By Tom Cloud, Founder, 48 Technologies. Published May 14, 2026.
In September 2025, a new Texas cybersecurity law took effect that quietly gave every small business in the state a legal shield against the worst kind of breach lawsuit. Eight months later, almost no DFW SMB owner I talk to has heard of it.
The law is Texas SB 2610, and if you run a business in Texas with fewer than 250 employees, you should know three things about it: what it does, what it doesn’t do, and what you need to put in place to qualify.
What SB 2610 actually does
SB 2610 is a safe harbor law. It says that if your business has implemented and maintains a documented cybersecurity program that conforms to a recognized framework — and you still get breached — you cannot be hit with punitive damages in the resulting civil lawsuit.
That’s a meaningful protection. In data breach litigation, punitive damages are the multiplier that turns a $200,000 case into a $2 million case. They’re the open-ended liability that scares insurance carriers and forces settlements. SB 2610 caps your downside.
Texas is the fifth state with this kind of law, after Connecticut, Iowa, Ohio, and Utah.
What SB 2610 does not do
This part matters. SB 2610 does not protect you from:
- Compensatory damages — the actual financial losses of breach victims
- Regulatory enforcement — the Texas Attorney General can still fine you under the Deceptive Trade Practices Act ($50,000 per violation)
- Class actions for compensatory relief
- The breach itself — it’s a legal posture, not a security control
It’s a shield against the worst outcome, not all bad outcomes. You still need actual cybersecurity. SB 2610 just makes sure that if you have it and a breach happens anyway, the lawsuit can’t turn into a company-killer.
Who qualifies, and what you have to do
SB 2610 applies to Texas businesses with fewer than 250 employees that handle sensitive personal information — Social Security numbers, driver’s license data, health records, financial account information. That covers virtually every Dallas SMB.
The requirements scale with size:
Under 20 employees: Basic measures — password policies, employee security awareness training.
20–99 employees: Implement the CIS Critical Security Controls Implementation Group 1 (IG1) — about 20 foundational practices including asset inventory, secure configurations, malware defenses, access controls, and basic incident response. Most well-run MSPs deploy IG1 by default.
100–249 employees: Implement a cybersecurity program aligned with at least one recognized framework. The statute names: NIST Cybersecurity Framework, NIST SP 800-53, ISO/IEC 27001, CIS Critical Security Controls, SOC 2 Trust Services Criteria, Secure Controls Framework, or industry-specific frameworks like HIPAA, GLBA, or PCI DSS where applicable.
The point isn’t which framework you pick. The point is that you’ve picked one, you’ve implemented it, and you can prove both in court.
The breach notification clock most SMBs don’t know about
This is worth pairing with SB 2610, because most Texas SMB owners don’t know this either: Texas already has a breach notification statute on the books (Business & Commerce Code §521.053). If you have a breach affecting Texas residents, you must:
- Notify affected individuals within 60 days of discovering the breach
- Notify the Texas Attorney General within 30 days if the breach affects 250 or more Texas residents
Penalties under the Deceptive Trade Practices Act run up to $50,000 per violation. The clock starts when you discover the breach — not when you decide what to do about it. Most SMBs that mishandle this fail because they delay reporting while they investigate. The statute doesn’t give you that grace.
What to do this week
If you’re a DFW small business with fewer than 250 employees, here’s the order of operations:
- Figure out which tier you fall into. Under 20, 20–99, or 100–249 employees.
- Document what you already have. Most SMBs already deploy more cybersecurity than they realize — EDR, MFA, backups, basic patching, password policies. You don’t always need to start from zero; you may need to formalize what’s there.
- Pick a framework if you’re in the 100+ tier. NIST CSF is the most practical default for a Dallas SMB. ISO 27001 is the most rigorous. CIS Controls is the simplest to operationalize.
- Get your incident response plan in writing. Not a binder. A real one-page document that names who calls the lawyer, who notifies the AG, who notifies customers, in what order, on what clock.
- Make sure your MSP or IT team can attest in writing that your program meets the SB 2610 requirements for your tier. In a lawsuit, that attestation is your shield.
Want to know if your current cybersecurity program qualifies for SB 2610 safe harbor? 48 Technologies offers a free 30-minute SB 2610 Compliance Check for DFW small and mid-sized businesses. We’ll review what you have against the statute’s requirements for your tier and produce a 1-page memo showing whether you’d qualify, and what’s missing if not. No cost. No obligation. No pitch.
The bottom line
Texas SB 2610 is one of the most consequential pieces of cybersecurity legislation for small businesses in the country, and you’ve probably never heard of it. It doesn’t stop you from being breached. It doesn’t immunize you from real damages. But it caps the legal downside of a breach in a way that, until 2025, Texas SMBs simply didn’t have.
The catch is that the protection isn’t automatic. You have to actually implement the controls, document the program, and be ready to prove it. For most DFW SMBs, that’s a week of work with a competent MSP — not a transformation project.
It’s also worth doing before something goes wrong, not after.
Tom Cloud is the founder of 48 Technologies, a Dallas-based managed IT and cybersecurity firm serving small and mid-sized businesses across DFW.