August 15, 2025
Andres Ruz, CISO
Starting September 1, 2025, a new Texas law—Senate Bill 2610—will give certain small businesses extra legal protection if they experience a cyberattack or data breach. The idea is simple: if you follow strong, recognized cybersecurity practices before an incident happens, you can avoid some of the harshest financial penalties in court.
S.B. 2610 applies to small and mid-sized Texas businesses that:
- Have fewer than 250 employees
- Store or manage sensitive personal information in a computer system
This includes engineering companies, financial service firms, and other professional service providers that keep client or employee data.
If your business qualifies and follows the law’s cybersecurity requirements, you cannot be ordered to pay punitive damages in a lawsuit after a breach.
You could still be responsible for actual damages (like paying for credit monitoring for affected customers), but this protection can help you avoid the much larger penalties that can sink a small business.
To get this protection, your business needs to have a cybersecurity program that:
1. Has written rules, training, and technology in place to protect sensitive information.
2. Follows a recognized cybersecurity framework (examples below).
3. Is set up to stop, detect, and respond to cyber threats.
4. Meets requirements based on your company size:
   - Under 20 employees: Basic password rules and cybersecurity training.
   - 20–99 employees: Follow the Center for Internet Security (CIS) basic controls.
   - 100–249 employees: Fully comply with a recognized framework.
Some options that qualify include:
- NIST Cybersecurity Framework
- NIST 800-171 or 800-53
- CIS Critical Security Controls
- ISO/IEC 27000 standards
- SOC 2
- PCI-DSS (if you handle credit card data)
- Gramm-Leach-Bliley Act or FISMA (if applicable)
These frameworks get updated over time, so you’ll need to keep your program current.
AEC firms handle high-value data every day—data that cybercriminals see as a goldmine.
- Engineering firms manage detailed project plans, CAD files, and proprietary designs that, if stolen, could be sold to competitors or used to sabotage bids.
- Construction companies store confidential bid proposals, vendor contracts, and financial records that can be exploited for fraud or ransomware attacks.
- Architecture practices safeguard unique design concepts, client presentations, and building specifications that could be misused or leaked before project approval.
Following S.B. 2610’s guidelines isn’t just about compliance—it’s about protecting your intellectual property, winning bids, and maintaining your reputation in a competitive market.
Financial institutions are prime targets for cybercrime because of the sensitive nature of the data they manage.
- Banks and credit unions store account details, loan applications, and personally identifiable information (PII) that can be used for identity theft.
- Investment firms protect client portfolios, transaction records, and strategic investment plans that could be exploited for fraud or insider trading.
- Insurance companies maintain detailed claim histories and personal data that, if compromised, could lead to large-scale regulatory violations.
S.B. 2610 compliance not only reduces legal and financial risk—it builds client trust, safeguards customer assets, and reinforces your reputation for security.
No matter your industry, your business likely stores sensitive data—whether it’s client information, employee records, or proprietary work. Meeting S.B. 2610 requirements helps protect your bottom line, keeps operations running smoothly, and shows your clients and partners that you take security seriously.
At 5 Factor, we make it easy for all Texas businesses to meet S.B. 2610 requirements by:
- Reviewing your current cybersecurity against NIST and CIS standards.
- Designing a program that matches your size and risk level.
- Setting up technical protections like MFA, network monitoring, and encryption.
- Training your team to spot and avoid cyber threats.
- Keeping your program up to date so you stay compliant.
Contact 5 Factor today to schedule your Assessment and protect your business from both hackers and costly lawsuits.