As this year’s Cybersecurity Awareness Month comes to an end, we wanted to highlight a recently enacted piece of legislation that may provide protection for your business in the event of a data breach and remind you to include your cybersecurity policies in your end-of-year policy reviews and updates.
A safe harbor for certain small businesses that have suffered a data breach became effective on September 1, 2025. The recent consumer data protections adopted by some states have generally not distinguished between the penalties a small business, such as one having fewer than 250 employees, may be subject to after a data breach versus the penalties applicable to a much larger company. Texas recognized the detrimental effects a “one size fits all” policy could cause for small businesses, and this newly effective legislation provides a safe harbor for certain businesses when it adopted Texas Senate Bill 2610. This safe harbor does not absolve a small business from all liability if a data breach occurs, but it does provide protection so long as such business is in compliance with the law’s cybersecurity criteria in effect at the time the breach occurred. The law recognizes that the cybersecurity program appropriate for a business with fewer than 100 employees is typically simpler in scale and scope than that of a much larger company. Texas Senate Bill 2610 recognizes that businesses have a varied number of employees and establishes requirements for companies having (1) fewer than 20 employees, (2) between 20 and 99 employees, (3) between 100 and 249 employees, and (4) over 250 employees.
Contacts:
Elizabeth Rogers I 512.370.2834 I [email protected]
Tave Doty I 817.420.8206 I [email protected]