Back to Texas

SB2610 • 2025

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Blanco
Last action
2025-06-20
Official status
06/20/2025 E Effective on 9/1/25
Effective date
2025-06-20

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

What This Bill Does

  • Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2025-06-20 Texas Legislature Online

    Signed by the Governor

  2. 2025-06-20 Texas Legislature Online

    Effective on 9/1/25

  3. 2025-06-01 Texas Legislature Online

    Signed in the House

  4. 2025-06-01 Texas Legislature Online

    Sent to the Governor

  5. 2025-05-30 Texas Legislature Online

    Signed in the Senate

  6. 2025-05-28 Texas Legislature Online

    Read 3rd time

  7. 2025-05-28 Texas Legislature Online

    Passed

  8. 2025-05-28 Texas Legislature Online

    Record vote. RV#3912

  9. 2025-05-28 Texas Legislature Online

    Statement(s) of vote recorded in Journal

  10. 2025-05-28 Texas Legislature Online

    House passage reported

  11. 2025-05-28 Texas Legislature Online

    Reported enrolled

  12. 2025-05-27 Texas Legislature Online

    Read 2nd time

  13. 2025-05-27 Texas Legislature Online

    Passed to 3rd reading

  14. 2025-05-27 Texas Legislature Online

    Record vote. RV#3814

  15. 2025-05-27 Texas Legislature Online

    Statement(s) of vote recorded in Journal

  16. 2025-05-25 Texas Legislature Online

    Placed on General State Calendar

  17. 2025-05-23 Texas Legislature Online

    Considered in Calendars

  18. 2025-05-22 Texas Legislature Online

    Committee report sent to Calendars

  19. 2025-05-21 Texas Legislature Online

    Comte report filed with Committee Coordinator

  20. 2025-05-21 Texas Legislature Online

    Committee report distributed

  21. 2025-05-16 Texas Legislature Online

    Considered in formal meeting

  22. 2025-05-16 Texas Legislature Online

    Reported favorably w/o amendment(s)

  23. 2025-05-14 Texas Legislature Online

    Scheduled for public hearing on . . .

  24. 2025-05-14 Texas Legislature Online

    Considered in public hearing

  25. 2025-05-14 Texas Legislature Online

    Testimony taken/registration(s) recorded in committee

  26. 2025-05-14 Texas Legislature Online

    Left pending in committee

  27. 2025-05-02 Texas Legislature Online

    Read first time

  28. 2025-05-02 Texas Legislature Online

    Referred to Delivery of Government Efficiency

  29. 2025-04-30 Texas Legislature Online

    Rules suspended-Regular order of business

  30. 2025-04-30 Texas Legislature Online

    Read 2nd time

  31. 2025-04-30 Texas Legislature Online

    Amendment(s) offered. FA1 Blanco

  32. 2025-04-30 Texas Legislature Online

    Amended

  33. 2025-04-30 Texas Legislature Online

    Vote recorded in Journal

  34. 2025-04-30 Texas Legislature Online

    Passed to engrossment as amended

  35. 2025-04-30 Texas Legislature Online

    Vote recorded in Journal

  36. 2025-04-30 Texas Legislature Online

    Three day rule suspended

  37. 2025-04-30 Texas Legislature Online

    Record vote

  38. 2025-04-30 Texas Legislature Online

    Read 3rd time

  39. 2025-04-30 Texas Legislature Online

    Passed

  40. 2025-04-30 Texas Legislature Online

    Record vote

  41. 2025-04-30 Texas Legislature Online

    Reported engrossed

  42. 2025-04-30 Texas Legislature Online

    Received from the Senate

  43. 2025-04-29 Texas Legislature Online

    Co-author authorized

  44. 2025-04-29 Texas Legislature Online

    Placed on intent calendar

  45. 2025-04-28 Texas Legislature Online

    Reported favorably as substituted

  46. 2025-04-28 Texas Legislature Online

    Recommended for local & uncontested calendar

  47. 2025-04-28 Texas Legislature Online

    Committee report printed and distributed

  48. 2025-04-24 Texas Legislature Online

    Considered in public hearing

  49. 2025-04-24 Texas Legislature Online

    Vote taken in committee

  50. 2025-04-22 Texas Legislature Online

    Scheduled for public hearing on . . .

  51. 2025-04-22 Texas Legislature Online

    Considered in public hearing

  52. 2025-04-22 Texas Legislature Online

    Testimony taken in committee

  53. 2025-04-22 Texas Legislature Online

    Left pending in committee

  54. 2025-04-03 Texas Legislature Online

    Read first time

  55. 2025-04-03 Texas Legislature Online

    Referred to Business & Commerce

  56. 2025-03-13 Texas Legislature Online

    Received by the Secretary of the Senate

  57. 2025-03-13 Texas Legislature Online

    Filed

Official Summary Text

Relating to a limitation on civil liability of business entities in connection with a breach of system security.

Current Bill Text

Read the full stored bill text
89(R) SB 2610 - Enrolled version - Bill Text

S.B. No. 2610

AN ACT

relating to a limitation on civil liability of business entities in

connection with a breach of system security.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle C, Title 11, Business & Commerce Code,

is amended by adding Chapter 542 to read as follows:

CHAPTER 542. CYBERSECURITY PROGRAM

Sec. 542.001. DEFINITIONS. In this chapter:

(1)

"Breach of system security" has the meaning

assigned by Section 521.053.

(2)

"Exemplary damages" has the meaning assigned by

Section 41.001, Civil Practice and Remedies Code.

(3)

"Personal identifying information" and "sensitive

personal information" have the meanings assigned by Section

521.002.

Sec.

542.002.

APPLICABILITY OF CHAPTER. This chapter

applies only to a business entity in this state that:

(1) has fewer than 250 employees; and

(2)

owns or licenses computerized data that includes

sensitive personal information.

Sec.

542.003.

CYBERSECURITY PROGRAM SAFE HARBOR: EXEMPLARY

DAMAGES PROHIBITED. Notwithstanding any other law, in an action

arising from a breach of system security, a person harmed as a

result of the breach may not recover exemplary damages from a

business entity to which this chapter applies if the entity

demonstrates that at the time of the breach the entity implemented

and maintained a cybersecurity program in compliance with Section

542.004.

Sec.

542.004.

CYBERSECURITY PROGRAM. (a) For purposes of

Section 542.003, a cybersecurity program must:

(1)

contain administrative, technical, and physical

safeguards for the protection of personal identifying information

and sensitive personal information;

(2)

conform to an industry-recognized cybersecurity

framework as described by Subsection (b);

(3) be designed to:

(A)

protect the security of personal identifying

information and sensitive personal information;

(B)

protect against any threat or hazard to the

integrity of personal identifying information and sensitive

personal information; and

(C)

protect against unauthorized access to or

acquisition of personal identifying information and sensitive

personal information that would result in a material risk of

identity theft or other fraud to the individual to whom the

information relates; and

(4)

with regard to the scale and scope, meet the

following requirements:

(A)

for a business entity with fewer than 20

employees, simplified requirements, including password policies

and appropriate employee cybersecurity training;

(B)

for a business entity with at least 20

employees but fewer than 100 employees, moderate requirements,

including the requirements of the Center for Internet Security

Controls Implementation Group 1; and

(C)

for a business entity with at least 100

employees but fewer than 250 employees, compliance with the

requirements of Subsection (b).

(b)

A cybersecurity program under this section conforms to

an industry-recognized cybersecurity framework for purposes of

this section if the program conforms to:

(1)

a current version of or any combination of current

versions of the following:

(A)

the Framework for Improving Critical

Infrastructure Cybersecurity published by the National Institute

of Standards and Technology (NIST);

(B) the NIST's special publication 800-171;

(C)

the NIST's special publications 800-53 and

800-53a;

(D)

the Federal Risk and Authorization

Management Program's FedRAMP Security Assessment Framework;

(E)

the Center for Internet Security Critical

Security Controls for Effective Cyber Defense;

(F)

the ISO/IEC 27000-series information

security standards published by the International Organization for

Standardization and the International Electrotechnical Commission;

(G)

the Health Information Trust Alliance's

Common Security Framework;

(H) the Secure Controls Framework;

(I)

the Service Organization Control Type 2

Framework; or

(J)

other similar frameworks or standards of the

cybersecurity industry;

(2)

if the business entity is subject to its

requirements, the current version of the following:

(A)

the Health Insurance Portability and

Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);

(B)

Title V, Gramm-Leach-Bliley Act (15 U.S.C.

Section 6801 et seq.);

(C)

the Federal Information Security

Modernization Act of 2014 (Pub. L. No.

113-283); or

(D)

the Health Information Technology for

Economic and Clinical Health Act (Division A, Title XIII, and

Division B, Title IV, Pub. L. No.

111-5); and

(3)

if applicable to the business entity, a current

version of the Payment Card Industry Data Security Standard.

(c)

If any standard described by Subsection (b)(1) is

published and updated, a business entity's cybersecurity program

continues to meet the requirements of a program under this section

if the entity updates the program to meet the updated standard not

later than the later of:

(1)

the implementation date published in the updated

standard; or

(2)

the first anniversary of the date on which the

updated standard is published.

Sec.

542.005.

CONSTRUCTION OF CHAPTER; NO PRIVATE CAUSE OF

ACTION.

This chapter may not be construed to create a private cause

of action or change a common law or statutory duty.

SECTION 2. Section 542.003, Business & Commerce Code, as

added by this Act, applies only to a cause of action that accrues on

or after the effective date of this Act.

SECTION 3. This Act takes effect September 1, 2025.

______________________________

______________________________

President of the Senate

Speaker of the House

I hereby certify that S.B. No. 2610 passed the Senate on

April 30, 2025, by the following vote: Yeas 31, Nays 0.

______________________________

Secretary of the Senate

I hereby certify that S.B. No. 2610 passed the House on

May 28, 2025, by the following vote: Yeas 109, Nays 27, two

present not voting.

______________________________

Chief Clerk of the House

Approved:

______________________________

Date

______________________________

Governor