Texas Data Storage Compliance Deadline: A Checklist for Texas SMBs

Texas SB 2610 took effect September 1, 2025. It shields Texas businesses with fewer than 250 employees from punitive damages after a data breach, but only if a documented cybersecurity program was already running when the breach hit. Missing that program leaves you fully exposed.

TL;DR. SB 2610 is not a data storage mandate with fines attached. It is a safe harbor that went live on September 1, 2025, and it caps your legal exposure after a breach when you can prove a recognized cybersecurity program was in place first. The requirements scale by headcount, from basic password policies at the smallest shops to full NIST or ISO alignment for firms approaching 250 staff. The checklist below shows what your tier needs to have ready.

What the Texas SB 2610 compliance deadline actually is

SB 2610 added Chapter 542 to the Texas Business and Commerce Code. It creates a cybersecurity safe harbor that stops a plaintiff from recovering exemplary (punitive) damages after a breach, as long as your business had a qualifying cybersecurity program running at the time. Governor Abbott signed it on June 20, 2025, and it became enforceable on September 1, 2025.

Here is the honest read most vendors skip. This is not a regulation you get fined for ignoring, and there is no form to file. If your Texas business handles customer records and you have not built a documented compliance program yet, the deadline already passed. Every day without one is a day your company carries the full weight of a lawsuit that a compliant competitor would have capped. That is the real cost, and it is why we treat September 1 as a line that is already behind us, not ahead.

Legal contract, gavel, and a calendar with a circled date, illustrating the SB 2610 compliance deadline

Does SB 2610 apply to your business?

The law covers any business entity operating in Texas that has fewer than 250 employees and owns or licenses computerized data containing sensitive personal information. If you store Social Security numbers, driver's license numbers, financial account numbers with their access codes, or health records, you are in scope. That definition pulls in far more companies than owners expect.

Think about a 15-person accounting firm in Houston, a Dallas medical practice, a San Antonio law office, or a home services company that keeps customer payment data on file. All of them handle at least one covered data type. According to the 2025 Verizon Data Breach Investigations Report, small and mid-sized businesses report roughly four times the cybersecurity incidents that large organizations do, so the exposure is not hypothetical.

Small business owner reviewing sensitive customer records, the kind of data SB 2610 covers

What SB 2610 protects, and what it leaves on the table

This is where a lot of coverage gets it wrong, so read this part twice. The safe harbor is narrow. It removes one category of damages, not your whole liability picture.

Here is what the safe harbor takes off the table.

  • Exemplary damages, also called punitive damages, in a private breach lawsuit. These are the awards a court hands down to punish, and they are the numbers that turn a survivable claim into a business-ending one.

And here is what stays fully in play.

  • Compensatory damages. If a customer loses money that traces back to your breach, they can still recover it.
  • Regulatory penalties. The Texas Attorney General can still pursue civil penalties for the underlying breach under separate Texas law, and SB 2610 does nothing to stop that.
  • Breach notification and recovery costs. Credit monitoring, forensics, and customer notice still land on you.

The statute is explicit that it creates no private cause of action and changes no existing legal duty. So the value is real but bounded. It caps your worst-case courtroom exposure in exchange for doing the security work you should be doing anyway.

The Texas SB 2610 compliance checklist for SMBs

A qualifying program under SB 2610 is a written set of administrative, technical, and physical safeguards that conform to a recognized framework and scale to your size. Here is the sequence we walk Texas clients through.

  1. Confirm you are covered. Texas entity, under 250 employees, and you store sensitive personal information.
  2. Find your tier by headcount using the table below. Your tier sets the bar you have to clear.
  3. Adopt a recognized framework that matches that tier and write down which one you chose.
  4. Document the program. Policies, procedures, and dated evidence that each control is actually running, not just planned.
  5. Turn on the non-negotiables. Multifactor authentication, patching, encrypted backups, access control, and annual security awareness training.
  6. Timestamp everything. The program has to exist before a breach, so your paper trail needs dates a court will accept.
  7. Refresh within one year of any framework revision. When NIST or CIS updates a standard, you have until the published deadline or one year, whichever is later, to realign.
  8. Store the proof somewhere your attorney can reach in minutes. A program you cannot document is a program that will not hold up.

What each tier has to have in place

Your headcountWhat your program must includeExample frameworks
Fewer than 20 employeesDocumented password policy, multifactor authentication, employee security awareness training, and reliable backupsBasic recognized safeguards
20 to 99 employeesCIS Controls v8 Implementation Group 1, the 56 foundational safeguards, documented and maintainedCIS Controls IG1
100 to 249 employeesFull alignment with an advanced framework, audited and version controlledNIST CSF, NIST SP 800-171, ISO/IEC 27001, SOC 2, FedRAMP

The frameworks named in and around the law go wider than most owners realize. Alongside the ones above, the recognized list includes NIST SP 800-53, HITRUST CSF, and industry rules like HIPAA, GLBA, and PCI DSS. If you already follow one of those for another reason, you are closer to SB 2610 alignment than you think.

Cybersecurity compliance checklist with checkmarks beside a digital shield, representing the SB 2610 SMB checklist

What happens if you skip the deadline?

Nothing, right up until the moment it matters. No inspector shows up. No fine arrives in the mail. That is exactly why so many Texas owners will ignore this until a breach forces the issue.

Then the picture flips. A breach hits, a customer sues, and their attorney asks for the exemplary damages that dwarf the actual loss. If you had a documented program, your counsel invokes Chapter 542 and that category is off the table. If you did not, you defend the full claim. We have watched businesses with decent security lose this argument anyway because the controls were real but the documentation was not, and safe harbor rewards proof, not good intentions. For a deeper look at the threat side of this, our guide on protecting your SMB from cyberthreats covers the attacks these programs are built to survive.

How to get compliant before your next breach or audit

IT consultant helping a Texas small business team review a cybersecurity compliance plan on screen

Most Texas SMBs are not starting from zero. They have antivirus, some backups, maybe MFA on email. The gap is usually structure and evidence, not raw tooling. Closing it is a project you can finish in weeks, not years.

Start by mapping your current controls against your tier, then fix the holes and document what you already do well. A framework does not have to mean a binder nobody reads. It means a living program with an owner, a review date, and proof it runs. If you would rather not run that project alone, our cybersecurity solutions and managed security services teams build and document SB 2610 aligned programs for Houston, Dallas, and San Antonio businesses every week.

Not sure if your business would qualify for the SB 2610 safe harbor?

We will map your tier, flag your gaps, and get your safe harbor documentation in place before you need it in a courtroom. Call (866) 570-3065 or request an assessment.

Talk to our Texas team

Texas SB 2610 questions Texas SMBs keep asking

Is SB 2610 mandatory for Texas businesses?

No. It is a voluntary safe harbor, not a mandate, so there is no fine for skipping it. The catch is that only businesses with a documented program get the punitive damages protection when a breach lawsuit lands.

When did the Texas SB 2610 deadline pass?

September 1, 2025. That is the date the law took effect. Because the protection only applies if your program was already running when a breach occurs, any business without one is already past the point where the safe harbor would have helped.

Which cybersecurity framework should a small Texas business use?

It depends on your headcount. Shops under 20 need documented basics like MFA, training, and backups. Firms of 20 to 99 should adopt CIS Controls Implementation Group 1. Companies from 100 to 249 need full alignment with NIST CSF, ISO 27001, or a similar recognized framework.

Does SB 2610 protect us from all data breach lawsuits?

Not entirely. It only removes exemplary, or punitive, damages. Customers can still sue for actual losses, and the Texas Attorney General can still pursue regulatory penalties. Think of it as capping your worst case, not erasing your liability.

What counts as sensitive personal information under the law?

Data tied to a person that could enable fraud or identity theft. That includes Social Security numbers, driver's license numbers, financial account numbers paired with their access codes, and health information, as defined in the Texas Business and Commerce Code.

How long does it take to get SB 2610 compliant?

For most SMBs, a few weeks. The heavy lift is usually documentation and closing a handful of control gaps, not buying new tools. A managed security partner can assess your tier, remediate, and produce court-ready evidence faster than an internal team starting cold.

Sources. Texas Legislature, SB 2610 Bill Analysis; Texas Business and Commerce Code, Chapter 542; State Bar of Texas, Avoiding Punitive Damages After a Data Breach; NIST Cybersecurity Framework; CIS Critical Security Controls; 2025 Verizon Data Breach Investigations Report.

About Author

Learn More