On June 20, 2025, Texas Governor Greg Abbott signed SB 2610 into law, joining a growing number of states that aim to incentivize sound cybersecurity practices through legislative safe harbors. Modeled on laws in states like Ohio and Utah, the new Texas statute provides that certain businesses that “demonstrate[] that at the time of the breach the entity implemented and maintained a cybersecurity program” meeting the requirements in the new law may be shielded from exemplary (punitive) damages in the event of a data breach lawsuit.
This development comes amid a clear uptick in data breach class action litigation across the country. Notably, plaintiffs’ attorneys are no longer just targeting large organizations following breaches that expose millions of records. Recent cases have been filed against small and midsize businesses, even when the breach affected relatively few individuals.
What the Texas Law Does
SB 2610 shields certain businesses (those with fewer than 250 employees) from exemplary damages in a tort action arising from a data breach. The shield applies only if the business demonstrates that, at the time of the breach, it implemented and maintained a cybersecurity program meeting the statute's requirements, which may include conformity with a recognized framework (e.g., the NIST Cybersecurity Framework or ISO/IEC 27001). This is not immunity from all liability: the shield reaches only exemplary damages, not the underlying claim. Even so, it can be a significant limitation on financial exposure.
This is a carrot, not a stick. The law does not impose new cybersecurity obligations or penalties. Instead, it encourages proactive investment in cybersecurity by offering meaningful protection when incidents occur despite those efforts.
Why the Size of the Entity Isn’t the Whole Story
A notable aspect of the Texas law is that it scales cybersecurity expectations in part to business size: a “reasonable” cybersecurity program for a business with fewer than 20 employees may look different from one for a business with 100 to 250 employees. The problem is that headcount is a poor proxy for risk: many businesses with small employee counts handle large volumes of sensitive data.
Consider:
- A 10-employee law firm managing thousands of client files, including Social Security numbers and health records;
- A small dental practice storing patient health histories and billing information;
- A title or insurance agency processing mortgage, escrow, or policy documents for hundreds of customers each month.
These entities may employ fewer than 20 people yet process far more personal information than a 250-employee manufacturing plant. In that context, what qualifies as “reasonable” cybersecurity must be judged by the volume and sensitivity of the data at risk, not just by employee headcount.
Takeaways for Small and Midsize Organizations
- Don’t assume you’re too small to be a target: Plaintiffs’ firms are increasingly focused on any breach with clear damages and weak safeguards—regardless of business size.
- Adopt a framework: Implementing a recognized cybersecurity framework not only enhances your defense posture but could also help limit damages in litigation.
- Document, document, document: The protection under SB 2610 is available only if the business can demonstrate that it implemented and maintained a written cybersecurity program at the time of the breach, so keep dated policies and records showing the controls were actually in place.
- Review annually: As threat landscapes evolve, your security program must adapt. Static programs are unlikely to satisfy the “reasonable conformity” standard over time.
Final Thought
Texas’s new law reinforces a growing national trend: states are rewarding—not just punishing—cybersecurity efforts. But the law also raises the bar for smaller businesses that may have historically viewed cybersecurity as a lower priority. If your organization handles personal data, no matter how many employees you have, it’s time to treat cybersecurity as a critical business function—and an essential legal shield.