Does Texas SB 2610 protect your business after a data breach — and what cybersecurity requirements do you need to meet to qualify?
Starting September 1, 2025, a new Texas law — Senate Bill 2610 (SB 2610) — offers small businesses a legal safety net in the event of a data breach. But to qualify, your cybersecurity program must meet specific standards that scale with your business size.
In short: only businesses that meet the requirements will benefit from SB 2610’s safe harbor provision.
Here’s what Texas business owners need to know and how to qualify for this protection.
Who Does This Law Apply To?
SB 2610 applies to businesses in Texas that:
- Have fewer than 250 employees
- Own or license computerized data that contains sensitive personal information (like Social Security numbers, government IDs, or health records)
If your business collects, stores, or manages data tied to individuals, especially customers, patients, or employees, this law likely applies to you. This applies whether your business directly owns the data or has permission to use/manage it as part of your operations.
What Protections Does SB 2610 Offer?
If your business experiences a breach of system security and you can demonstrate that a compliant cybersecurity program was in place at the time, SB 2610 protects you from punitive damages in related lawsuits.
However, the law does not protect you from:
- Compensatory damages (e.g., covering real losses)
- Court orders (injunctive relief)
- Investigations or penalties from the Texas Attorney General, FTC, or other agencies
- Breach notification requirements under Texas Business & Commerce Code §521.053
- Class action lawsuits (this law does not affect certification of a class)
What Does a “Compliant Cybersecurity Program” Look Like?
To qualify for safe harbor, your cybersecurity program must:
- Include administrative, technical, and physical safeguards for protecting sensitive information
- Be designed to detect, prevent, and respond to risks like identity theft and fraud
- Be scaled appropriately based on the size and complexity of your business
- Conform to industry-recognized cybersecurity frameworks
Requirements Based on Company Size
Each tier comes with its own expectations — and only businesses that meet the controls appropriate to their size will be eligible for SB 2610’s safe harbor protection. Smaller businesses aren’t off the hook; even the simplest tier requires documented safeguards and active cybersecurity training.
Approved Cybersecurity Frameworks
For businesses with 100–249 employees (or any business opting for full compliance), accepted frameworks include:
- NIST Cybersecurity Framework
- NIST SP 800-171, 800-53, and 800-53a
- ISO/IEC 27000-series
- Center for Internet Security Critical Security Controls
- FedRAMP
- HITRUST CSF
- Secure Controls Framework
- SOC 2 Framework
- HIPAA, GLBA, FISMA, HITECH, PCI DSS (if applicable)
If a framework is updated, businesses must update their program by the published implementation date or within 1 year — whichever comes later.
What Counts as “Sensitive Personal Information”?
Per Texas law, this includes unencrypted digital data that combines a person’s name with:
- Social Security number
- Driver’s license or ID number
- Financial account numbers with access credentials
- Health information, diagnoses, care received, or payment data
Public records and information legally made public are not covered under this definition.
In Texas breach investigations, regulators routinely examine whether security controls were enforced at the time of the incident—not just available. Public breach enforcement actions show that failures such as optional MFA, inconsistent identity controls, and missing documentation often determine liability. This enforcement pattern explains why SB 2610 ties safe harbor protection to provable, enforced safeguards rather than the mere presence of security tools.
What This Means for Your Business
Whether you’re a 10-person startup or a growing business with 200 employees, SB 2610 incentivizes cybersecurity preparedness. If you’re not actively maintaining and updating a framework-based program, a breach could leave you fully exposed, not just to reputational damage, but also financial liability.
For current GCS clients, many of these protections may already be partially in place through Secure Cloud. However, eligibility still depends on whether required cybersecurity training is enforced, and whether your controls align with your size category.
Don’t Wait Until It’s Too Late
SB 2610 goes into effect on September 1, 2025, and it only protects businesses that are compliant at the time of a breach.
Whether you’re already working with us or just starting to explore your options, we can assess your current cybersecurity posture and show you exactly what’s needed to meet the new requirements.
Contact us today for a security assessment and find out where you stand — and what steps are needed to qualify.
Disclaimer: This post is for informational purposes only and does not constitute legal advice. GCS Technologies is not a law firm, and we do not provide legal services.
FAQ: Texas SB 2610 Cybersecurity Safe Harbor Law
Who qualifies for protection under Texas SB 2610?
Texas businesses with fewer than 250 employees that own or manage sensitive personal information and have a compliant cybersecurity program in place at the time of a breach.
What protection does SB 2610 actually provide?
SB 2610 offers safe harbor from punitive damages in certain lawsuits following a data breach. It does not eliminate breach notifications, regulatory investigations, compensatory damages, or class actions.
What counts as a “compliant cybersecurity program” under SB 2610?
A program that includes administrative, technical, and physical safeguards, is scaled to your business size, and aligns with an approved cybersecurity framework such as NIST, CIS Controls, ISO 27001, or SOC 2.
Does SB 2610 require small businesses to follow enterprise-level frameworks?
No. Requirements scale by company size, but even small businesses must document controls, train employees, and actively manage cybersecurity risks to qualify.
When does SB 2610 go into effect, and when must businesses be compliant?
The law takes effect on September 1, 2025, and protections apply only if your cybersecurity program is compliant before a breach occurs.


