Bill > SB2610

This bill establishes a cybersecurity safe harbor for small businesses in Texas with fewer than 250 employees that own or license computerized data containing sensitive personal information. The bill provides that if a business implements and maintains a comprehensive cybersecurity program that meets specific requirements, it cannot be liable for exemplary (punitive) damages in the event of a system security breach. The cybersecurity program must include administrative, technical, and physical safeguards that protect personal identifying information, conform to recognized industry cybersecurity frameworks (such as NIST, ISO, or Payment Card Industry standards), and be scaled according to the business's size. For businesses with fewer than 20 employees, the requirements are simplified and focus on password policies and employee training, while larger businesses must meet more comprehensive standards. Importantly, the bill explicitly states that it does not create a private cause of action or change existing legal duties. The provisions will apply to causes of action that accrue on or after September 1, 2025, providing small businesses with a clear incentive to develop robust cybersecurity protocols to limit potential legal liability.

Business and Industry, Government Affairs

https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=SB2610