Texas Cybersecurity Safe Harbor (SB 2610)
The law scales based on your firm's size. Maintain a documented program to gain affirmative defense against punitive damages.
Tier 1: Under 20 Employees
Requires strict access controls (unique accounts + least privilege), documented password policies with mandatory MFA, and regular security awareness training.
Tier 2: 20–99 Employees
Requires active asset & software inventory, continuous automated vulnerability management, endpoint protection, and tested data recovery backups.
Tier 3: 100–249 Employees
Requires full alignment with NIST CSF or ISO 27001, advanced 24/7 threat detection, and rigorous third-party risk management.
The Golden Rule: Document everything and formally review your program annually.