JD Key Consulting Logo
Signed Into Law
Signed June 20, 2025Effective 2025-09-01
SB2610

Regular Session

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Government Affairs & Regulatory Compliance Analysis

SB2610: Government Affairs Overview

SB 2610 establishes a statutory "Safe Harbor" protecting Texas businesses with fewer than 250 employees from exemplary (punitive) damages in data breach litigation, provided they adopt specific cybersecurity frameworks prior to a breach. This law effectively converts cybersecurity standards (NIST, CIS, ISO) from voluntary best practices into a necessary legal affirmative defense for liability management.

Sen. Cesar Blanco·Senate Bill·Regular Session

Moderate
Medium Cost
Effective:2025-09-01
Business Impact

Who SB2610 Affects

This legislation has regulatory implications for the following Texas businesses and organizations:

Regulatory Priority: moderate

Notable regulatory updates (effective 2025-09-01). Consider how these changes may affect your operations.

🏭

Manufacturing & Business

Affected business types:

  • Manufacturers
  • Industrial facilities
  • Supply chain companies
  • Logistics providers
View all manufacturing & business legislation

Key Operational Considerations

  • 1Vendor Agreements: Contracts with third-party data processors (payroll, cloud storage) must include flow-down clauses ensuring they meet Sec. 542.004 standards.
  • 2Employment Agreements: Update employee handbooks to make non-compliance with password policies and training a disciplinary offense to demonstrate "maintenance" of the program.
  • 3Tier 1 (<20 Employees): Mandatory implementation of "appropriate" cybersecurity training for all staff.

Estimated Cost Impact

mediumModerate costs expected for implementation.

Need Government Relations Support?

JD Key Consulting provides government affairs and regulatory strategy services. We help businesses navigate Texas agencies, understand legislative impacts, and advocate for their interests.

Need Help Navigating This Legislation?

JD Key Consulting provides strategic guidance on Texas regulatory compliance and legislative impact for your business.

SB2610
Moderate
Relating to a limitation on civil liability of business entities in connection with a breach of system security.
Moderate Compliance Urgency
Requires near-term attention
Cost Impact
Medium
Effective
2025-09-01
Primary Author: Sen. Cesar Blanco
89th Texas Legislature
jdkey.com
01

Compliance Analysis

Key implementation requirements and action items for compliance with this legislation

Implementation Timeline

  • Effective Date: September 1, 2025
  • Compliance Deadline: Q3 2025. While the law takes effect in September, the defense is only valid if the program is fully operational *at the time of the breach*. Given that implementing frameworks like NIST or CIS takes 6–12 months, gap analysis must begin immediately.
  • Agency Rulemaking: None. This statute is self-executing in civil court. There will be no state agency guidance; businesses must look to the external standards bodies (NIST, CIS, ISO) for updates.

Immediate Action Plan

  • Determine Your Tier: Confirm your exact employee count to identify if you fall under Tier 1 (<20), Tier 2 (20–99), or Tier 3 (100–249).
  • Conduct Gap Analysis: Immediately audit your current IT security against the mandated framework (CIS Controls Group 1 or NIST) to identify deficiencies.
  • Formalize the WISP: Draft and sign a Written Information Security Program that mirrors the statutory requirements.
  • Engage Insurance: Contact your Cyber Liability carrier to determine if SB 2610 compliance will be a prerequisite for future coverage or premium discounts.
  • Review MSP Contracts: Ensure your IT provider is contractually obligated to meet the new statutory standards by mid-2025.

Operational Changes Required

Contracts

  • Managed Service Providers (MSPs): Master Services Agreements (MSAs) must be amended to explicitly require the MSP to maintain the specific framework required by your business size (e.g., CIS Controls Group 1 for 20–99 employees).
  • Vendor Agreements: Contracts with third-party data processors (payroll, cloud storage) must include flow-down clauses ensuring they meet Sec. 542.004 standards.
  • Employment Agreements: Update employee handbooks to make non-compliance with password policies and training a disciplinary offense to demonstrate "maintenance" of the program.

Hiring/Training

  • Tier 1 (<20 Employees): Mandatory implementation of "appropriate" cybersecurity training for all staff.
  • Tier 2 & 3 (20+ Employees): IT leadership or external consultants must be certified or proficient in the specific required framework (CIS or NIST) to conduct valid gap analyses.

Reporting & Record-Keeping

  • Written Information Security Program (WISP): You must create a formal WISP document. An unwritten set of practices will not satisfy the court.
  • Audit Trails: You must retain logs of system updates, patch management, and employee training completion to prove the program was active at the time of a breach.
  • Standard Updates: You must track updates to your chosen standard (e.g., a new version of NIST). You are legally required to implement changes within one year of the update's publication.

Fees & Costs

  • No State Fees: There are no filing fees associated with this law.
  • Operational Costs: Budget for potential increases in MSP fees to meet stricter compliance levels and third-party audit costs to validate the framework.

Strategic Ambiguities & Considerations

  • "Appropriate" Training: For businesses with fewer than 20 employees, the statute requires "appropriate" training but does not define it. Until case law settles this, businesses should default to documented, test-based training modules rather than informal instruction.
  • Judicial Enforcement: Unlike regulatory compliance overseen by an agency, this standard is enforced by judges and juries. A jury will decide if your program was "compliant" enough to warrant the liability shield, making documentation your primary defense.
  • "Material Risk": The requirement to protect against "material risk" is subjective. Businesses should document their risk assessment process to justify why certain controls were (or were not) implemented.

Need Compliance Guidance on This Legislation?

JD Key Consulting specializes in Texas regulatory compliance strategy. Work directly with James Dickey—former Chairman of the Republican Party of Texas—to understand this bill's impact on your operations and develop an actionable compliance plan.

Schedule a Consultation

Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.

02

Legislative Timeline

This bill's path through the Texas Legislature

Filed
Mar 13, 2025
Passed Senate
Apr 30, 2025
Passed House
May 28, 2025
Signed
Jun 20, 2025
Effective
Sep 1, 2025
TopicsBusiness & CommerceBusiness & Commerce--generalCivil Remedies & LiabilitiesElectronic Information SystemsProtection of Personal Information
03

Senate Authors

Sen. Cesar BlancoDemocrat · Primary Author
Coauthors (1)

House Sponsor

Rep. Giovanni CapriglioneRepublican · Primary Sponsor

Bill Text(with markup)

View bill text in multiple formats on Texas Legislature website

Fiscal NoteView Original

Related Legislation

Explore more bills from this author and on related topics

More from Sen. Cesar Blanco

View all bills by Sen. Cesar Blanco

Related by Topic

View more Business & Commerce legislation
Quick Reference

Frequently Asked Questions

Common questions about SB2610

Q

What does Texas SB2610 do?

SB 2610 establishes a statutory "Safe Harbor" protecting Texas businesses with fewer than 250 employees from exemplary (punitive) damages in data breach litigation, provided they adopt specific cybersecurity frameworks prior to a breach. This law effectively converts cybersecurity standards (NIST, CIS, ISO) from voluntary best practices into a necessary legal affirmative defense for liability management.

Q

Who authored SB2610?

SB2610 was authored by Texas Senator Cesar Blanco during the Regular Session.

Q

When was SB2610 signed into law?

SB2610 was signed into law by Governor Greg Abbott on June 20, 2025.

Q

How significant are the changes in SB2610?

The regulatory priority for SB2610 is rated as "moderate". Businesses and organizations should review the legislation to understand potential impacts.

Q

What is the cost impact of SB2610?

The cost impact of SB2610 is estimated as "medium". This may vary based on industry and implementation requirements.

Q

What topics does SB2610 address?

SB2610 addresses topics including business & commerce, business & commerce--general, civil remedies & liabilities, electronic information systems and protection of personal information.

Q

What are the key dates for SB2610?

Key dates for SB2610: Effective date is 2025-09-01. Consult with legal counsel regarding applicability.

Q

Which Texas businesses are affected by SB2610?

SB2610 primarily affects Texas businesses and commercial enterprises. These businesses should review the legislation with their legal and compliance teams to understand potential impacts.

Need Strategic Guidance on This Legislation?

JD Key Consulting is an Austin, Texas-based government affairs firm led by James Dickey, former Chairman of the Republican Party of Texas. We specialize in Texas regulatory compliance and legislative strategy for data centers, energy, banking, and manufacturing.

Legislative data provided by LegiScanLast updated: January 11, 2026