Texas SB2610: Reduced liability for proper cybersecurity

In April 2025, the Texas legislature passed SB2610. This law caps certain liabilities for Texas businesses with fewer than 250 employees in the event of a security breach.

But here’s the catch: you only qualify if your business was already following a recognized cybersecurity framework before the breach happened. At Clear Guidance, the framework most commonly used by the law firms we work with is the Center for Internet Security (CIS) Controls, while some firms with advanced client requirements become ISO 27001 compliant.

What Counts as a “Recognized” Framework?

SB2610 doesn’t just say “have good security.” It lists specific frameworks and standards that qualify. A few examples:

  • NIST’s Framework for Improving Critical Infrastructure Cybersecurity

  • NIST SP 800-171 or SP 800-53

  • CIS Controls (Critical Security Controls)

  • ISO/IEC 27000 series

  • Secure Controls Framework

  • SOC 2, FedRAMP, PCI DSS (where applicable)

  • HIPAA, GLBA, FISMA, or HITECH (if you're subject to them)

For a law firm, not all of these make sense.

For Law Firms: Stick With What Fits

At CGP, we most often recommend the CIS Controls, especially Implementation Group 1 (IG1). It’s designed for small to mid-sized organizations and covers the basics well—multi-factor authentication, secure backups, employee training, etc. If you’re handling especially sensitive data or have high-end client requirements, frameworks like ISO 27001 or NIST 800-171 may be more appropriate, but they’re also more complex and resource-intensive. You don’t want to overbuild if you don’t need to.

The key is choosing a framework that matches both your risk profile and your operational capacity.

Timing Matters: You Need to Be Ready Before the Breach

One thing we always say is that a breach is not a matter of if, but when.

This protection doesn’t kick in automatically when the law takes effect on September 1, 2025. To qualify, your security program has to be fully implemented at the time of the breach, which could happen anytime. That means your window to act is now.

What to Do Next

If you haven’t already:

  1. Assess what data you have and where it lives.

  2. Pick a framework that matches your firm's budget, risk tolerance, and client requirements.

  3. Implement the safeguards: technical, physical, and administrative.

  4. Document everything and keep your program current.

Don’t Wait for a Breach to Get Serious About Cybersecurity

SB2610 is a step forward for small firms: it rewards those who are proactive. But it also sets an expectation: if you want the protection, you need to earn it before an incident happens.

Now’s the time to put the right protections in place, while it’s still your choice rather than your defense strategy. At Clear Guidance Partners, we help law firms build cybersecurity programs that are practical, defensible, and right-sized for their needs. If you're unsure where to start, talk to a member of our team.
