Secure Controls Framework
Download The SCF
Start Here
Free Content
GRC Fundamentals
SCF Certified
Marketplace
Home
Blog
Texas SB 2610 - America's New Safe Harbor Law

Texas SB 2610 - America's New Safe Harbor Law

Safe Harbor,SB2610,Texas Cybersecurity Law,Texas SB2610
SCF Council
November 24, 2025

Texas SB 2610 is a state law that goes into effect on September 1, 2025. This new law creates a legal “safe harbor” for certain Small and Medium Businesses (SMBs) in Texas, where it offers legal protection for those SMBs that suffer a data breach. However, those businesses must be able to demonstrate they have taken reasonable cybersecurity actions beforehand to benefit from the protections the law offers.

This law is applicable to SMBs that:

  • Have fewer than 250 employees; and
  • Own or license computerized data containing sensitive personal information (e.g., Social Security Numbers (SSN), financial data, health records, etc.)

Texas SB 2610 Cybersecurity Requirements

The cybersecurity requirements in Texas SB 2610 include these four (4) points:

  1. Contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Section 542.004(1));
  2. Protect the security of personal identifying information and sensitive personal information (Section 542.004(3)(a));
  3. Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information (Section 542.003(4)(b)); and
  4. Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Section 542.004(3)(c)).

SB2610 Protections Are A Double Edged Sword

Not only is Texas SB2610 a safe harbor to protect businesses from lawsuits, it creates a hard set of requirements that will determine the threshold for negligence. This is a “double edged sword” from the perspective that it protects businesses doing the right thing, but can also be used to easily demonstrate negligence if a business fails to implement reasonable practices.

This strikes at the heart of the question, "What are reasonable practices?" that are necessary to demonstrate conformity with this law?

Reasonable Cybersecurity Practices - Defined Frameworks

Texas SMBs seeking SB 2610 protections must conform to at least one (1) of these recognized cybersecurity standards:

Join 25,000+ GRC Professionals

Get the latest SCF updates, cybersecurity insights, and community news delivered to your inbox. You know you want to do it!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Controls are your security, compliance & resilience program - A control is the power to influence or direct behaviors and the course of events.

DOWNLOAD THE SCF

Start Here

What Is The SCF?How To Implement (SCRMS)Domains & PrinciplesLaws & Frameworks (LRF)Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations

Free Content

SCF DownloadRisk Management (SCR-RMM)Maturity Model (SCR-CMM)Assessment Standards (CDPAS)Mergers & Acquisitions (MA&D)Privacy Principles (DPMP)Evidence Request List (ERL)Scoping Guide (USG)

Resources

GRC FundamentalsSCF CertifiedMarketplaceFAQAboutBlogSwag - SCF Branded Gear

Support

DonateVolunteer

© 2026 Secure Controls Framework Council, LLC. All rights reserved.

Terms & ConditionsPrivacyCookiesSitemap