
Understanding Texas's Cybersecurity Safe Harbor Law
Effective September 1, 2025 — Learn how this law protects organizations that adopt strong cybersecurity practices.

Texas Senate Bill 2610 is a new cybersecurity safe harbor law aimed at small and mid-sized businesses that handle personal or sensitive data. Many Texas businesses qualify as business entities under the law.
The law offers limited legal protection after a breach if organizations meet certain cybersecurity requirements. It's designed to reward proactive security measures and reduce legal risk for organizations that document and follow industry standards.
Effective date: September 1, 2025
If your organization has a documented cybersecurity program in place at the time of a breach, punitive damages are prohibited in related civil lawsuits.
Actual damages, compensatory awards, breach notification requirements, and regulatory penalties can still apply, but large punitive damage awards are avoided.
To be eligible for safe harbor protection under SB 2610, your organization must meet these criteria.
Your organization must employ fewer than 250 employees to qualify for safe harbor protection. (Most businesses meet this requirement.)
Your organization must own or license computerized data containing sensitive personal information. (This includes customer, client, or employee data.)
Yes! Texas businesses with employees who handle customer, client, or employee data often meet these criteria.
Your business operates in Texas
Fewer than 250 staff members
Stores personal information
To qualify for safe harbor protection, your organization must implement and maintain a documented cybersecurity program.
Policies, procedures, and governance for data protection
Security tools, encryption, access controls, and monitoring
Physical security measures to protect systems and data
Alignment with industry-standard cybersecurity frameworks
The requirements scale with your organization size, making compliance achievable for businesses of all sizes.
Basic Safeguards
Moderate Protections
Full Compliance
Your cybersecurity program must conform to a recognized framework. Accepted frameworks include:
Understanding the implications and opportunities of SB 2610 for Texas businesses and organizations.
No — SB 2610 doesn't mandate that businesses adopt a cybersecurity framework or meet specific controls. It doesn't impose fines or enforcement if you don't comply.
Without a qualifying cybersecurity program: a business that suffers a breach could still face punitive damages if sued.
With a qualifying cybersecurity program: the business may avoid punitive damages after a breach, which is a powerful incentive and protection.
So it's optional in form, but very strategic and protective in practice.

Rewards proactive security and reduces legal risk for organizations that document and follow industry standards.
Aligning with NIST or CIS Controls positions Texas businesses well for federal grants, partners, and institutional requirements.
Demonstrates to boards, donors, and grant providers that you take data protection and IT stewardship seriously.
Get clear answers about Texas cybersecurity safe harbor compliance, qualification requirements, and how to protect your business.
SB 2610 is a Texas cybersecurity safe harbor law that takes effect September 1, 2025. It provides legal protections to businesses that maintain a qualifying cybersecurity program. If your business suffers a data breach but has a documented security program in place, you are shielded from punitive damages in civil lawsuits. This makes proactive cybersecurity not just good practice — it becomes a legal safeguard for your organization.
Most Texas small and mid-sized businesses that handle personal or sensitive data qualify. This includes nonprofits, professional services firms, healthcare practices, financial advisors, real estate companies, and virtually any organization that stores customer or employee data. The key requirement is implementing and documenting a cybersecurity program that reasonably conforms to recognized standards such as NIST 800-171, CIS Controls, or ISO 27001.
SB 2610 does not mandate a single framework. It allows your program to conform to any recognized standard including NIST 800-171, CIS Critical Security Controls, ISO/IEC 27001, PCI DSS, or HIPAA Security Rules. The important factor is that your program is documented, actively maintained, and reasonably designed to protect the data you handle. Avert Network Services helps Texas businesses select and implement the right framework for their specific industry and risk profile.
Without a qualifying cybersecurity program in place at the time of a breach, your business loses safe harbor protection. This means plaintiffs can seek punitive damages in addition to actual and compensatory damages, significantly increasing your financial exposure. Regulatory penalties from the Texas Attorney General and breach notification costs also apply regardless of safe harbor status, making a documented program essential for risk management.
The law takes effect September 1, 2025, so businesses should begin preparation immediately. Building a documented cybersecurity program takes time — typically 60 to 90 days for a basic NIST 800-171 alignment. Starting early ensures your program is fully implemented and documented before the effective date, giving you complete protection from day one. Avert Network Services offers expedited assessment and implementation services for Texas businesses on tight timelines.
You need documented evidence of a formal cybersecurity program including written policies and procedures, risk assessments, security control implementations, employee training records, incident response plans, and regular audit documentation. The program must show that security measures were in place at the time of any breach. Avert Network Services creates comprehensive documentation packages that satisfy SB 2610 requirements and stand up to legal scrutiny.
No. SB 2610 safe harbor protection and cyber insurance serve different purposes. Safe harbor reduces your liability exposure in lawsuits by blocking punitive damages. Cyber insurance covers costs like breach response, forensics, customer notification, credit monitoring, and business interruption. Most Texas businesses should have both a qualifying cybersecurity program for safe harbor protection and a robust cyber insurance policy for financial recovery after an incident.
Avert Network Services provides end-to-end SB 2610 readiness services for Texas businesses. We start with a comprehensive cybersecurity assessment against NIST 800-171 or your chosen framework, identify gaps, implement required controls, create all necessary documentation, train your staff, and establish ongoing monitoring. Our managed security services ensure your program stays current and compliant long after the initial implementation, giving you continuous safe harbor protection.