
Texas Senate Bill 2610

  • Writer: Tommy Wald
  • Sep 15, 2025

Small business owners need to know this…


 

Starting September 1, 2025, Texas Senate Bill 2610 (SB 2610) takes effect, creating new requirements — and protections — for small businesses that experience a data breach.


The measure creates a legal safe harbor that protects small businesses from punitive damages if they become victims of a data breach, provided they have adopted an industry-recognized cybersecurity framework. The bill encourages Main Street businesses to invest in cybersecurity while reducing their legal exposure.

 

Here’s a simple checklist to make sure you’re covered.

 

1. Confirm Your Business Is Covered.

 

SB 2610 applies to businesses in Texas that:


  • Have fewer than 250 employees, and

  • Collect, store, or manage personal information (such as Social Security numbers, driver’s licenses, financial data, or health records).

 

--> If you store employee, customer, or patient data, this likely applies to you.

 

--> There are 3 different levels of mandates, depending on the size of the company. Download this checklist from RIATA that provides an overview of requirements for fewer than 20, 20-99, and 100-249 employees.

 

2. Establish a Documented Cybersecurity Program.

 

Your program must include:


  • Administrative safeguards (policies, employee training).

  • Technical safeguards (firewalls, antivirus, encryption).

  • Physical safeguards (secured devices, controlled access).

 


The program should be written down, reviewed regularly, and kept current.

 

3. Align With a Recognized Cybersecurity Framework

 

To qualify for safe harbor, your program should follow an accepted framework, such as:

 

  • NIST Cybersecurity Framework

  • ISO/IEC 27000 Series

  • SOC 2

  • CIS Critical Security Controls

  • HIPAA, PCI DSS, GLBA, or other industry-specific standards

 

Frameworks must be updated as new versions are published.

 

4. Train Employees Regularly

 

Even the best security program fails if employees don’t follow it.

  • Conduct annual training on phishing, password security, and data handling

  • Document attendance and participation

  • Reinforce policies through ongoing reminders

 

5. Review and Test Your Safeguards

 

  • Schedule annual risk assessments.

  • Test backups and recovery plans.

  • Update controls as your business grows or as frameworks change.

 

Being able to prove you’ve maintained these protections is what ensures SB 2610’s safe harbor applies.

 

The Bottom Line

SB 2610 came into law on September 1, 2025. Businesses that prepare now will be in the best position to protect themselves legally and financially if a data breach occurs.

 

If you’re not sure whether your cybersecurity program qualifies for avoiding lawsuits and penalties — or if you don’t have one in place — now is the time to act.

 

At RIATA Technologies, we help small businesses:

  • Assess their current cybersecurity readiness.

  • Build framework-aligned programs.

  • Deliver ongoing training and compliance support.

 

At RIATA Technologies, we help Texas businesses assess their current cybersecurity posture, implement the right protections, and stay compliant with laws like SB 2610.

 

* * * * *

Contact RIATA today to schedule a cybersecurity review and make sure your business qualifies for safe harbor in the event of a cyber-attack.

 

About the Author: Tommy Wald is the CEO of RIATA Technologies, a Managed IT Services Provider headquartered in Austin, TX. He can be reached at TWald@RiataTechnologies.com or (737) 249-9697.


