Understanding the new cybersecurity safe harbor
Texas Senate Bill 2610 (SB 2610), which became effective September 1, 2025, creates a “safe harbor” for certain small and medium Texas businesses in civil lawsuits involving data breaches. This safe harbor limits exposure to punitive damages as long as the businesses meet certain cybersecurity requirements. The key is to understand those requirements.
Texas lawmakers recognized that the state’s small- and medium-sized businesses are especially vulnerable to cyberattacks, due to limited budgets, staff and expertise. The safe harbor law requires these companies to raise their security standards without imposing heavy regulations. While SB 2610 limits punitive (“exemplary”) damages in civil actions, it provides no relief for actual damages and other claims.
How It Works
The law sets up a size-based tier system in which each tier must meet certain criteria.
Fewer than 20 employees: If you’re a very small business, you only need to maintain a “reasonable” cybersecurity program that includes basic administrative, technical, and physical safeguards appropriate for your size and operations. You’ll have flexibility with baseline-level protection. (What this really means, and what Guardian can do for you)
20 to 99 employees: If your business falls in this range, you must go beyond basic safeguards and “reasonably conform” to a formal, industry-recognized cybersecurity framework from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), or the Center for Internet Security (CIS). The goal is to get you on the path toward structured standards without overwhelming you. (What this really means, and what Guardian can do for you)
100 to 249 employees: At this level you must implement a comprehensive cybersecurity program that fully conforms to a formal industry framework. You’re required to update your programs when frameworks change, either by the implementation date or within one year of publication. This ensures your firm maintains current, enterprise-level cybersecurity practices. (What this really means, and what Guardian can do for you)
How Guardian Can Help
Guardian experts understand and can explain SB 2610 in detail. We offer two flat-rate, scalable solutions in a small business bundle that ensures you’re not just meeting the law’s requirements but building robust security that scales with your business.
Guardian Lumen: Performs automated assessments and creates a prioritized task list to achieve and maintain compliance, all while tracking progress. Lumen helps decide where to spend resources for maximum results. It also automates and accelerates manual work, like assessments and remediation plans, freeing your time to focus on your business.
Guardian Glass: Prepares you for attack from any angle, protecting vulnerable digital assets. Glass doesn’t just check the perimeter and endpoints – it monitors everything to see what the attacker sees. Its AI-driven analytics all report into a single dashboard, making notification and remediation real-time and always on.
Learn more about SB 2610 in depth: what it really means in practice, and what Guardian can do for you.
Let us help guide you into the SB 2610 safe harbor.