On September 1, 2025, Texas Senate Bill 2610 (SB 2610) went into effect. This new law was designed to support small businesses by creating a legal "safe harbor" for those that proactively adopt strong cybersecurity practices. Here's what you need to know.

What Does SB 2610 Say?

If a Texas business with fewer than 250 employees maintains a cybersecurity program with administrative, technical, and physical safeguards to protect sensitive personal information, that business has a defense against exemplary (punitive) damages in a lawsuit following a data breach. The defense covers punitive damages only: it does not prevent a lawsuit, and it does not shield the business from actual (compensatory) damages for harm the breach caused.

What Counts as "Sensitive Personal Information"?

SB 2610 uses the definition in Texas Business and Commerce Code Section 521.002, which defines sensitive personal information as:

  1. An individual's first name (or first initial) and last name combined with any of the following identifiers:
    1. Social Security number (SSN)
    2. Driver's license number or other government-issued ID number
    3. Bank account, credit card, or debit card number together with any required security code, access code, or password
  2. Information that identifies an individual and relates to:
    1. The individual's physical or mental health condition
    2. The health care the individual receives
    3. Payment for the individual's health care

What Does SB 2610 Require?

The law scales requirements based on business size. 

  Size                      Requirement
  Fewer than 20 employees   Simplified requirements, including password policies and cybersecurity training
  20 to 99 employees        Moderate requirements, including compliance with CIS Controls Implementation Group 1 (IG1)
  100 to 249 employees      Full compliance with an industry-recognized cybersecurity framework (see the list below)


What Frameworks Qualify Under SB 2610?

To comply with SB 2610, a business with 100 to 249 employees must maintain a cybersecurity program that conforms to a current version of one of the following industry-recognized frameworks:

  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-171
  • NIST SP 800-53 and SP 800-53A
  • FedRAMP Security Assessment Framework
  • CIS Controls
  • ISO/IEC 27000 series
  • HITRUST Common Security Framework
  • Secure Controls Framework (SCF)
  • SOC Type 2 Framework
  • Other similar recognized industry frameworks

The law also recognizes a program that complies with certain federal laws and industry standards, including:

  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Federal Information Security Modernization Act (FISMA)
  • Payment Card Industry Data Security Standard (PCI DSS)

When one of these frameworks or standards is revised, a business must bring its cybersecurity program into line with the revised version, either by the compliance deadline the revision sets or within one year of its publication. A program that conforms only to a superseded version does not keep the safe harbor.

💡Tip: If you're a Texas community bank or credit union with fewer than 250 employees, a program that already complies with GLBA's information security requirements can qualify you under SB 2610, so you may not need a second framework just for the safe harbor.

Takeaways & Next Steps

Texas SB 2610 encourages small businesses to strengthen cybersecurity by offering a defense against exemplary (punitive) damages after a breach. It doesn't eliminate the risk of being sued or of paying compensatory damages, and it only applies if the program matches the requirements for your size tier and keeps pace with framework revisions, but it does reward proactive security measures.

If you're ready to build or enhance your cybersecurity program, check out Tandem, a cybersecurity governance, risk management, and compliance (GRC) platform built for small businesses.

Start with the free Tandem Cybersecurity Assessment product, which lets you complete a cybersecurity control self-assessment based on several of the frameworks recognized in SB 2610. Learn more at Tandem.App/Cybersecurity.