Texas SB 2610: The Safe Harbor Most Texas Businesses Don't Know They Qualify For
Texas SB 2610 created a cybersecurity safe harbor defense against lawsuits for Texas businesses that implement recognized frameworks like NIST 800-53, HITRUST CSF, ISO 27001, or the Texas Cybersecurity Framework. Most Texas small-and-mid-size businesses have never heard of it. Here's how it works, what qualifies, and the documentation trail you need to actually invoke the defense in court.
Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.
What Texas lawmakers did for your breach defense
You can tell how much experience someone has with this by whether they treat the control as binary. It isn't.
In 2023, Texas enacted Senate Bill 2610, which took effect September 1, 2025. The short version: if your Texas business implements a recognized cybersecurity framework and suffers a data breach, you get an affirmative defense in civil lawsuits arising from the breach.
That's a big deal. Here's why it matters: in virtually every state, a data breach at your business triggers the possibility of class-action lawsuits by affected individuals, often under negligence theories. Texas businesses can now point to their cybersecurity framework compliance and say, "we implemented reasonable security. The plaintiffs have to prove we didn't."
The practical effect is cheaper and faster resolution of breach lawsuits, lower insurance premiums for businesses that qualify, and, critically, clearer guidance on what "reasonable security" means under Texas law.
Most Texas businesses that would qualify have no idea this law exists.
This post explains exactly how the safe harbor works, which frameworks qualify, what documentation you need, and the practical steps to position your business to invoke the defense if you're ever sued after a breach.
The core mechanism
The essential language of SB 2610, in plain English:
A covered entity (meaning: most Texas businesses that handle personal information) that:
- Implements a recognized cybersecurity framework,
- Maintains reasonable and appropriate administrative, technical, and physical safeguards,
- Can demonstrate that its program is scaled appropriately to the size and type of business,
...receives an affirmative defense against Texas civil actions for damages based on a breach of system security, including class actions.
The defense is affirmative, meaning the defendant (your business) raises it as a defense after being sued. It's not automatic protection from being sued at all. It's a defense that, if properly supported with documentation, can result in the case being dismissed at summary judgment or reduced in damages.
Which frameworks qualify
SB 2610 explicitly recognizes several frameworks as qualifying:
1. NIST Cybersecurity Framework (including the updated CSF 2.0 released February 2024)
2. NIST Special Publication 800-171 (primarily applicable to federal contractors handling Controlled Unclassified Information)
3. NIST Special Publication 800-53 (the baseline for federal systems, used as the foundation for most other frameworks)
4. FedRAMP (Federal Risk and Authorization Management Program)
5. Center for Internet Security (CIS) Critical Security Controls (v8 is current, comprehensive for SMBs)
6. HITRUST Common Security Framework (CSF) (particularly relevant for healthcare organizations)
7. ISO/IEC 27001 (the international information security management standard)
8. The Service Organization Control 2 (SOC 2) Type 2 examinations (with some qualifications around scope)
9. Texas Cybersecurity Framework (TCSF, administered by the Texas Department of Information Resources)
10. Texas Risk and Authorization Management Program (TX-RAMP) (for cloud services working with Texas state government)
11. Payment Card Industry Data Security Standard (PCI DSS) (for organizations that handle payment card data, PCI compliance counts)
12. HIPAA Security Rule (for HIPAA-regulated organizations, demonstrating HIPAA compliance qualifies)
The list is broad by design. Most Texas businesses handling personal information are already working toward, or already compliant with, at least one of these frameworks, whether they realized it or not.
What "scaled appropriately" means
SB 2610 scales the framework-compliance expectation to the size of the business. The statute recognizes tiers:
Large covered entities (250+ employees or > $25M annual revenue): expected to implement comprehensive framework controls at a mature level. Annual third-party penetration testing, formal risk assessments, dedicated security staff, incident response plans.
Mid-size covered entities (50-249 employees or $5M-$25M revenue): expected to implement framework controls at a reasonable level. Third-party penetration testing at least every two years, documented risk assessments, some dedicated security coverage (internal or outsourced).
Small covered entities (< 50 employees or < $5M revenue): expected to implement framework controls at a basic level. Documented information security program, reasonable technical controls (MFA, endpoint protection, patching), basic employee training. Penetration testing is recommended but not mandatory at this tier.
Very small covered entities (< 20 employees, < $1M revenue): minimum expectations still include written policies, technical baseline controls, and reasonable vendor management.
The "appropriate scaling" language is important because it means a 15-person business doesn't need a Fortune 500-scale security program to qualify. A small business that implements the CIS Critical Security Controls Implementation Group 1 (IG1, the baseline tier designed for small orgs) can legitimately claim compliance with a recognized framework.
The documentation trail
The safe harbor requires demonstrable compliance. Not a statement that you implement a framework, but documentation that proves it. The documents a Texas court (or your litigation counsel) will want to see:
1. Written Information Security Program (WISP) or equivalent.
A formal document describing your cybersecurity program. Must reference the specific framework you're aligned with. Must be reviewed and updated at least annually. Must be dated and version-controlled.
2. Risk assessment documentation.
Periodic assessments of cybersecurity risks to your organization. NIST-aligned risk assessments, HIPAA §164.308(a)(1) risk analyses, or ISO 27001 risk treatment documents all work.
3. Control implementation evidence.
For each framework control, documentation of how you implement it. Screenshots of MFA configuration, EDR deployment reports, patching logs, training completion records, etc.
4. Policies and procedures.
Data classification policy, access control policy, incident response plan, acceptable use policy, vendor management policy, data retention/destruction policy, at a minimum.
5. Training records.
Employee cybersecurity awareness training completion records. Usually annual.
6. Vendor/third-party risk management.
Evidence that you assess and manage vendor risks. SIG questionnaires, SOC 2 reports from your vendors, contract security clauses, vendor review cadence.
7. Penetration testing / vulnerability assessment reports.
For mid- and large-sized businesses, third-party testing reports. Should be independent (not done by the same team that runs your IT).
8. Incident response documentation.
An incident response plan plus evidence you've tested it. Tabletop exercises, simulated-incident drills, after-action reports from any real incidents.
9. Audit / assessment evidence.
If you've had a third party assess your framework compliance (SOC 2 audit, HITRUST assessment, ISO 27001 certification), the assessor's reports.
10. Changes and improvements log.
Records of security program updates over time. Shows ongoing engagement vs. a one-time compliance exercise.
Common pitfalls
In the year since SB 2610 took effect (September 2025), patterns have emerged in what blocks Texas businesses from successfully invoking the defense:
Pitfall 1: framework claim without documentation
A business claims to be "NIST aligned" but has no written security program, no risk assessments, no control evidence. Courts won't accept a bare claim. The safe harbor requires demonstrable compliance.
Pitfall 2: stale documentation
Your WISP was written in 2021. You haven't touched it since. The breach happens in 2026. That's not a current cybersecurity program.
Fix: annual review, dated updates, version control.
Pitfall 3: implementation gap
Your documentation says you do annual risk assessments. Your practice is that you did one once four years ago. If plaintiffs' counsel deposes your team and finds the gap, the defense collapses.
Fix: document what you do, not what you aspire to. If the gap between policy and practice is large, narrow the policy until it matches practice, then expand practice over time.
Pitfall 4: scaling claim that doesn't match reality
A 200-employee business claims "small entity" scaling to avoid the pentest requirement. Plaintiffs' counsel will easily establish the real size. The court will reject the scaling argument.
Fix: honestly categorize your business size and meet the expectations of that tier.
Pitfall 5: the framework you picked doesn't apply to your business
Claiming HITRUST CSF alignment for a business that doesn't handle healthcare information is both unconvincing and unnecessarily complex. Match the framework to your business type:
- E-commerce: PCI DSS + CIS Controls
- Professional services: NIST CSF + CIS Controls
- Healthcare: HIPAA + HITRUST CSF
- SaaS / technology: SOC 2 + NIST CSF
- Federal contractor: NIST 800-171
- Cloud provider to Texas state government: TX-RAMP
- Generic small business: CIS Controls IG1
Pitfall 6: incident response gap
You have a framework. You have documentation. You experience a breach. Your response is chaotic, notifications go out late, regulators get upset, plaintiffs file. A bad incident response can undercut even strong pre-breach documentation.
Fix: tabletop-tested incident response plan. Run the drill annually.
The enforcement landscape
Texas SB 2610 is enforced primarily through civil litigation. Plaintiffs sue your business after a breach, and the affirmative defense is raised in court. The Texas Attorney General can also bring actions under Texas data breach statutes, and SB 2610 compliance affects those as well.
Additional Texas-specific context:
Texas AG cybersecurity enforcement. The Texas Attorney General's office has been aggressive on data privacy enforcement, including:
- $1.375 billion settlement with Google (October 2024) for biometric and privacy violations
- $1.4 billion settlement with Meta (2024) for facial recognition data collection
- Ongoing investigations into multiple healthcare breach notifications
Demonstrable SB 2610 compliance can't protect you from all Texas AG actions (regulatory enforcement isn't the same as private civil litigation). But it substantially improves your posture.
Texas Data Privacy and Security Act (TDPSA). Effective July 2024. Provides individual rights around personal data, requires reasonable security, creates a 30-day cure period for violations. SB 2610 compliance reduces TDPSA liability exposure in tandem.
Class action trends. Texas breach class actions have accelerated in 2024-2026. Plaintiff firms have gotten better at scaling litigation across multiple victims. Large breaches routinely generate multiple class actions. Each one has a significant defense cost regardless of outcome.
SB 2610's practical value: faster dismissal motions, reduced settlement amounts, lower overall breach cost.
How to position your business
A staged approach, scaled to business size:
Small business (< 50 employees)
Quarter 1:
- Implement MFA everywhere (starting with email, cloud providers, admin accounts)
- Deploy reputable endpoint protection (CrowdStrike, SentinelOne, Microsoft Defender for Business at minimum)
- Enable automatic OS patching
- Document existing security practices as a Written Information Security Program (WISP)
- Annual employee security awareness training
Quarter 2:
- Adopt CIS Critical Security Controls IG1 as your framework
- Formal risk assessment (internal or lightweight third-party)
- Incident response plan (written, with contact tree)
- Vendor management policy
Quarter 3:
- Tabletop incident response exercise
- Review and update WISP
- First vulnerability assessment (internal or light third-party)
Quarter 4:
- Penetration test (light-scope, third-party)
- Annual review and sign-off
Estimated cost: $5K-$15K for the first year, plus existing tooling. Most of the work is documentation of what you already do.
Mid-size business (50-249 employees)
All of the small-business recommendations, plus:
- Framework alignment: NIST CSF or SOC 2 Type 2
- Dedicated security leadership (CISO, vCISO, or security-responsible IT lead)
- Annual third-party penetration test
- Formal vendor risk management program with annual vendor assessments
- MDR/XDR service (managed detection and response) if you don't have 24/7 SOC coverage
- Bi-annual risk assessment with documented remediation tracking
Estimated cost: $40K-$150K for the first year including tooling + assessments + training.
Large business (250+ employees)
Full NIST 800-53 or ISO 27001 alignment, with:
- SOC 2 Type 2 examination
- Dedicated security team
- Continuous monitoring
- Formal incident response retainer with an IR firm
- Annual penetration testing plus quarterly vulnerability scanning
- Annual tabletop exercises at executive level
- Formal board-level cybersecurity governance
Estimated cost: $250K-$2M annually depending on complexity.
Documentation tooling
Getting the evidence trail right is the practical challenge. Useful tools:
- Policy templates: SANS Policy Templates, SANS AUP templates, HHS HIPAA policy templates, CIS Controls policy guide
- GRC platforms: Vanta, Drata, Secureframe, Hyperproof for SOC 2 / ISO 27001 automation
- Risk assessment tools: NIST RMF guidance, HITRUST MyCSF, CISA Cyber Resilience Review
- Evidence collection: Secureframe and Vanta automate evidence collection from AWS, GCP, Azure, Okta, Google Workspace, M365
- Audit trail: a formal document management system (SharePoint, Google Workspace with permissions, Notion with version control)
What happens when you're sued
The typical sequence, if your business is sued after a breach:
- Plaintiffs file class action
- Your counsel answers, raising SB 2610 affirmative defense among others
- Discovery begins. Plaintiffs request documentation of your security program
- You produce the WISP, risk assessments, penetration test reports, training records, etc.
- Plaintiffs depose your security-responsible individual
- Either:
  - Settlement. Most breach class actions settle. Your SB 2610 documentation significantly reduces the settlement amount.
  - Trial. Rare, but if the case goes to trial, the jury instruction includes the SB 2610 defense.
In 2025-2026, multiple Texas breach class actions have been dismissed at summary judgment specifically based on SB 2610 safe harbor defenses. The law works when supported by real documentation.
For Valtik clients in Texas
If you run a Texas-based business that handles customer or employee personal information, SB 2610 compliance is one of the highest-ROI risk-reduction moves available. The cost of framework alignment is measured in thousands to low-hundreds-of-thousands of dollars depending on size. The cost of a breach class action is typically measured in millions.
Valtik's Texas engagements include:
- Framework selection and gap analysis (determining what your business needs)
- WISP development (the foundational documentation)
- Risk assessment (NIST-aligned or framework-specific)
- Penetration testing scoped to SB 2610 documentation requirements
- Vendor risk management program setup
- Annual review and refresh
If you're running operations in DFW, Houston, Austin, San Antonio, or anywhere else in Texas, reach out via https://valtikstudios.com to discuss how we can position your business to qualify for the safe harbor defense if you ever need it.
Sources
- Texas Senate Bill 2610 (Texas Legislature)
- Texas Cybersecurity Framework (Texas Department of Information Resources)
- NIST Cybersecurity Framework 2.0
- NIST SP 800-53 Rev 5
- CIS Critical Security Controls v8
- HITRUST CSF
- Texas Data Privacy and Security Act
- Texas Attorney General Cybersecurity Enforcement Actions
- ISO/IEC 27001:2022
- FedRAMP Documentation