
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Texas Governor Signs Bill Providing Cybersecurity Safe Harbor for SMBs

Small businesses in Texas have been given protection from liability in data breach lawsuits if they implement and maintain a compliant cybersecurity program. Last Friday, State Governor Greg Abbott signed S.B. 2610 into law. The law establishes a cybersecurity safe harbor for businesses with fewer than 250 employees, provided they implement and maintain a cybersecurity program that meets certain criteria. The new law does not protect businesses from all liability in the event of a security breach, but it does shield businesses from exemplary (punitive) damages arising from a breach of system security, limiting their financial exposure.

If a business can demonstrate that, at the time of a breach of system security, it had implemented and maintained a cybersecurity program, a person harmed by that breach may not recover exemplary damages. The cybersecurity program must:

  • Contain administrative, technical, and physical safeguards for protecting personal identifying information and sensitive personal information
  • Conform to an industry-standard cybersecurity framework
  • Be designed to a) protect the security of personal identifying information and sensitive personal information, b) protect against threats and hazards to the integrity of personal identifying information and sensitive personal information, and c) protect against unauthorized access to or the acquisition of personal identifying information and sensitive personal information


The required cybersecurity measures are scaled based on the size of the business. A business with fewer than 20 employees has simplified requirements, such as password policies and cybersecurity training. Businesses with between 20 and 99 employees have moderate requirements, including the Center for Internet Security Controls Implementation Group 1.

Businesses with between 100 and 249 employees must implement a recognized cybersecurity framework, such as the NIST Cybersecurity Framework or the Health Information Trust Alliance’s Common Security Framework. Businesses that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, or PCI DSS will be covered if they are in full compliance with those standards. The new law takes effect on September 1, 2025.

The new law mirrors the safe harbor laws introduced in Ohio and Utah and is intended to encourage businesses to implement reasonable cybersecurity measures. Since the safe harbor laws were introduced in Ohio in 2018 and Utah in 2021, there has been a significant increase in investments in cybersecurity by SMBs.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
