Texas Gives Small Businesses a Shield Against Punitive Damages

SB 2610 protects businesses under 250 employees from exemplary damages in data breach lawsuits — if they maintain a cybersecurity program scaled to their size and complexity.

Effective September 1, 2025 · Tex. Bus. & Com. Code Ch. 542

The Law

What SB 2610 Does for You

If your small or mid-sized business suffers a data breach and you end up in court, SB 2610 blocks plaintiffs from recovering exemplary (punitive) damages — as long as you had a qualifying cybersecurity program in place. Three things to know:

Punitive Damages Blocked

Plaintiffs cannot recover exemplary damages if you maintained a compliant cybersecurity program at the time of the breach.

Built for Small Business

The only state safe harbor designed exclusively for businesses under 250 employees — scaled requirements, not enterprise-grade mandates.

Tiered Compliance

Requirements scale with your size: simplified for under 20, moderate for 20–99, and full framework for 100–249 employees.

How to Qualify

Three Tiers, One Goal

Texas scales your cybersecurity requirements to your business size. Find your tier:

1. Under 20 Employees — Simplified

Password policies and cybersecurity awareness training. Basic measures appropriate for the smallest businesses.

2. 20–99 Employees — Moderate

CIS Controls Implementation Group 1 (IG1) — foundational cyber hygiene covering the most essential security practices.

3. 100–249 Employees — Full Framework

Reasonable conformance to a recognized industry cybersecurity framework from the list below.

NIST CSF
NIST 800-171
NIST 800-53
FedRAMP
CIS Controls
ISO 27000
HITRUST CSF
SOC 2
PCI DSS
HIPAA
GLBA
SCF

Texas also recognizes FISMA, HITECH, and “similar industry standards” — the broadest framework list of any state safe harbor law.

Common Concern

Only Under 250 Employees?

Small Businesses Face the Biggest Risk

Businesses under 250 employees are the most targeted and least resourced in cybersecurity. SB 2610 was designed specifically for this segment — creating a clear incentive to invest in proportionate security. And the program you build for Texas qualifies you under every other state's safe harbor too, regardless of your size.

What the law doesn't cover: compensatory (actual) damages remain available to plaintiffs. The law also does not affect Attorney General enforcement actions or class action certification. It applies only to causes of action accruing on or after September 1, 2025.

How SignumCyber Helps

Every Tier. One Platform.

SB 2610 Requires: Written cybersecurity program
How We Help: 73-domain assessment + policy creation wizard to build your program

SB 2610 Requires: Framework conformance scaled to size
How We Help: NIST CSF, ISO 27001, SOC 2, HIPAA & PCI DSS

SB 2610 Requires: Administrative, technical & physical safeguards
How We Help: Conditional logic adapts controls to your size, industry & environment

SB 2610 Requires: Maintain and update your program
How We Help: Periodic reassessment, implementation tracking & reporting

SB 2610 Requires: Documented evidence of compliance
How We Help: Evidence management, task tracking & audit-ready reporting

Bigger Picture

A Growing National Movement

Seven states and counting. The program you build for Texas strengthens your defense everywhere.

Ohio 2018
Utah 2021
Connecticut 2021
Iowa 2023
Tennessee 2024
Oregon 2024
Texas 2025

Ready to Build Your Defense?

See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.

30 minutes. No pressure. Just clarity.

This page is general information about Texas's cybersecurity safe harbor law (SB 2610), not legal advice. Consult a qualified attorney for guidance specific to your organization.