Texas SB2610: Reduced liability for proper cybersecurity
In April 2025, the Texas legislature passed SB2610. This law caps certain liabilities for Texas businesses with fewer than 250 employees in the event of a security breach. But how can you qualify?
The critical requirement is following a recognized cybersecurity framework, only some of which are applicable to a law firm. At Clear Guidance, the framework most commonly used by law firms is the Center for Internet Security (CIS) Controls, while some firms with advanced client requirements become ISO 27001 compliant. The bill recognizes the following frameworks and standards:
(A) the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST);
(B) the NIST's special publication 800-171;
(C) the NIST's special publications 800-53 and 800-53a;
(D) the Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework;
(E) the Center for Internet Security Critical Security Controls for Effective Cyber Defense;
(F) the ISO/IEC 27000-series information security standards published by the International Organization for Standardization and the International Electrotechnical Commission;
(G) the Health Information Trust Alliance's Common Security Framework;
(H) the Secure Controls Framework;
(I) the Service Organization Control Type 2 Framework; or
(J) other similar frameworks or standards of the cybersecurity industry;
(2) if the business entity is subject to its requirements, the current version of the following:
(A) the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
(B) Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
(C) the Federal Information Security Modernization Act of 2014 (Pub. L. No. 113-283); or
(D) the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5); and
(3) if applicable to the business entity, a current version of the Payment Card Industry Data Security Standard.