (MSAs) must be amended to explicitly require the MSP to maintain the specific framework required by your business size (e.g., CIS Controls Group 1 for 20–99 employees).
Vendor Agreements: Contracts with third-party data processors (payroll, cloud storage) must include flow-down clauses ensuring they meet Sec. 542.004 standards.
Employment Agreements: Update employee handbooks to make non-compliance with password policies and training a disciplinary offense to demonstrate "maintenance" of the program.
Hiring/Training
Tier 1 (<20 Employees): Mandatory implementation of "appropriate" cybersecurity training for all staff.
Tier 2 & 3 (20+ Employees): IT leadership or external consultants must be certified or proficient in the specific required framework (CIS or NIST) to conduct valid gap analyses.
Reporting & Record-Keeping
Written Information Security Program (WISP): You must create a formal WISP document. An unwritten set of practices will not satisfy the court.
Audit Trails: You must retain logs of system updates, patch management, and employee training completion to prove the program was active at the time of a breach.
Standard Updates: You must track updates to your chosen standard (e.g., a new version of NIST). You are legally required to implement changes within one year of the update's publication.
Fees & Costs
No State Fees: There are no filing fees associated with this law.
Operational Costs: Budget for potential increases in MSP fees to meet stricter compliance levels and third-party audit costs to validate the framework.
Strategic Ambiguities & Considerations
"Appropriate" Training: For businesses with fewer than 20 employees, the statute requires "appropriate" training but does not define it. Until case law settles this, businesses should default to documented, test-based training modules rather than informal instruction.
Judicial Enforcement: Unlike regulatory compliance overseen by an agency, this standard is enforced by judges and juries. A jury will decide if your program was "compliant" enough to warrant the liability shield, making documentation your primary defense.
"Material Risk": The requirement to protect against "material risk" is subjective. Businesses should document their risk assessment process to justify why certain controls were (or were not) implemented.
Need Help Understanding Implementation?
Our government affairs experts can walk you through this bill's specific impact on your operations.
Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.
Cyberattacks impose a staggering financial toll on American businesses, costing billions annually, with small and medium-sized businesses emerging as the most vulnerable targets due to their limited budgets, staff, and technical expertise to implement sophisticated cybersecurity defenses. These attacks, ranging from ransomware and phishing to data breaches, can cripple small businesses through direct losses like stolen funds, indirect costs such as prolonged operational downtime, and lasting reputational harm that erodes customer trust and threatens both short-term functionality and long-term survival. In Texas, small businesses, which form the backbone of the state's economy, face escalating risks as cybercriminals exploit their resource constraints.
S.B. 2610 addresses this crisis by establishing a legal "safe harbor" for businesses that proactively adopt recognized cybersecurity frameworks, such as the NIST Cybersecurity Framework or industry-specific standards, offering them protection from punitive lawsuits in the event of a breach. By incentivizing investment in certain recognized cybersecurity frameworks and best practices, this bill encourages a proactive approach to safeguarding sensitive consumer data, including personal and payment information. This protection is especially vital for small enterprises that often lack the legal resources or insurance to defend against costly claims, leveling the playing field against larger competitors.
Through these measures, S.B. 2610 seeks to bolster Texas' economic resilience, reduce the burden on small businesses, and enhance consumer confidence in the state's marketplace.
As proposed, S.B. 2610 amends current law relating to civil liability of business entities in connection with a breach of system security.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Subtitle C, Title 11, Business and Commerce Code, by adding Chapter 542, as follows:
CHAPTER 542. CYBERSECURITY PROGRAM
Sec. 542.001. DEFINITIONS. Defines "breach of system security," "personal identifying information," and "sensitive personal information."
Sec. 542.002. APPLICABILITY OF CHAPTER. Provides that this chapter applies to a business entity in this state that owns or licenses computerized data that includes sensitive personal information.
Sec. 542.003. LIABILITY FOR DATA BREACH. Provides that, if a business entity fails to implement reasonable cybersecurity controls and that failure results in a breach of system security, the business entity is liable to a person whose sensitive personal information was stolen in the breach and who suffered economic harm as a result of the theft of the information.
Sec. 542.004. INDUSTRY STANDARD CYBERSECURITY PROGRAM. (a) Provides that, for purposes of Section 542.003, a business entity has implemented reasonable cybersecurity controls if the entity has created and maintained a cybersecurity program that meets certain requirements.
(b) Provides that a cybersecurity program under this section conforms to an industry recognized cybersecurity framework for purposes of this section if the program conforms to certain standards.
(c) Provides that, if any standard described by Subsection (b)(1) (relating to a current version of certain security standards and programs, as determined by the Department of Public Safety of the State of Texas) is published and updated, a business entity's cybersecurity program continues to meet the requirements of a program under this section if the entity updates the program to meet the updated standard not later than the 180th day after the date on which the standard is published.
(d) Requires that the scale and scope of a cybersecurity program under this section be based on certain factors.
Sec. 542.005. AUTHORITY OF ATTORNEY GENERAL NOT AFFECTED. Prohibits this chapter from being construed to limit the authority of the attorney general to seek any legal or equitable remedy under the laws of this state.
Sec. 542.006. CLASS ACTION CERTIFICATION NOT AFFECTED. Provides that this chapter does not affect the certification of an action as a class action.
SECTION 2. Makes application of Section 542.003, Business and Commerce Code, as added by this Act, prospective.
SB 2610 establishes a statutory "Safe Harbor" protecting Texas businesses with fewer than 250 employees from exemplary (punitive) damages in data breach litigation, provided they adopt specific cybersecurity frameworks prior to a breach. This law effectively converts cybersecurity standards (NIST, CIS, ISO) from voluntary best practices into a necessary legal affirmative defense for liability management.
Q: Who authored SB2610?
A: SB2610 was authored by Texas Senator Cesar Blanco during the Regular Session.
Q: When was SB2610 signed into law?
A: SB2610 was signed into law by Governor Greg Abbott on June 20, 2025.
Q: How urgent is compliance with SB2610?
A: The compliance urgency for SB2610 is rated as "moderate". Businesses and organizations should review the requirements and timeline to ensure timely compliance.
Q: What is the cost impact of SB2610?
A: The cost impact of SB2610 is estimated as "medium". This may vary based on industry and implementation requirements.
Q: What topics does SB2610 address?
A: SB2610 addresses topics including business & commerce, business & commerce--general, civil remedies & liabilities, electronic information systems and protection of personal information.
Legislative data provided by LegiScan. Last updated: November 25, 2025.
Need Strategic Guidance on This Bill?
Need help with Government Relations, Lobbying, or compliance? JD Key Consulting has the expertise you're looking for.