Texas Governor Approves Cybersecurity Safe Harbor Law for SMBs
Texas is shielding small businesses in the state from liability in data breach lawsuits, as long as they implement and maintain a compliant cybersecurity program. Governor Greg Abbott recently signed S.B. 2610 into law, which creates a cybersecurity safe harbor for businesses with fewer than 250 employees, provided they implement and maintain a cybersecurity program that meets certain criteria. The new law does not shield companies from all liability in the event of a data breach; it shields them from exemplary (punitive) damages arising from a security system breach, limiting their financial exposure.
When a business can show that it had a cybersecurity program in place at the time of a system security breach, a person harmed by that incident cannot recover exemplary damages. The cybersecurity program must:
- Include administrative, physical, and technical safeguards for protecting personal identifying information (PII) and sensitive personal data
- Conform to an industry-required cybersecurity framework
- Be designed to protect the security of PII and sensitive personal data
- Protect against risks and threats to the integrity of PII and sensitive personal data
- Protect against unauthorized access to PII and sensitive personal data
The required cybersecurity measures scale with the company's size. A company with fewer than 20 employees has basic requirements, such as password policies and cybersecurity training (training that HIPAA also requires). Companies with 20 to 99 employees have moderate requirements, such as the Center for Internet Security (CIS) Controls Implementation Group 1.
Companies with 100 to 249 employees must implement an established cybersecurity framework, such as the Health Information Trust Alliance (HITRUST) Common Security Framework or the NIST Cybersecurity Framework. Companies subject to the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), or PCI DSS are protected when they are fully compliant with those requirements. The new law takes effect on September 1, 2025.
The new law mirrors the safe harbor rules enacted in Ohio and Utah and is intended to encourage organizations to adopt proper cybersecurity measures. Since safe harbor regulations were enacted in Ohio and Utah in 2018 and 2021, respectively, SMB investment in cybersecurity has increased significantly.