Texas SB 2610 gives under-250-employee businesses an affirmative defense against punitive breach damages, but only if your security program is documented before the breach. Here is what to deploy.
If you run a Texas business with fewer than 250 employees, there is a law on the books right now that can cap the most dangerous part of a data-breach lawsuit, and odds are you have never heard of it. It is called Senate Bill 2610, the Texas cybersecurity safe harbor. It took effect September 1, 2025, which means 2026 is the first full year it governs breach litigation in this state. Most law-firm explainers treat it as an abstract compliance footnote. From the seat of a Houston MSP that actually builds the tiered controls the statute requires, here is the version that matters: what it protects, what it absolutely does not, and the one thing owners get wrong that quietly destroys the whole defense.
SB 2610 does not make your business immune from getting sued after a breach. It does not stop the lawsuit, the headlines, or the breach-notification bill. What it does is create an affirmative defense against exemplary damages, which is the Texas legal term for punitive damages.
That single word, exemplary, is load-bearing. In a breach lawsuit, actual damages compensate the plaintiff for real harm. Exemplary damages are the extra, punishment-driven money a jury can pile on when it decides a defendant was reckless. They are the part of a verdict that turns a manageable loss into a business-ending one, because they are unpredictable, emotionally charged, and not capped by the underlying loss. SB 2610 lets you take that lever out of the jury's hands.
The mechanism is simple in concept: if your business had a qualifying cybersecurity program in place and documented before the breach, you can raise SB 2610 as an affirmative defense to shut down a claim for exemplary damages. You earn the protection in advance by building and maintaining a reasonable program. You do not get it by reacting after the fact. That structure is the entire design of the law, and it is also where most businesses will fail to benefit.
This is not a theoretical risk you can park for next year. The Texas threat and enforcement environment is hot right now.
In June 2026, a third-party vendor breach tied to the Texas Parks and Wildlife Department exposed sensitive data, including driver's license and passport numbers, for roughly 3 million Texans. Read that again: the exposure came through a vendor, not the primary organization's own walls. If a state agency can get burned through its supply chain, your business can too, and your customers' data is just as litigable.
At the same time, Texas Attorney General Ken Paxton has been aggressive on breach enforcement, including issuing civil investigative demands to large organizations such as Blue Cross Blue Shield of Texas and Conduent over a breach that exposed the data of roughly four million Texans. The AG's office is treating breaches as enforcement events, not paperwork. And here is the nuance owners miss: SB 2610 does nothing to shield you from AG regulatory action or fines. It addresses civil exemplary damages only. So you are facing two separate fronts at once, and SB 2610 helps with exactly one of them.
The practical takeaway: the lawsuits and the regulator are both already in motion. The safe harbor is the one piece of this you can lock in proactively, on your own timeline, before anything goes wrong.
SB 2610 is written specifically for small and mid-sized businesses, and it scales the requirements to your size. There are three tiers, set by employee headcount, each walked through below.
One eligibility caveat worth stating plainly: the law applies to Texas businesses under 250 employees that own or license computerized data containing sensitive personal information — Social Security numbers, driver's license numbers, financial account details, or health data. If you hold customer or employee records like that, and almost every business does, you are squarely in scope.
The logic is fair: a 12-person accounting firm should not be held to the same control set as a 200-person manufacturer. But "lighter" does not mean "optional." Each tier has a defined floor, and your program has to be reasonably designed, implemented, maintained, and documented to clear it. Businesses with 250 or more employees fall outside this SMB safe harbor framework entirely and should be looking at full enterprise-grade frameworks regardless.
Here is the part the legal explainers gloss over, translated into what you actually deploy.
Fewer than 20 employees. You need a documented password policy plus security awareness training. That sounds modest, but "documented" is doing heavy lifting. A written password policy means an actual policy your people follow, ideally enforced through a password manager and multi-factor authentication, with dated records. Security awareness training means a real, recurring program with completion records, not a one-time hallway conversation. The goal is to prove, with paper, that the basics were genuinely in place.
20 to 99 employees. You need to implement CIS Controls Implementation Group 1 (IG1), the foundational baseline CIS defines as essential cyber hygiene — currently 56 safeguards covering inventory, access control, data protection, malware defense, logging, and more. IG1 is achievable for a mid-sized Texas business without an enterprise budget. We walk through exactly what IG1 includes and how to roll it out in our guide to CIS Controls Implementation Groups for Texas SMBs.
100 to 249 employees. You need a full recognized framework, such as NIST CSF, NIST SP 800-171, ISO/IEC 27001, or SOC 2 (the statute lists several qualifying options). This is a meaningfully bigger lift involving formal risk management, documented controls, and ongoing governance. If you are in this tier, start with our NIST CSF 2.0 implementation roadmap, which lays out a phased path that maps cleanly to the SB 2610 requirement.
Whichever tier you are in, the operative standard is the same: the program must be reasonable, kept current, and provable on the date of the breach. A framework you adopted on paper but let rot does not qualify.
This is the single most important sentence in this entire post, so I am going to be blunt about it. SB 2610 only protects you if your qualifying program existed and was documented before the breach occurred. You cannot bolt it on afterward.
Picture the timeline. A breach hits. You get sued. Your lawyer wants to raise the SB 2610 affirmative defense. To do that, you have to produce evidence that the program was in place on the date of the incident: dated policies, training completion records, control attestations, configuration evidence, audit artifacts. If your "program" was a flurry of activity after the breach scare, you have nothing to point to, and the defense collapses.
This is exactly why documentation matters as much as the controls themselves. Two businesses can run identical security stacks, and the one with the dated paper trail keeps the protection while the one without it loses it. The defense is built on evidence, and evidence has to be created before, not after. Standing up the program and the documentation now, while nothing is on fire, is the whole point of the law.
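One way to make that paper trail checkable rather than just a folder of files is to record each artifact's hash and effective date in a chained manifest, then ask the manifest whether every artifact type your tier requires existed on or before a given incident date. The script below is an added example; it is not LayerLogix tooling, and nothing in SB 2610 prescribes a format or this approach. The artifact names, dates, contents and the under-20 tier mapping are constructed for illustration.

```python
"""Dated, tamper-evident evidence manifest for a pre-incident security program.

Added example (not from the original post, LayerLogix, or the statute).
Idea: hash each artifact, record its effective date, chain the records so a
later edit or back-dating breaks the chain, and then check which required
artifact types were present on or before an incident date.
"""
import hashlib
import json
from datetime import date

# Constructed sample artifacts for a <20-employee program:
# (artifact_type, effective_date, content). Real content would be the policy
# PDF bytes, an LMS export, an MFA configuration screenshot, etc.
SAMPLE_ARTIFACTS = [
    ("password_policy", "2025-10-01",
     b"Password Policy v1.2: 14-char minimum, manager-generated, MFA required"),
    ("training_record", "2025-11-15",
     b"user=alice@example.com,module=phishing-basics,completed=2025-11-15"),
    ("training_record", "2026-02-03",
     b"user=bob@example.com,module=phishing-basics,completed=2026-02-03"),
    ("mfa_attestation", "2026-01-10",
     b"Tenant attestation: MFA enforced for all users via conditional access"),
]

# Hypothetical mapping of the smallest tier to artifact types (assumption,
# not statutory text): a documented password policy plus training records.
REQUIRED_BY_TIER = {
    "under_20": {"password_policy", "training_record"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts):
    """Return a list of records. Each record hashes its own fields plus the
    previous record's hash, so inserting, removing or re-dating an entry
    changes every hash that follows it."""
    records = []
    prev = "0" * 64
    for artifact_type, effective, content in artifacts:
        rec = {
            "type": artifact_type,
            "effective_date": effective,
            "content_sha256": sha256_hex(content),
            "prev": prev,
        }
        rec["record_hash"] = sha256_hex(json.dumps(rec, sort_keys=True).encode())
        records.append(rec)
        prev = rec["record_hash"]
    return records


def verify_manifest(records) -> bool:
    """Recompute the chain from the genesis value; any edited field fails."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body.get("prev") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec.get("record_hash"):
            return False
        prev = rec["record_hash"]
    return True


def missing_before(records, incident_date: str, required):
    """Return the required artifact types that have NO record dated on or
    before incident_date. An empty set means the program is provable for
    that date; anything returned is a gap the defense would stumble on."""
    cutoff = date.fromisoformat(incident_date)
    present = {
        r["type"] for r in records
        if date.fromisoformat(r["effective_date"]) <= cutoff
    }
    return set(required) - present


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    print("chain intact:", verify_manifest(manifest))
    for when in ("2025-09-01", "2025-10-15", "2026-03-01"):
        gaps = missing_before(manifest, when, REQUIRED_BY_TIER["under_20"])
        print(f"incident on {when}: missing={sorted(gaps) or 'none'}")
```

The chain only proves the manifest is internally consistent; it does not by itself prove to a court when the manifest was created. To get that, anchor each manifest's last `record_hash` somewhere you do not control and that is dated independently, for example by sending it to your attorney or a trusted timestamping service on a recurring schedule, so the dates in the records can be corroborated after the fact.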
It is just as important to be honest about the limits, because owners who overestimate this law will under-invest everywhere else. SB 2610 does not protect you from:
Think of it as a liability ceiling you earn in advance on the most explosive, jury-driven slice of the risk, not a force field. That is precisely why a qualifying SB 2610 program should sit alongside, not replace, your other defenses, including solid cyber insurance in 2026 and a tested incident response plan. The safe harbor and the insurance policy cover different parts of the same disaster.
Here is the concrete, do-this-now version, regardless of tier:
This is the work we do every day for Texas SMBs, and the reason SB 2610 is squarely in our lane: the law's three tiers map directly onto the tiered security programs we already build. For the smallest businesses, we stand up enforced password policy, MFA, and a recurring security awareness training program with real completion records. For the 20-to-99 group, we implement CIS Controls IG1 end to end. For the largest SMB tier, we run full NIST CSF, ISO 27001, or SOC 2 programs through our compliance readiness services and broader managed cybersecurity services.
Just as important, we produce the pre-incident documentation that makes the defense hold up: dated policies, attestations, training logs, and control evidence, maintained over time so that on the worst day of your business's life, your attorney has something solid to put in front of a judge. The controls keep the breach from happening. The documentation keeps the breach from bankrupting you. SB 2610 rewards businesses that did the work and can prove it, and that proof is the part you cannot generate retroactively.
No. SB 2610 is an affirmative defense against exemplary (punitive) damages only. It does not stop a lawsuit, and it does not shield you from actual damages, breach-notification costs, credit-monitoring expenses, or regulatory fines from the Texas AG. What it does is cap the most explosive, jury-driven part of a breach verdict, but only if you had a qualifying cybersecurity program documented before the incident. Think of it as a liability ceiling you earn in advance, not immunity.
It scales with your headcount. Businesses under 20 employees need a documented password policy plus security awareness training. Businesses with 20 to 99 employees need to implement CIS Controls Implementation Group 1 (the 56-safeguard CIS baseline). Businesses with 100 to 249 employees need a full recognized framework such as NIST CSF, ISO/IEC 27001, or SOC 2. The key word is "documented" — the controls have to be reasonably designed, implemented, maintained, and provable on the date of the breach.
No, and this is the trap that defeats most businesses. SB 2610 only helps if your qualifying program was in place and documented before the breach occurred. You cannot bolt it on afterward and claim the defense. That is why the documentation matters as much as the controls themselves: if you can't produce dated evidence (policies, training records, control attestations) showing the program existed pre-incident, the affirmative defense won't hold up. Standing up the program and the paper trail now is the entire point.
SB 2610 is one of the few cybersecurity moves a Texas SMB owner can make entirely on offense, on your own schedule, before a breach forces your hand. But it only counts if the program is real and the documentation is dated. LayerLogix builds and documents the exact tiered programs the law requires, from password policy and training to CIS IG1 to full NIST CSF, ISO 27001, and SOC 2. Contact our team to scope a qualifying program for your tier and get the pre-incident paper trail in place while it still costs you nothing but a little planning.