In an age where data breaches have become alarmingly common and the consequences increasingly dire, the costs of a data breach for small or midsized businesses (SMBs) can be financially devastating. If you believe your business is too small to be of interest to cybercriminals, think again. According to the 2025 Verizon Data Breach Investigations Report, SMBs report almost four times the number of cybersecurity incidents compared with large organizations. The reality is, if your business systems store or process sensitive personal information and you’re involved in a cybersecurity incident, your company could be held responsible for significant damages. In a worst-case scenario, you may have to close your doors. The stakes have never been higher, and complacency is no longer an option.
If you’re an SMB doing business in Texas, there’s some good news. In June 2025, the state of Texas enacted SB2610, a cybersecurity “safe harbor” law designed to offer companies a shield against certain damages in a cyberbreach lawsuit. The protections are available to companies that have met the guidelines in the statute, provided the cause of action arises on or after its effective date of Sept. 1, 2025.
Understanding SB2610
SB2610 applies to SMBs in Texas that handle computerized data containing sensitive personal information. If your business can demonstrate compliance with SB2610 provisions at the time of a cybersecurity breach, the statute provides protection from claims for exemplary (punitive) damages in a civil action. Compliance can also benefit your business in other ways. In addition to limiting damages in a civil lawsuit, it can:
- Protect your reputation by improving awareness in your organization and strengthening your cybersecurity posture.
- Help you accomplish other cybersecurity goals in your business if stakeholders already require adoption of a framework such as PCI, SOC, HITRUST, etc.
- Provide cost reduction opportunities for your cybersecurity insurance.
To benefit from SB2610 protections, the statute requires your company to adopt a cybersecurity program that:
- Protects against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.
- Contains administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information.
- Depending on your company size, complies with an industry-recognized cybersecurity framework.
The detailed requirements are based on your company’s size, with the level of obligations scaling up with the number of employees in your business. If your business has:
- Fewer than 20 employees, basic requirements apply such as password policies and employee cybersecurity training.
- 20–99 employees, moderate requirements apply, including adherence to the Center for Internet Security (CIS) Controls Implementation Group 1.
- 100–249 employees, full compliance with a recognized cybersecurity framework listed in SB2610 is required. The statute names specific recognized frameworks for the law to apply. Some of the most commonly used frameworks include NIST, ISO/IEC 27001, HITRUST, PCI, and SOC 2.
If your company has 250 or more employees, the protections in SB2610 don’t apply.
Selecting a framework
If SB2610 requires your company to select a framework, there are several key factors to consider.
- Type of business: The type of your business will impact your choice of framework. For example, if you’re in the healthcare sector, you may be required to use a framework such as NIST CSF or SP 800, CIS, or HITRUST CSF to meet the requirements of the Health Insurance Portability and Accountability Act. If you process credit cards, you may be subject to the Payment Card Industry Data Security Standard (PCI DSS). These frameworks may be able to serve “double duty” to help comply with SB2610.
- Stakeholder preference: Stakeholders such as investors, board members, customers, insurers, or regulators might drive the selection of one framework over another.
- Cybersecurity insurance: Compliance with a framework that addresses risk factors your insurance provider deems important could improve your cybersecurity insurance rating and lead to discounts on your cybersecurity policy. Involve your insurance carrier early on to understand how various framework alternatives may impact your coverage.
- Cost: From a cost-benefit standard, certain frameworks may be more attractive than others. It’s important to select a framework that meets SB2610 requirements and your business goals at the most affordable price point.
Is certification necessary for your organization?
A subset of SB2610-conformant frameworks has a certification component. These frameworks are often used in situations where your organization needs to demonstrate trust and assurance to external stakeholders such as clients, partners, and regulators. In considering whether to adopt a certification, the first question to ask is whether a third party is demanding one. If so, the ISO/IEC 27001 and PCI DSS frameworks might be considered. If no formal certification is necessary but an attestation report is required, then SOC 2 with an audit conducted by a licensed CPA firm may be a good choice. In some circumstances, a certification can add considerable value to your business even if it’s not required. In this scenario, a more complex framework could be worth the additional expense if it opens up a new avenue of growth for your business.
Establishing compliance
To get the benefits of SB2610 protection, a suitable cybersecurity program is required. However, the statute is silent on the steps necessary to confirm compliance. Companies with an internal audit function may be tempted to do an internal self-assessment and “tick the box”; however, in light of the issues this could raise in a courtroom scenario, it’s recommended that you use an independent assessor to validate compliance with SB2610 requirements. Board members or other stakeholders such as your insurance company may also require some form of third-party assessment or external audit to establish compliance. If your cybersecurity program doesn’t require a formal audit, your advisors can help you design an audit-like framework that creates the necessary governance to establish compliance through an independent third-party assessment.
Get the help you need
There are many nuances to setting up a cybersecurity program. Doing it incorrectly could result in a loss of the legal protections offered by SB2610, a lost opportunity to achieve a dual-purpose goal for your business, or excessive costs to obtain a certification that may not be beneficial in your circumstances. Many SMBs lack the necessary expertise to create a cybersecurity program meeting the requirements of SB2610, making it essential to hire experienced advisors who understand your type of business and the cybersecurity landscape. A CPA firm brings the expertise needed to provide the assessment or audit services that may go along with your program. They’ll help you select a solution that satisfies SB2610 and your business objectives, “right-size” the types of controls needed to match your company with the criteria in your chosen framework, assess and document your compliance posture, and help your company prepare for any certification or attestation required. Choose wisely; the professionals you select can make or break your effort. The right combination of technical expertise and regulatory insight is necessary to ensure you receive proper guidance grounded in best practices and industry standards.
Weighing the benefits
If your company operates in Texas and has fewer than 250 employees, now’s the time to act. SB2610 is a call to action to rethink your approach to data security. Proactive risk management suited to your business type and size will be rewarded with legal protection, potentially lower cybersecurity insurance costs, and the satisfaction of present and future stakeholder demands. With the protections available in SB2610, the question isn’t whether you should invest in improving your cybersecurity standards — it’s whether you can afford not to.