As a reminder for all businesses with 250 or fewer employees and entities that own or license computerized data containing sensitive personal information, Texas Senate Bill 2610 establishes a cybersecurity safe harbor.
A qualifying business that implements and maintains a cybersecurity program conforming to recognized frameworks may avoid exemplary damages following a data breach.
Summary of Provisions:
1) Definitions (Sec. 542.001): Incorporates existing Texas definitions for “breach of system security” (Bus. & Com. Code §521.053), “exemplary damages” (CPRC §41.001), and “personal identifying” / “sensitive personal information” (Bus. & Com. Code §521.002).
2) Who Qualifies (Sec. 542.002)
- Texas business entities with fewer than 250 employees; and
- Entities that own or license computerized data containing sensitive personal information.
3) What the Law Does (Sec. 542.003 & Sec. 542.005)
- Creates a safe harbor: If, at the time of a breach, a qualifying business had implemented and maintained a cybersecurity program that meets Sec. 542.004, punitive (exemplary) damages may not be recovered in a civil action.
- Does not eliminate all liability: Compensatory damages, regulatory penalties, and other remedies under existing law may still apply.
- No new private right of action: The chapter does not create additional grounds for lawsuits or change existing statutory/common‑law duties.
4) Cybersecurity Program Requirements (Sec. 542.004(a) & (b)): A qualifying program must:
- Include administrative, technical, and physical safeguards.
- Be designed to protect data integrity and prevent unauthorized access or acquisition that could result in a material risk of identity theft or other fraud.
- Conform to an industry‑recognized framework, such as:
  - NIST Cybersecurity Framework — National Institute of Standards and Technology Cybersecurity Framework.
  - ISO/IEC 27000 series — International Organization for Standardization / International Electrotechnical Commission 27000‑series Information Security Standards.
  - CIS Controls — Center for Internet Security Critical Security Controls.
  - HITRUST CSF — Health Information Trust Alliance Common Security Framework.
  - FedRAMP — Federal Risk and Authorization Management Program.
  - PCI DSS (if applicable) — Payment Card Industry Data Security Standard.
  - HIPAA or GLBA (if applicable) — Health Insurance Portability and Accountability Act or Gramm‑Leach‑Bliley Act.
- Flexibility: May use a current version of, or any combination of current versions of, the listed frameworks (or similar industry frameworks).
5) Scaled Requirements by Business Size (Sec. 542.004(4)(A))
- Fewer than 20 employees: Simplified measures (e.g., password policies, appropriate employee training).
- 20–99 employees: Moderate measures, including CIS Controls Implementation Group 1.
- 100–249 employees: Full conformance with a recognized framework under Sec. 542.004(b).
6) Compliance Maintenance (Sec. 542.004(c))
- When a listed standard is updated, the program remains compliant if the business updates by:
  - the implementation date in the updated standard, or
  - the first anniversary of the update’s publication, whichever is later.
- Documentation is critical: Maintain policies, training records, risk assessments, incident response plans, and update/change logs to prove the program was implemented and maintained at the time of a breach.
Section 2 — Applicability to Causes of Action: The limitation on exemplary damages in Sec. 542.003 applies only to causes of action accruing on or after the effective date.
For additional information:
- Texas SB 2610 – Relating to a limitation on civil liability of business entities in connection with a breach of system security
- Texas Cybersecurity Framework
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.