BILL ANALYSIS

Senate Research Center
C.S.S.B. 2610
89R25951 SCR-D
By: Blanco
Business & Commerce
4/23/2025
Committee Report (Substituted)

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

Cyberattacks impose a staggering financial toll on American businesses, costing billions annually, with small and medium-sized businesses emerging as the most vulnerable targets due to their limited budgets, staff, and technical expertise to implement sophisticated cybersecurity defenses. These attacks, ranging from ransomware and phishing to data breaches, can cripple small businesses through direct losses like stolen funds, indirect costs such as prolonged operational downtime, and lasting reputational harm that erodes customer trust and threatens both short-term functionality and long-term survival. In Texas, small businesses, which form the backbone of the state's economy, face escalating risks as cybercriminals exploit their resource constraints.

S.B. 2610 addresses this crisis by establishing a legal "safe harbor" for businesses that proactively adopt recognized cybersecurity frameworks, such as the NIST Cybersecurity Framework or industry-specific standards, offering them protection from punitive lawsuits in the event of a breach. By incentivizing investment in certain recognized cybersecurity frameworks and best practices, this bill encourages a proactive approach to safeguarding sensitive consumer data, including personal and payment information. This protection is especially vital for small enterprises that often lack the legal resources or insurance to defend against costly claims, leveling the playing field against larger competitors. Through these measures, S.B. 2610 seeks to bolster Texas' economic resilience, reduce the burden on small businesses, and enhance consumer confidence in the state's marketplace.

(Original Author's/Sponsor's Statement of Intent)

C.S.S.B. 2610 amends current law relating to a limitation on civil liability of business entities in connection with a breach of system security.

RULEMAKING AUTHORITY

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Subtitle C, Title 11, Business and Commerce Code, by adding Chapter 542, as follows:

CHAPTER 542. CYBERSECURITY PROGRAM

Sec. 542.001. DEFINITIONS. Defines "breach of system security," "exemplary damages," "personal identifying information," and "sensitive personal information."

Sec. 542.002. APPLICABILITY OF CHAPTER. Provides that this chapter applies only to a business entity in this state that has fewer than 250 employees and owns or licenses computerized data that includes sensitive personal information.

Sec. 542.003. CYBERSECURITY PROGRAM SAFE HARBOR: EXEMPLARY DAMAGES PROHIBITED. Prohibits a person harmed as a result of a breach of system security, notwithstanding any other law, in an action arising from the breach, from recovering exemplary damages from a business entity to which this section applies if the entity demonstrates that at the time of the breach the entity implemented and maintained a cybersecurity program in compliance with Section 542.004.

Sec. 542.004. CYBERSECURITY PROGRAM. (a) Requires that a cybersecurity program, for purposes of Section 542.003, meet certain standards.

(b) Provides that a cybersecurity program under this section conforms to an industry-recognized cybersecurity framework for purposes of this section if the program conforms to certain standards.

(c) Provides that, if any standard described by Subsection (b)(1) (relating to a current version of certain security standards and programs) is published and updated, a business entity's cybersecurity program continues to meet the requirements of a program under this section if the entity updates the program to meet the updated standard not later than the later of:

(1) the implementation date published in the updated standard; or

(2) the first anniversary of the date on which the updated standard is published.

Sec. 542.005. AUTHORITY OF ATTORNEY GENERAL NOT AFFECTED. Prohibits this chapter from being construed to limit the authority of the attorney general to seek any legal or equitable remedy under the laws of this state.

Sec. 542.006. CLASS ACTION CERTIFICATION NOT AFFECTED. Provides that this chapter does not affect the certification of an action as a class action.

SECTION 2. Makes application of Section 542.003, Business and Commerce Code, as added by this Act, prospective.

SECTION 3. Effective date: September 1, 2025.