Video explainer

Texas SB 2610 isn’t just for law firms. It took effect on September 1, 2025, and lets any Texas business with fewer than 250 employees that owns or licenses Texans’ sensitive personal information earn an affirmative defense against punitive (exemplary) damages in a data-breach lawsuit — provided it maintained a documented cybersecurity program aligned with a recognized framework at the time of the breach. (It’s a defense against punitive damages only — not immunity from actual damages, class actions, or regulatory enforcement.) Nearly a year on, many Texas small businesses still miss the basics.

What Businesses Still Get Wrong

  • No documentation. Having controls isn’t enough — SB 2610 rewards a documented, reviewed program.
  • Email authentication left unenforced. SPF, DKIM, and DMARC are present but not enforcing.
  • No annual review. The program is set up once and never revisited.
  • No security awareness training. The most-required control across every framework.

Where to Start

Run a free scan at audit.emailmenow.com/?industry=texas-small-business to see your email and web security posture, then close the gaps and document the program. Work through our law firm cybersecurity audit checklist — the same controls apply to any Texas business under 250 employees.

The Golden Rule

Document everything and formally review your program annually — that’s the difference between “we had controls” and a defensible Safe Harbor posture.


Get into Safe Harbor. Contact EmailMeNow IT Consulting for a right-sized, documented cybersecurity program for your business.


Sources: Texas Cybersecurity Safe Harbor for Small and Mid-Sized Businesses — Spencer Fane · Avoiding Punitive Damages After a Data Breach — Texas Bar