Texas 2025 89th Regular

Texas Senate Bill SB2610 Analysis

Filed 04/16/2025


BILL ANALYSIS

Senate Research Center S.B. 2610
89R9729 SCR-D By: Blanco
 Business & Commerce
 4/16/2025
 As Filed




AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

Cyberattacks impose a staggering financial toll on American businesses, costing billions annually, with small and medium-sized businesses emerging as the most vulnerable targets due to their limited budgets, staff, and technical expertise to implement sophisticated cybersecurity defenses. These attacks, ranging from ransomware and phishing to data breaches, can cripple small businesses through direct losses like stolen funds, indirect costs such as prolonged operational downtime, and lasting reputational harm that erodes customer trust and threatens both short-term functionality and long-term survival. In Texas, small businesses, which form the backbone of the state's economy, face escalating risks as cybercriminals exploit their resource constraints.

S.B. 2610 addresses this crisis by establishing a legal "safe harbor" for businesses that proactively adopt recognized cybersecurity frameworks, such as the NIST Cybersecurity Framework or industry-specific standards, offering them protection from punitive lawsuits in the event of a breach. By incentivizing investment in certain recognized cybersecurity frameworks and best practices, this bill encourages a proactive approach to safeguarding sensitive consumer data, including personal and payment information. This protection is especially vital for small enterprises that often lack the legal resources or insurance to defend against costly claims, leveling the playing field against larger competitors.

Through these measures, S.B. 2610 seeks to bolster Texas' economic resilience, reduce the burden on small businesses, and enhance consumer confidence in the state's marketplace.

As proposed, S.B. 2610 amends current law relating to civil liability of business entities in connection with a breach of system security.

RULEMAKING AUTHORITY

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Subtitle C, Title 11, Business and Commerce Code, by adding Chapter 542, as follows:

CHAPTER 542. CYBERSECURITY PROGRAM

Sec. 542.001. DEFINITIONS. Defines "breach of system security," "personal identifying information," and "sensitive personal information."

Sec. 542.002. APPLICABILITY OF CHAPTER. Provides that this chapter applies to a business entity in this state that owns or licenses computerized data that includes sensitive personal information.

Sec. 542.003. LIABILITY FOR DATA BREACH. Provides that, if a business entity fails to implement reasonable cybersecurity controls and that failure results in a breach of system security, the business entity is liable to a person whose sensitive personal information was stolen in the breach and who suffered economic harm as a result of the theft of the information.

Sec. 542.004. INDUSTRY STANDARD CYBERSECURITY PROGRAM. (a) Provides that, for purposes of Section 542.003, a business entity has implemented reasonable cybersecurity controls if the entity has created and maintained a cybersecurity program that meets certain requirements.

(b) Provides that a cybersecurity program under this section conforms to an industry-recognized cybersecurity framework for purposes of this section if the program conforms to certain standards.

(c) Provides that, if any standard described by Subsection (b)(1) (relating to a current version of certain security standards and programs, as determined by the Department of Public Safety of the State of Texas) is published and updated, a business entity's cybersecurity program continues to meet the requirements of a program under this section if the entity updates the program to meet the updated standard not later than the 180th day after the date on which the standard is published.

(d) Requires that the scale and scope of a cybersecurity program under this section be based on certain factors.

Sec. 542.005. AUTHORITY OF ATTORNEY GENERAL NOT AFFECTED. Prohibits this chapter from being construed to limit the authority of the attorney general to seek any legal or equitable remedy under the laws of this state.

Sec. 542.006. CLASS ACTION CERTIFICATION NOT AFFECTED. Provides that this chapter does not affect the certification of an action as a class action.

SECTION 2. Makes application of Section 542.003, Business and Commerce Code, as added by this Act, prospective.

SECTION 3. Effective date: September 1, 2025.