What SB 2610 Really Means for Texas SMBs

September 18, 2025

Let Guardian guide you into the new cybersecurity safe harbor.

In our blog New Texas Law Limits Damages for SMBs in Cybersecurity Breaches, we summarized the Texas Senate Bill 2610 (SB 2610), which creates a “safe harbor” for certain small and medium Texas businesses in civil lawsuits involving data breaches. Using a size-based tier system, this safe harbor limits exposure to punitive (“exemplary”) damages if the businesses meet certain cybersecurity requirements.

Here, we go into more depth on what these tier requirements mean in practice, and how Guardian can guide you to safe harbor protection.

Navigate to the right category for your business, based on number of employees: (Fewer than 20), (20 to 99), (100 to 249).

Fewer than 20 employees in practice:

You must maintain a “reasonable” cybersecurity program that includes basic administrative, technical, and physical safeguards, plus monitoring.

* Administrative Safeguards: Establish basic security policies, designate someone responsible for cybersecurity (even part-time), and provide basic security awareness training to employees.

* Technical Safeguards: Install and maintain antivirus software, enable automatic software updates, use strong passwords and multi-factor authentication where possible, and secure your Wi-Fi networks.

* Physical Safeguards: Lock devices when not in use, secure paper records containing sensitive data, and control physical access to systems and data.

* External Threat Monitoring: Monitor for compromised credentials and external threats.

* Key Actions: Start with a basic risk assessment to identify your most critical data and systems, then implement proportionate protections based on your actual business needs and budget constraints.

Your “reasonable” cybersecurity program starts with understanding what you have and what you need to protect. Guardian Lumen performs an initial assessment of your current security posture and creates a simple, prioritized task list tailored to your size and budget. It identifies the most critical gaps in your administrative and technical safeguards without overwhelming your limited resources. Guardian Glass monitors your external presence – watching for compromised credentials on the dark web and identifying potential attack points that cybercriminals could exploit. Together, these solutions give you enterprise-level visibility and protection at a scale that works for very small businesses. 

20 to 99 employees in practice:

You must go beyond basic safeguards and “reasonably conform” to a formal, industry-recognized cybersecurity framework, like NIST, ISO, or CIS. 

* Choose your framework: NIST Cybersecurity Framework is often the most accessible for mid-sized businesses, while CIS Controls provide specific, actionable security measures

* Document your approach: Create written policies and procedures that align with your chosen framework, even if simplified for your business size  

* Implement systematically: Focus on the framework’s core functions – Identify (asset inventory), Protect (access controls, training), Detect (monitoring), Respond (incident response plan), and Recover (backup and recovery procedures) 

* Monitor external threats: Understand your attack surface from an outsider’s perspective  

* Key actions: Conduct a formal risk assessment, implement employee security training programs, establish incident response procedures, maintain regular data backups, and create an asset inventory of all systems and data 

Your requirement to “reasonably conform” to formal frameworks (NIST, ISO, CIS) means you need structured guidance and ongoing compliance tracking. Guardian Lumen automatically assesses your security posture against these exact frameworks, translating complex compliance requirements into actionable steps your team can implement. It prioritizes tasks based on impact and shows your progress toward reasonable conformance. Guardian Glass adds the external perspective that frameworks require – continuous monitoring of your attack surface, dark web surveillance, and threat intelligence. This combination ensures you’re building toward structured standards without the complexity of full enterprise compliance. 

100 to 249 employees in practice:

You must implement a comprehensive cybersecurity program that fully conforms to a formal industry framework.

* Full framework compliance: Implement all applicable controls from your chosen framework (NIST, ISO 27001, or CIS), not just reasonable conformance  

* Governance structure: Create a formal cybersecurity governance structure with defined roles, responsibilities, and reporting 

* Stay current: Monitor framework updates and implement changes within required timelines – this means dedicating resources to cybersecurity management (Guardian Lumen automatically updates assessments when frameworks change) 

* External attack surface management: Continuously monitor your entire digital footprint for vulnerabilities and compromised data  

* Key actions: Deploy comprehensive security tools (SIEM, endpoint detection and response), establish a formal incident response team, conduct regular third-party security assessments, implement advanced access controls and network segmentation, and maintain detailed security documentation and metrics 

Your comprehensive cybersecurity program requires full framework conformance and continuous updates as standards evolve. Guardian Lumen provides AI-driven assessments that track your complete compliance posture across all framework requirements. When NIST, ISO, or CIS standards change, Lumen automatically updates your assessments and creates new remediation plans within the law’s required timeframes. Guardian Glass delivers the advanced external monitoring capabilities that comprehensive programs demand – real-time attack surface management, perpetual vulnerability assessment, and immediate correlation of external threats. For your organization size, these solutions provide the continuous oversight and enterprise-level capabilities needed to maintain full SB 2610 compliance. 

In total, Guardian delivers your integrated, tier-based compliance solution:

* Assessment and Planning – Guardian Lumen evaluates your current posture against your specific tier requirements.

* External Protection – Guardian Glass monitors threats and vulnerabilities from the attacker’s perspective.

* Ongoing Compliance – Automated monitoring ensures you maintain compliance as your business and threat landscape evolve.

Let us guide you into the SB 2610 safe harbor with solutions that scale precisely to your business size and compliance tier. Connect with us today.