
Texas Cybersecurity Safe Harbor Law (SB 2610): 10 Things Small and Mid-Sized Businesses Must Know Before September 1, 2025

Summary 

On June 20, 2025, Governor Greg Abbott signed the Texas Cybersecurity Safe Harbor Law (SB 2610). This law takes effect on September 1, 2025, and brings major changes for small and mid-sized Texas businesses that handle sensitive personal information.

If your organization has fewer than 250 employees, this law could protect you from punitive damages after a data breach, but only if you maintain a documented, compliant cybersecurity program.

Signed Into Law June 20, 2025 — Effective September 1, 2025

Governor Greg Abbott signed the Texas Cybersecurity Safe Harbor Law (SB 2610) on June 20, 2025. The law takes effect on September 1, 2025, giving small and mid-sized businesses only a short window to become compliant.

What Is the Texas Cybersecurity Safe Harbor Law?

SB 2610 establishes a legal safe harbor from punitive damages following a data breach, but only if the business has implemented and maintained a recognized cybersecurity framework.

Who's Impacted? - Texas Businesses With Fewer Than 250 Employees

The law applies exclusively to Texas businesses with fewer than 250 employees that own or license sensitive personal information. This makes it especially relevant for small and mid-sized businesses (SMBs) across Texas.

What is Considered "Sensitive Personal Information"?

Covered data includes:

  • Social Security numbers
  • Driver’s license or government ID numbers
  • Financial account information and login credentials
  • Personal health information (PHI)

Tiered Cybersecurity Requirements Based on Business Size

The law scales compliance requirements by headcount:

  • Fewer than 20 employees: Basic cybersecurity measures like password policies and employee awareness training.
  • 20–99 employees: Must adopt CIS Controls Implementation Group 1 (foundational cyber hygiene).
  • 100–249 employees: Must fully comply with advanced frameworks such as NIST CSF, NIST SP 800-53/171, CIS Controls, ISO/IEC 27001, or FedRAMP.

Documentation and Maintenance Are Mandatory

To qualify for safe harbor, businesses must document their cybersecurity program and show it was active at the time of a breach. This includes:

  • Written security policies
  • Training records
  • Risk assessments and incident response planning
  • Updates within 180 days of framework revisions

What the Texas Safe Harbor Law Does Not Cover

SB 2610 only shields against punitive damages. It does not protect against:

  • Compensatory damages
  • Regulatory fines or penalties
  • Attorney general enforcement actions
  • Class action lawsuits

Texas Joins a National Trend in Cybersecurity Law

With SB 2610, Texas becomes the fifth state to pass a cybersecurity safe harbor law and the sixth to define “reasonable cybersecurity” in law. This trend shows that cybersecurity frameworks like NIST and CIS Controls are quickly becoming legal expectations for SMBs.

Why SB 2610 Is a Big Win for Texas SMBs

This law is a “carrot, not a stick” approach. Instead of imposing penalties, Texas rewards businesses that proactively invest in cybersecurity by reducing legal risk. Benefits include:

  • Stronger resilience to cyberattacks
  • Reduced downtime after incidents
  • Increased trust from customers, partners, and insurers
  • A competitive advantage in regulated industries

How to Get Compliant Before the September 1, 2025 Deadline

The clock is ticking. To ensure compliance with SB 2610, Texas businesses must act now by:

  • Choosing the right cybersecurity framework for their size
  • Implementing and documenting controls
  • Training employees and running risk assessments
  • Preparing for audits or breach responses

Why This Matters and How Echelon Risk + Cyber Can Help

At Echelon Risk + Cyber, we specialize in helping Texas SMBs:

  • Identify the right cybersecurity framework (NIST, CIS, ISO/IEC)
  • Build and document compliant security programs
  • Provide employee training, risk assessments, and incident response planning
  • Maintain compliance with framework updates

Don’t wait until the September 1, 2025 deadline. Contact Echelon Risk + Cyber today for a Cybersecurity Posture Assessment and ensure your business is prepared to qualify for safe harbor protections under SB 2610.

Echelon Risk + Cyber is equipped to help Texas small and mid-sized businesses navigate the requirements of the new Texas Cybersecurity Safe Harbor Law (SB 2610) by providing expert guidance on selecting and implementing the right cybersecurity framework. Whether your business needs to adopt NIST CSF, CIS Controls, ISO/IEC 27001, or CISA CPGs, our team builds and documents programs that meet compliance standards while strengthening resilience against cyber threats.

As one of the Top 10% fastest-growing private companies on the 2025 Inc. 5000 list, Echelon has a proven track record of helping organizations in regulated industries, including financial institutions, healthcare providers, and technology companies, reduce risk, meet compliance obligations, and earn customer trust.
