JD Key Consulting Logo
SB2610

Regular Session

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Moderate
Medium Cost
Effective:2025-09-01
SB2610
Moderate
Relating to a limitation on civil liability of business entities in connection with a breach of system security.
Moderate Compliance Urgency
Requires near-term attention
Cost Impact
Medium
Effective
2025-09-01
Primary Author: Sen. Cesar Blanco
89th Texas Legislature
jdkey.com
01

Compliance Analysis

Key implementation requirements and action items for compliance with this legislation

Implementation Timeline

  • Effective Date: September 1, 2025
  • Compliance Deadline: Q3 2025. While the law takes effect in September, the defense is only valid if the program is fully operational *at the time of the breach*. Given that implementing frameworks like NIST or CIS takes 6–12 months, gap analysis must begin immediately.
  • Agency Rulemaking: None. This statute is self-executing in civil court. There will be no state agency guidance; businesses must look to the external standards bodies (NIST, CIS, ISO) for updates.

Immediate Action Plan

  • Determine Your Tier: Confirm your exact employee count to identify if you fall under Tier 1 (<20), Tier 2 (20–99), or Tier 3 (100–249).
  • Conduct Gap Analysis: Immediately audit your current IT security against the mandated framework (CIS Controls Group 1 or NIST) to identify deficiencies.
  • Formalize the WISP: Draft and sign a Written Information Security Program that mirrors the statutory requirements.
  • Engage Insurance: Contact your Cyber Liability carrier to determine if SB 2610 compliance will be a prerequisite for future coverage or premium discounts.
  • Review MSP Contracts: Ensure your IT provider is contractually obligated to meet the new statutory standards by mid-2025.

Operational Changes Required

Contracts

  • Managed Service Providers (MSPs): Master Services Agreements (MSAs) must be amended to explicitly require the MSP to maintain the specific framework required by your business size (e.g., CIS Controls Group 1 for 20–99 employees).
  • Vendor Agreements: Contracts with third-party data processors (payroll, cloud storage) must include flow-down clauses ensuring they meet Sec. 542.004 standards.
  • Employment Agreements: Update employee handbooks to make non-compliance with password policies and training a disciplinary offense to demonstrate "maintenance" of the program.

Hiring/Training

  • Tier 1 (<20 Employees): Mandatory implementation of "appropriate" cybersecurity training for all staff.
  • Tier 2 & 3 (20+ Employees): IT leadership or external consultants must be certified or proficient in the specific required framework (CIS or NIST) to conduct valid gap analyses.

Reporting & Record-Keeping

  • Written Information Security Program (WISP): You must create a formal WISP document. An unwritten set of practices will not satisfy the court.
  • Audit Trails: You must retain logs of system updates, patch management, and employee training completion to prove the program was active at the time of a breach.
  • Standard Updates: You must track updates to your chosen standard (e.g., a new version of NIST). You are legally required to implement changes within one year of the update's publication.

Fees & Costs

  • No State Fees: There are no filing fees associated with this law.
  • Operational Costs: Budget for potential increases in MSP fees to meet stricter compliance levels and third-party audit costs to validate the framework.

Strategic Ambiguities & Considerations

  • "Appropriate" Training: For businesses with fewer than 20 employees, the statute requires "appropriate" training but does not define it. Until case law settles this, businesses should default to documented, test-based training modules rather than informal instruction.
  • Judicial Enforcement: Unlike regulatory compliance overseen by an agency, this standard is enforced by judges and juries. A jury will decide if your program was "compliant" enough to warrant the liability shield, making documentation your primary defense.
  • "Material Risk": The requirement to protect against "material risk" is subjective. Businesses should document their risk assessment process to justify why certain controls were (or were not) implemented.

Need Help Understanding Implementation?

Our government affairs experts can walk you through this bill's specific impact on your operations.

Schedule Consultation

Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.

02

Legislative Timeline

This bill's path through the Texas Legislature

Filed
Mar 13, 2025
Passed Senate
Apr 30, 2025
Passed House
May 28, 2025
Signed
Jun 20, 2025
TopicsBusiness & CommerceBusiness & Commerce--generalCivil Remedies & LiabilitiesElectronic Information SystemsProtection of Personal Information
03

Senate Authors

Sen. Cesar BlancoDemocrat · Primary Author
Coauthors (1)

House Sponsor

Rep. Giovanni CapriglioneRepublican · Primary Sponsor

Bill Text(with markup)

View bill text in multiple formats on Texas Legislature website

Fiscal NoteView Original

Related Legislation

Explore more bills from this author and on related topics

More from Sen. Cesar Blanco

View all bills by Sen. Cesar Blanco

Related by Topic

View more Business & Commerce legislation
Quick Reference

Frequently Asked Questions

Common questions about SB2610

Q

What does Texas SB2610 do?

SB 2610 establishes a statutory "Safe Harbor" protecting Texas businesses with fewer than 250 employees from exemplary (punitive) damages in data breach litigation, provided they adopt specific cybersecurity frameworks prior to a breach. This law effectively converts cybersecurity standards (NIST, CIS, ISO) from voluntary best practices into a necessary legal affirmative defense for liability management. Implementation Timeline Effective Date: September 1, 2025 Compliance Deadline: Q3 2025.

Q

Who authored SB2610?

SB2610 was authored by Texas Senator Cesar Blanco during the Regular Session.

Q

When was SB2610 signed into law?

SB2610 was signed into law by Governor Greg Abbott on June 20, 2025.

Q

How urgent is compliance with SB2610?

The compliance urgency for SB2610 is rated as "moderate". Businesses and organizations should review the requirements and timeline to ensure timely compliance.

Q

What is the cost impact of SB2610?

The cost impact of SB2610 is estimated as "medium". This may vary based on industry and implementation requirements.

Q

What topics does SB2610 address?

SB2610 addresses topics including business & commerce, business & commerce--general, civil remedies & liabilities, electronic information systems and protection of personal information.

Legislative data provided by LegiScanLast updated: November 25, 2025

Need Strategic Guidance on This Bill?

Need help with Government Relations, Lobbying, or compliance? JD Key Consulting has the expertise you're looking for.