TX SB2610
Bill
Status
6/20/2025
Primary Sponsor
Cesar Blanco
AI Summary
- Prohibits recovery of exemplary (punitive) damages against Texas businesses with fewer than 250 employees that experience a data breach, provided the business maintained a qualifying cybersecurity program at the time of the breach
- Establishes tiered cybersecurity program requirements based on company size: businesses with fewer than 20 employees need simplified requirements (password policies and training); 20-99 employees must follow CIS Controls Implementation Group 1; 100-249 employees must comply with full industry-recognized frameworks
- Recognizes compliance with major cybersecurity frameworks as qualifying programs, including NIST Cybersecurity Framework, ISO/IEC 27000-series, FedRAMP, CIS Critical Security Controls, and SOC 2, among others
- Accepts compliance with federal laws such as HIPAA, Gramm-Leach-Bliley Act, FISMA, and HITECH Act as satisfying cybersecurity program requirements for businesses subject to those regulations
- Takes effect September 1, 2025, and applies only to causes of action arising on or after that date; does not create any new private cause of action
Legislative Description
Relating to a limitation on civil liability of business entities in connection with a breach of system security.
Business & Commerce
Last Action
Effective on 9/1/25
6/20/2025