Texas Gov. Greg Abbott recently signed a limited immunity bill, S.B. 2610, for companies that suffer a data breach. The law insulates small businesses from "exemplary damages"—e.g., punitive damages or other damages awarded as a penalty—for a data breach if they maintained appropriate security controls. But the law does not foreclose lawsuits or limit compensatory damages for the breach. The law's narrow scope and ambiguities do little to change the risk calculus for Texas businesses. This approach signals a worrying backslide from progress made in other states towards meaningful reform on breach litigation.
Application: Small Businesses
Texas' law applies to businesses "in th[e] state" with fewer than 250 employees that have sensitive personal information (i.e., elements triggering notice under Texas law). But this straightforward provision buries a landmine: What does it mean to be "in" Texas? The law does not say whether this covers those incorporated in the state, offering goods/services there, or something else.
Requirements: Cybersecurity Safeguards
A plaintiff cannot recover exemplary damages for a data breach if the business establishes it maintained an appropriate cybersecurity program at the time of the breach. The program must meet the following requirements:
- Safeguards. Contain administrative, technical and physical safeguards.
- Cybersecurity Framework. Conform to one or more industry-recognized cybersecurity frameworks (e.g., ISO 2700 or Secure Controls Framework) or meet standards set by an applicable regulatory framework (e.g., GLBA or HIPAA).
- Design. Employ measures designed to safeguard personal information (including protecting against threats and unauthorized access).
Depending on the business' size, there are additional requirements:
- 1 to 19 Employees. Meet "simplified requirements," including password policies and appropriate employee cybersecurity training.
- 20 to 99 Employees. Satisfy "moderate requirements," including the requirements of the Center for Internet Security Controls Implementation Group 1.
- 100 to 249 Employees. Comply with (not just conform to) a recognized cybersecurity framework or standards set by an applicable regulator.
Parties will surely tangle over what, if anything, the simplified and moderate standards require beyond the listed measures.
Impact: Limited Help
The law offers little in the way of substantive changes that will reduce Texas businesses' risks from breach litigation. There are a few significant issues that limit the law's impact:
- Narrow Application. The law is limited to businesses that, due to their size, are less likely to be the target of lawsuits.
- Inconsequential Damages. Exemplary damages are rarely an issue in breach litigation.
- Fact Intensive. Plaintiffs will contend the law invites a fact-intensive inquiry that cannot be resolved early in litigation.
- Limited Deterrence. The law is unlikely to deter lawsuits because plaintiffs can still recover damages and are unlikely to have the information necessary to assess the law's application before filing.
- Disputed Standard. Plaintiffs may try to muddy the waters by arguing a business can only show its program "conform[s]" to a cybersecurity framework by establishing 100% compliance.
- Unclear Requirements. The law does not specify what is needed to meet the "simplified" or "moderate" cybersecurity requirements for companies with fewer than 100 employees.
Additionally, the law does not apply to claims that accrued before September 1, 2025.
National Context: Step Backwards from Progress
Texas is the latest state to adopt some immunity for companies in breach litigation, but this version is the weakest. Since 2018, multiple states adopted more meaningful protections. For example, Ohio provided an affirmative defense against tort claims for all companies with appropriate security controls, Utah built on that foundation to cover non-tort claims, and Tennessee went further by foreclosing class-action liability if the breach was not due to willful/wanton conduct or gross negligence. Even the more restrained Connecticut law, which allows tort claims but generally eliminates punitive damages, is more business-friendly because it is not limited to small businesses.
We are tracking legislation to see if Texas' narrow framework is the start of a trend or just an outlier in the march towards common-sense breach legislation. In the meantime, our privacy team stands ready to help you assess your cybersecurity program and defend against breach claims.