
Texas SB 2610

May 28, 2025 | Business | 3 min read

Texas Senate Bill 2610: Cybersecurity Safe Harbor for SMBs

 

A Major Win for Texas SMBs

SB2610, authored by Senator César J. Blanco and co-sponsored by Senator Kelly Hancock, passed the Senate unanimously (31-0) on April 30, 2025, and the House on May 28, 2025. It offers a legal “safe harbor,” protecting businesses from exemplary damages in data breach lawsuits if they maintain a compliant cybersecurity program. This is a critical step for Texas’s 3 million SMBs, which employ nearly half our workforce and face 43% of cyberattacks, costing an average of $200,000 per breach. Cybercrime cost Texas $1 billion in 2023, underscoring the need for these protections.

SB2610 Cybersecurity Requirements

SB2610 adds Chapter 542 to the Business & Commerce Code, encouraging businesses to adopt cybersecurity programs with tiered requirements based on employee count. Compliance ensures protection from punitive damages, effective September 1, 2025. Here’s what businesses need to do:

Businesses with Fewer than 20 Employees

  • Simplified Measures: Implement basic cybersecurity practices, including strong password policies (e.g., unique passwords, regular updates) and employee training on topics like phishing awareness and secure data handling.
  • Update Timeline: Update your program within 270 days of new framework standards being published.

Businesses with 20 to 99 Employees

  • Moderate Requirements: Comply with the Center for Internet Security (CIS) Controls Implementation Group 1 (IG1), which includes ~20 foundational practices such as asset inventory, secure configurations, malware defenses, and access controls.
  • Update Timeline: Update your program within 270 days of new standards.

Businesses with 100 to 249 Employees

  • Full Compliance: Adopt one or a combination of industry-recognized frameworks, including:
    • NIST Framework for Improving Critical Infrastructure Cybersecurity
    • NIST Special Publications 800-171, 800-53, or 800-53A
    • Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
    • CIS Critical Security Controls
    • ISO/IEC 27000-series standards
    • Health Information Trust Alliance Common Security Framework
    • Sector-specific standards like HIPAA, Gramm-Leach-Bliley Act, or PCI DSS (if applicable)
    • Other Similar Frameworks or Standards
      • NIST CSF
      • COBIT
  • Update Timeline: Update your program within 180 days of new standards.

Additional Provisions

  • Program Goals: Your cybersecurity program must include administrative, technical, and physical safeguards to protect personal and sensitive personal information, prevent threats, and reduce risks of identity theft or fraud.
  • Applicability: Applies to businesses owning or licensing computerized data with sensitive personal information.
  • Attorney General and Class Actions: SB2610 does not limit the attorney general’s legal remedies or affect class action certifications.

Why SB2610 Matters

SB2610 aligns with successful safe harbor models like Ohio’s 2018 law, which drove 76% of SMBs to increase cybersecurity budgets, and Utah’s 2021 law, which saw 65% adopt multi-factor authentication. By encouraging voluntary adoption without mandates, SB2610 protects Texas SMBs—99% of our businesses, per Senator Blanco—while fostering a secure digital economy.

Partner with ALCON DTS for Compliance

At ALCON DTS, we’re committed to helping SMBs meet SB2610’s cybersecurity standards affordably. Whether you need to implement password policies, CIS Controls, or NIST frameworks, our managed IT and cybersecurity services ensure compliance while securing your business. Let us help you leverage these new protections! Our team of cloud experts can help you.

Contact us today to schedule your consultation.