Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs

In Legal News
June 24, 2025

From attorneys at Jackson Lewis:

On June 20, 2025, Texas Governor Greg Abbott signed SB 2610 into law, joining a growing number of states that aim to incentivize sound cybersecurity practices through legislative safe harbors. Modeled on laws in states like Ohio and Utah, the new Texas statute provides that certain businesses that “demonstrate[] that at the time of the breach the entity implemented and maintained a cybersecurity program” meeting the requirements in the new law may be shielded from exemplary (punitive) damages in the event of a data breach lawsuit.

… SB 2610 erects a shield from liability to protect certain businesses (those under 250 employees) from exemplary damages in a tort action resulting from a data breach. That shield applies only if the business demonstrates that at the time of the breach the entity implemented and maintained a cybersecurity program that meets certain requirements, which may include compliance with a recognized framework (e.g., NIST, ISO/IEC 27001). This is not immunity from all liability—it applies only to punitive damages—but it can be a significant limitation on financial exposure.

Read more at Workplace Privacy, Data Management & Security Report.