Texas SB 2610 creates a legal safe harbor that prohibits plaintiffs from recovering exemplary damages in lawsuits arising from data breaches - but only when the business can demonstrate it had a compliant cybersecurity program running at the time of the incident. The bill was authored by Senator Cesar J. Blanco and co-sponsored by Senator Kelly Hancock.

Think of it this way. Two identical Houston businesses get hit by the same type of ransomware attack. Both lose customer data. One had documented cybersecurity policies, employee training, and a recognized framework in place. The other had a firewall and good intentions. In a lawsuit, the first business is shielded from punitive damages. The second one isn't.

That difference can be worth hundreds of thousands of dollars - or more. Punitive damages often exceed actual damages by significant multiples. For a 50-person company, that gap can be the difference between surviving an incident and closing the doors.

Why This Matters for Houston SMBs

Data breach class action lawsuits aren't just targeting Fortune 500 companies anymore. Plaintiffs' attorneys are filing against small and mid-sized businesses, even when a breach affects a relatively small number of people. Cybercrime cost Texas $1 billion in 2023. Small businesses face 43% of all cyberattacks. In my 30 years working in IT the pattern is always the same: businesses don't take security seriously until after an incident. SB 2610 gives you a financial reason to act before that happens.

SB 2610 safe harbor protection applies to Texas business entities that meet all three of these conditions:

• Fewer than 250 employees. This covers the vast majority of Houston-area businesses - from a 12-person law firm in Sugar Land to a 180-employee construction company in Katy.
• Owns or licenses computerized data containing sensitive personal information. If you store employee Social Security numbers, customer financial data, health records, or government-issued ID numbers in digital form, this applies to you.
• Had a compliant cybersecurity program implemented and maintained at the time of the breach. This is the critical qualifier. You cannot implement a program after an incident and claim retroactive protection.

If your business collects, stores, or manages data tied to individuals - whether those are customers, patients, employees, or vendors - SB 2610 probably applies to your operations. The question is whether you're positioned to claim the protection it offers.

One of the smartest aspects of SB 2610 is its tiered approach. The law recognizes that a 15-person accounting practice in Cypress doesn't have the same IT resources as a 200-employee manufacturing company in West Houston. Requirements are matched to what's realistic for each size category.

Even the simplest tier requires documented safeguards and active training. "We have antivirus software" is not a cybersecurity program. We see this at least twice a month with businesses in the Katy and Sugar Land area - they assume basic IT tools equal compliance, and they're wrong.

For businesses with 100-249 employees (or any business choosing to adopt a full framework), SB 2610 lists specific recognized frameworks. The program must conform to at least one of these:

• NIST Cybersecurity Framework (CSF) - The most widely adopted general-purpose framework, and a strong choice for Houston-area businesses of all types
• NIST SP 800-171 and NIST SP 800-53/800-53a - More detailed controls, common with government contractors
• CIS Critical Security Controls - Practical, prioritized actions with clear implementation groups
• ISO/IEC 27000-series - Globally recognized information security management standards
• FedRAMP Security Assessment Framework - Required for cloud service providers working with federal agencies
• HITRUST CSF - Common in healthcare and financial services
• Secure Controls Framework (SCF) - A meta-framework mapping to multiple standards
• SOC 2 Framework - Trust services criteria covering security, availability, and confidentiality

Businesses already subject to HIPAA, Gramm-Leach-Bliley (GLBA), FISMA, HITECH, or PCI DSS will qualify if they maintain current compliance with those standards. If your CPA firm in Richmond is already handling GLBA requirements, or your medical practice in Missouri City is HIPAA-compliant, you may already meet the threshold.

Framework Updates: What You Need to Know

When a recognized framework publishes an update, SB 2610 gives businesses time to adapt. You must update your cybersecurity program by whichever comes later: the published implementation date in the updated standard, or one year from the date the update is published. This is a reasonable grace period that prevents businesses from falling out of compliance overnight.

SB 2610 is not a get-out-of-jail-free card. It specifically shields businesses from exemplary (punitive) damages only. You're still fully exposed to several categories of liability and enforcement:

• Compensatory damages - Real losses including breach notification costs, data recovery expenses, credit monitoring services, and direct financial losses suffered by affected individuals
• Texas Attorney General enforcement - The AG retains full authority to investigate and pursue legal or equitable remedies under Texas law
• Federal regulatory investigations - FTC enforcement actions and other federal agency penalties remain unaffected
• Breach notification requirements - Texas Business & Commerce Code Section 521.053 still requires timely notification of affected individuals
• Class action certification - SB 2610 explicitly states it does not affect the certification of a class action lawsuit
• Court injunctions - Courts can still issue injunctive relief requiring specific actions or changes

Existing penalties of $2,000 to $50,000 per violation for notification failures also remain in effect. SB 2610 removes one specific - but potentially devastating - category of financial exposure. The rest of the liability picture stays the same.

Getting compliant isn't a one-weekend project, but it doesn't need to be a six-figure consulting engagement either. For most Houston-area SMBs in the 10-100 employee range, the path is clear and manageable with the right support.

Step 1: Determine Your Tier

Count your employees and identify which tier applies to your business. This determines the minimum standard you need to meet. A 35-person engineering firm in The Woodlands falls into Tier 2 (CIS Controls IG1). A 150-employee construction company in Katy needs a full framework under Tier 3.

Step 2: Assess Your Current Posture

Run a gap analysis against the framework that matches your tier. Where do you already have controls in place? Where are the gaps? If you've been working with an IT provider, you may have more coverage than you realize. If you haven't, this step gives you the honest picture.

Step 3: Implement the Gaps

Prioritize the missing controls based on risk. Don't try to do everything at once - start with the highest-impact items: multi-factor authentication, employee training, documented access controls, regular patching, and encrypted backups. These cover the most common attack vectors that hit small businesses.

Step 4: Document Everything

Written policies. Training records. Configuration screenshots. Audit logs. Risk assessment reports. Date every document. Version-control every update. This is the evidence that proves your program existed before a breach - and without it, safe harbor means nothing.

Step 5: Maintain and Update Continuously

A cybersecurity program that was compliant in 2025 won't necessarily pass review in 2027. Threats change. Frameworks get updated. Review your program at least annually, and update it when your framework publishes revisions or when your business changes significantly.